Supported SSH Encryption Algorithms

SSH (Secure Shell) is a protocol that allows secure remote login and data transmission over a network, including support for secure file transfers. To ensure the security of your data, the SocketTools components use a combination of encryption, hash functions, and key exchange algorithms. In this article, we’ll explain each of these and list the supported algorithms currently available with our libraries and components. This information applies to both our SSH components and our FTP components when using SFTP for file transfers.

Encryption Algorithms (Ciphers)

Encryption algorithms are used to ensure that the data being transmitted between two systems is unreadable to anyone intercepting the transmission. The SSH protocol uses symmetric encryption, meaning both sides (client and server) use the same key to encrypt and decrypt the data. The selection of which cipher should be used is automatically negotiated between the client (your application using SocketTools) and the server you are connecting with. The following ciphers are currently supported:

  • aes256-gcm@openssh.com: A modern cipher that combines AES-256 with Galois/Counter Mode (GCM), offering both encryption and message integrity. This is a highly secure and efficient option.
  • aes128-gcm@openssh.com: Similar to aes256-gcm but with a 128-bit key, offering a balance between security and performance.
  • aes256-ctr, aes192-ctr, aes128-ctr: AES in Counter (CTR) mode is a widely used encryption method that turns a block cipher into a stream cipher, known for its strong security and high performance.
  • aes256-cbc, aes192-cbc, aes128-cbc: AES in Cipher Block Chaining (CBC) mode is an older encryption method. While secure, it is more vulnerable to certain attacks compared to modern modes like CTR or GCM.
  • blowfish-cbc: An older encryption algorithm that is fast but less secure compared to AES. It uses variable-length keys, commonly set to 128 bits.
  • cast128-cbc: A symmetric encryption algorithm that uses a block size of 64 bits and is known for being fast and secure.
  • 3des-cbc: Triple DES, an older encryption standard that applies the DES algorithm three times for improved security, though it’s considered slower and less secure compared to modern algorithms.

Hash Algorithms (Message Authentication Codes)

Hash algorithms are used to ensure data integrity. A hash or Message Authentication Code (MAC) is calculated from the data being sent, and the receiving side calculates the same value to confirm the data wasn’t tampered with during transmission. The following hash algorithms are currently supported:

  • hmac-sha2-256, hmac-sha2-512: HMAC (Hash-based Message Authentication Code) using SHA-2 (Secure Hash Algorithm 2) ensures strong data integrity. The number (256 or 512) refers to the bit-length of the hash output.
  • hmac-sha1, hmac-sha1-96: HMAC using SHA-1 is an older standard. While still supported, SHA-1 is gradually being replaced by SHA-2 due to its known weaknesses.
  • hmac-ripemd160: A hash function based on RIPEMD, offering a 160-bit digest size. It is a less common alternative to SHA.

Key Exchange Algorithms

Key exchange algorithms are used in SSH to securely generate a shared secret (encryption key) between the client and server. These algorithms ensure that the key cannot be intercepted, even if someone is listening to the communication. The following key exchange algorithms are supported:

  • curve25519-sha256: A modern and fast elliptic-curve key exchange algorithm, paired with the SHA-256 hash function for secure key generation.
  • ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521: Elliptic Curve Diffie-Hellman (ECDH) with different elliptic curve sizes. These are secure, modern key exchange methods that use elliptic curve cryptography for enhanced security.
  • diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1: Diffie-Hellman key exchange that allows dynamic generation of key exchange parameters for better security, paired with either SHA-256 or the older SHA-1 hash algorithm.
  • diffie-hellman-group16-sha512, diffie-hellman-group18-sha512: More secure variants of Diffie-Hellman using large prime groups and SHA-512 for stronger security.
  • diffie-hellman-group14-sha256, diffie-hellman-group14-sha1: These use a predefined 2048-bit prime group, offering a balance between security and performance. SHA-256 is the preferred choice, while SHA-1 is older and less secure.
  • diffie-hellman-group1-sha1: One of the earliest Diffie-Hellman algorithms using a small prime size, considered less secure today.

By supporting a wide range of encryption, hash, and key exchange algorithms, the SocketTools SSH components ensure both data confidentiality and integrity during secure communications. The algorithms we support range from the latest, highly secure standards to older methods for compatibility with legacy systems. For most environments, it’s recommended the server support modern algorithms like AES-GCM for encryption, SHA-2-based HMAC for hashing, and Curve25519 for key exchange, ensuring robust security without sacrificing performance.
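
The automatic negotiation mentioned under Encryption Algorithms and the recommendation above can be checked together. The following is an added example, not SocketTools code: it applies the first-match rule from RFC 4253 (the client's preference order decides) to algorithm names from this article and flags any result the article describes as older or less secure. The peer lists and function names are constructed for illustration.

```python
# Added example: first-match negotiation (RFC 4253, section 7.1), simplified to
# one direction and without host key algorithms. All peer lists are constructed.

# Names this article describes as older or less secure.
LEGACY = {
    "aes256-cbc", "aes192-cbc", "aes128-cbc", "blowfish-cbc", "3des-cbc",
    "hmac-sha1", "hmac-sha1-96",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
}
# AEAD ciphers authenticate packets themselves, so no separate MAC is used.
AEAD = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com"}

CLIENT = {  # constructed: modern algorithms first, legacy kept as fallback
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
MODERN_SERVER = {  # constructed
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "cipher": ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256"],
}
LEGACY_SERVER = {  # constructed: an old device offering only legacy names
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher": ["3des-cbc", "aes128-cbc"],
    "mac": ["hmac-sha1-96", "hmac-sha1"],
}


def pick(client, server):
    """First name on the client's list that the server also offers."""
    return next((name for name in client if name in server), None)


def negotiate(client, server):
    """Return (chosen, warnings) for the kex, cipher and mac categories."""
    chosen = {c: pick(client[c], server[c]) for c in ("kex", "cipher", "mac")}
    if chosen["cipher"] in AEAD:
        chosen["mac"] = "<implicit>"  # the GCM tag provides integrity
    warnings = []
    for cat, name in chosen.items():
        if name is None:
            warnings.append(f"{cat}: no common algorithm, connection fails")
        elif name in LEGACY:
            warnings.append(f"{cat}: negotiated legacy algorithm {name}")
    return chosen, warnings
```

Against LEGACY_SERVER the client's order wins, so aes128-cbc is chosen even though the server lists 3des-cbc first; removing the legacy fallbacks from the client list turns that silent downgrade into a connection failure.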

See Also

Troubleshooting SSH Connection Issues
Creating SSH Authentication Keys
SFTP Public Key Authentication
Windows and Supported TLS Versions
