Skip to content

Key Exchange

When a client requests a new session, the server and client use a key exchange protocol to decide on a one-time session key. Key exchange protocols enable the server and client to establish a shared secret key, even though the communications take place in the open. After the key is established, the client and server encrypt subsequent communications using the session key and an agreed upon cipher.

Use the Key Exchange pane to control which key exchange protocols the server supports. You can also configure the server to require a new key exchange after a specified time interval has elapsed.

Key exchange pane

From the server console, click Configuration > Encryption > Key Exchange

From this pane, you can enable and disable key exchange algorithms. If you enable only some of the available algorithms, you need to ensure that you select those that are supported by your client(s). The following algorithms are available:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-gex-sha1
  • diffie-hellman-gex-sha256
  • gss-group1-sha1 with Kerberos 5
  • gss-gex-sha1 with Kerberos 5

Secure Shell standards (RFC 4253) require all clients to support both diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1. Of these, diffie-hellman-group14-sha1 is more secure, but requires more time during the key exchange. Both diffie-hellman-gex-sha256 and diffie-hellman-gex-sha1 also improve security, and do not slow down the key exchange. However, these are not supported by all clients.

If you use GSSAPI host and user authentication, you need to enable gss-group1-sha1 and/or gss-gex-sha1, depending on your client.