The following tables contain all the encryption algorithms you can configure One Identity Safeguard for Privileged Sessions (SPS) to recognize. If you use a configuration that is only partially supported, SPS might ignore the connection without warning.
NOTE: Do not use the CBC block cipher mode, or any sha1-based KEX, MAC, or host key algorithm, which are considered weak.
The default SPS configuration for both the client and the server is the following:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
The following key exchange (KEX) algorithms are recognized:
Figure 229: Key exchange (KEX) algorithms
Key exchange (KEX) | Default | Comment |
---|---|---|
ecdh-sha2-nistp256 | ✔ | |
ecdh-sha2-nistp384 | ✔ | |
ecdh-sha2-nistp521 | ✔ | |
diffie-hellman-group1-sha1 | – | Not recommended |
diffie-hellman-group14-sha1 | – | Not recommended |
diffie-hellman-group14-sha256 | ✔ | |
diffie-hellman-group15-sha512 | – | |
diffie-hellman-group16-sha512 | ✔ | |
diffie-hellman-group17-sha512 | – | |
diffie-hellman-group18-sha512 | ✔ | |
diffie-hellman-group-exchange-sha256 | ✔ | |
diffie-hellman-group-exchange-sha1 | – | Not recommended |
During an SSH session, SPS performs a key re-exchange after each gigabyte of transmitted data or after each hour of connection time, whichever comes sooner.
The default SPS configuration for both the client and the server is the following:
aes128-ctr,aes192-ctr,aes256-ctr
The following cipher algorithms are recognized:
Figure 230: Cipher algorithms
Cipher algorithm | Default | Comment |
---|---|---|
3des-cbc | – | Not recommended |
blowfish-cbc | – | Not recommended |
twofish256-cbc | – | Not recommended |
twofish-cbc | – | Not recommended |
twofish192-cbc | – | Not recommended |
twofish128-cbc | – | Not recommended |
aes256-cbc | – | Not recommended |
aes192-cbc | – | Not recommended |
aes128-cbc | – | Not recommended |
aes256-ctr | ✔ | |
aes192-ctr | ✔ | |
aes128-ctr | ✔ | |
serpent256-cbc | – | Not recommended |
serpent192-cbc | – | Not recommended |
serpent128-cbc | – | Not recommended |
arcfour | – | Not recommended |
idea-cbc | – | Not recommended |
cast128-cbc | – | Not recommended |
none | – | Means no cipher algorithm; not recommended |
The default SPS configuration for both the client and the server is the following:
hmac-sha2-256,hmac-sha2-512
The following MAC algorithms are recognized:
Figure 231: Message Authentication Code (MAC) algorithms
MAC | Default | Comment |
---|---|---|
hmac-sha1 | – | Not recommended |
hmac-sha1-96 | – | Not recommended |
hmac-md5 | – | Not recommended |
hmac-md5-96 | – | Not recommended |
hmac-sha2-256 | ✔ | |
hmac-sha2-512 | ✔ | |
The default SPS configuration for both the client and the server is the following:
none
The following SSH compression algorithms are recognized:
Figure 232: SSH compression algorithms
SSH compression algorithm | Default | Comment |
---|---|---|
zlib | – | Not recommended |
none | ✔ | Means no compression |
The default SPS configuration for both the client and the server is the following:
ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
The following host key algorithms are recognized:
Figure 233: Host key algorithms
Host key algorithms | Default | Comment |
---|---|---|
ecdsa-sha2-nistp256 | ✔ | |
ssh-ed25519 | ✔ | |
rsa-sha2-512 | ✔ | |
rsa-sha2-256 | ✔ | |
ssh-rsa | ✔ | Not recommended. NOTE: The ssh-rsa public key signature algorithm that depends on SHA-1 is not recommended and will be disabled in a future release. |
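As an added example that is not part of the One Identity documentation, the following Python script audits an SPS-style comma-separated algorithm list against the tables above: it flags entries that the tables do not list (which SPS may treat as unsupported) and entries the tables mark "Not recommended". The category names (`kex`, `cipher`, `mac`, `compression`, `hostkey`) and the reason strings are the example's own; the algorithm names are transcribed from the tables.

```python
"""Audit an SPS-style SSH algorithm list against the recognized/recommended tables."""
import re

# Algorithm names SPS recognizes, transcribed from the tables on this page.
RECOGNIZED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group14-sha256", "diffie-hellman-group15-sha512",
            "diffie-hellman-group16-sha512", "diffie-hellman-group17-sha512",
            "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"3des-cbc", "blowfish-cbc", "twofish256-cbc", "twofish-cbc", "twofish192-cbc",
               "twofish128-cbc", "aes256-cbc", "aes192-cbc", "aes128-cbc", "aes256-ctr",
               "aes192-ctr", "aes128-ctr", "serpent256-cbc", "serpent192-cbc",
               "serpent128-cbc", "arcfour", "idea-cbc", "cast128-cbc", "none"},
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
            "hmac-sha2-256", "hmac-sha2-512"},
    "compression": {"zlib", "none"},
    "hostkey": {"ecdsa-sha2-nistp256", "ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"},
}

# Why the tables mark an entry "Not recommended": (category or None for any, regex, reason).
WEAK_RULES = [
    (None, r"-cbc$", "CBC block cipher mode"),
    (None, r"sha1", "SHA-1 based"),
    (None, r"md5", "MD5 based"),
    ("cipher", r"^arcfour$", "RC4 stream cipher"),
    ("cipher", r"^none$", "no encryption at all"),
    ("compression", r"^zlib$", "compression not recommended"),
    ("hostkey", r"^ssh-rsa$", "signature depends on SHA-1"),
]


def audit(category, config):
    """Split a comma-separated list and sort each entry into ok / weak / unrecognized."""
    if category not in RECOGNIZED:
        raise ValueError(f"unknown category {category!r}")
    report = {"ok": [], "weak": [], "unrecognized": []}
    for name in (n.strip() for n in config.split(",") if n.strip()):
        if name not in RECOGNIZED[category]:
            report["unrecognized"].append(name)  # SPS may ignore such a connection silently
            continue
        reasons = [why for cat, pat, why in WEAK_RULES
                   if cat in (None, category) and re.search(pat, name)]
        (report["weak"].append((name, "; ".join(reasons))) if reasons
         else report["ok"].append(name))
    return report


def is_hardened(category, config):
    """True only if every entry is recognized, none is weak, and at least one remains."""
    r = audit(category, config)
    return not r["unrecognized"] and not r["weak"] and bool(r["ok"])
```

Running `audit("hostkey", ...)` over the default host key list above reports `ssh-rsa` as weak, matching the NOTE in the table; `is_hardened` therefore returns False for that default until `ssh-rsa` is removed.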