5.2.15 Ensure only strong Key Exchange algorithms are used - approved Key Exchange algorithms

Information

Key exchange is any method in cryptography by which cryptographic keys are exchanged
between two parties, allowing use of a cryptographic algorithm. If the sender and receiver
wish to exchange encrypted messages, each must be equipped to encrypt messages to be
sent and decrypt messages received

Rationale:

Key exchange methods that are considered weak should be removed. A key exchange
method may be weak because too few bits are used, or the hashing algorithm is considered
too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Edit the /etc/ssh/sshd_config file add/modify the KexAlgorithms line to contain a comma
separated list of the site approved key exchange algorithms
Example:

KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Default Value:

KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|3.4, CSCv7|14.4

Plugin: Unix

Control ID: fe93a9a54791149bbb68af708fe93431ea7c1dfcebeffe765944e7fd6581032b