(CCing the dropbear list - hopefully crossposting isn't too awkward)

I'll merge this pull request, though if anyone has comments please let me know. Comments inline below.

Matt

On Thu, Jan 08, 2015 at 04:46:48AM -0800, fedor-brunner wrote:
> https://github.com/mkj/dropbear/pull/9
>
> -- Commit Summary --
>
> * Prefer stronger algorithms in algorithm negotiation.
>
> -- File Changes --
>
> M common-algo.c (16)

> Prefer diffie-hellman-group14-sha1 (2048 bit) over
> diffie-hellman-group1-sha1 (1024 bit).

This is probably OK. group14 is quite a bit slower for slow machines (2x?). I don't think that's a big problem though - the algorithm preference order only applies to Dropbear as a client. In that case most servers seem to support ecdh methods which are fast - they're the first preference (curve25519 and the nist methods).

> [prefer aes256 over 3des]
> Due to meet-in-the-middle attacks the effective key length of
> three key 3DES is 112 bits. AES is stronger and faster than 3DES.

This makes sense.

> Prefer to delay the start of compression until after authentication
> has completed. This avoids exposing compression code to attacks
> from unauthenticated users.

I was thinking of doing this recently myself. At the time I added delayed compression some widespread clients (PuTTY I think?) didn't support it, but I think that's OK now.
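The remark that preference order only matters on the client side follows from the SSH negotiation rule in RFC 4253 section 7.1: the chosen algorithm is the first entry in the client's name-list that the server also offers, regardless of the server's own ordering. The following is an added illustration written for this message, not Dropbear's code; the name-lists are constructed and the function names are made up.

```c
#include <stdio.h>
#include <string.h>

/* SSH name-lists are comma-separated (RFC 4253 section 7.1). The chosen
 * algorithm is the first entry in the client's list that also appears in
 * the server's list; the server's ordering plays no part. */

/* Return 1 if the n-byte `name` appears as a whole entry in `list`.
 * Whole-entry matching matters: "diffie-hellman-group1-sha1" is a prefix
 * of "diffie-hellman-group14-sha1", so a naive strstr() would confuse them. */
static int list_contains(const char *list, const char *name, size_t n) {
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Walk the client's list in preference order and copy the first algorithm
 * the server also supports into `out`. Returns 1 on success, 0 if nothing
 * is shared (a real implementation would then disconnect). */
int ssh_negotiate(const char *client, const char *server,
                  char *out, size_t outsz) {
    const char *p = client;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len < outsz && list_contains(server, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Constructed client lists: the pull request's order (group14 before group1)
 * and the older order, both with the fast ECDH methods first. */
const char *KEX_NEW = "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1";
const char *KEX_OLD = "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1";
/* Constructed server list: an older server offering only the classic DH groups. */
const char *SERVER_KEX = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1";

int main(void) {
    char chosen[64];
    if (ssh_negotiate(KEX_NEW, SERVER_KEX, chosen, sizeof chosen))
        printf("new client order picks %s\n", chosen);
    if (ssh_negotiate(KEX_OLD, SERVER_KEX, chosen, sizeof chosen))
        printf("old client order picks %s\n", chosen);
    return 0;
}
```

Against a server that supports both groups, only the client's reordering decides whether the 2048-bit group is used; a server that offers only ECDH is unaffected by the change.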