9.3.11 Use Only Approved Cipher in Counter Mode

Information

This variable limits the types of ciphers that SSH can use during communication.

*Rationale*

Based on research conducted at various institutions, it was determined that the symmetric
portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses
that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was
encrypted with the Cipher Block Chaining (CBD) method. From that research, new Counter
mode algorithms (as described in RFC4344) were designed that are not vulnerable to these
types of attacks and these algorithms are now recommended for standard use.

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows-Ciphers aes128-ctr,aes192-ctr,aes256-ctr

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: fc3dd8c07c690d36e238ea94bbc90505c86edefe2fac3976e6c31b108dc1c455