For ECC you need to enable support in menuconfig; it's off by default atm since it increases the binary size by 40K. The other HMAC algorithms are disabled for the same reason, reducing binary size. As far as I know, the attacks against SHA1 are nowhere near the point that they would weaken authentication in these protocols. The main usage scenario where SHA1 may become a liability is where it's used for signatures, where offline attacks are possible.
I don't see any strong reason to change the defaults at this point.

RSA, DSA and all EC parameters from NIST/NSA are tainted by suspicion after the Snowden leaks. This list of projects who adopted X25519 on this argument is impressive: and OpenWrt should really (package signing is not enough) get on that list.

It's always just a few kilobytes here and there, and in the end the base system grows by several hundred K for each release, making many previously supported models fall down the cliff. Please keep that in mind when arguing for your particular feature of the day. In this case, I would suggest removing all old and insecure ciphers.

In the changelog of changeset48196.html nbd says "dropbear: enable curve25519 support by default, increases compressed binary size by 5 kb" (astonishingly quick, kudos). When I get to compiling dropbear for Chaos Calmer (need stable here), I will report whether a size reduction could follow from removal of old/insecure protocols, if any.

I could imagine that we'll need to keep at least some of those obsoleted algs in order to stay compatible with various clients.