Viewing or Modifying Message Authentication Codes (MAC) Settings
(Requires the SFTP module in EFT Express)

A keyed-Hash Message Authentication Code (HMAC) is used to verify data integrity and message authenticity, that is, to confirm that data has not been altered between the client and the server. SHA (Secure Hash Algorithm) is a cryptographic hash algorithm published by the United States Government. It produces a 160-bit hash value from a string of arbitrary length. EFT supports the following HMAC algorithms, each of which is selected (enabled) by default:

- hmac-sha2-512
- hmac-sha2-256
- hmac-sha1
- hmac-md5
- hmac-sha1-96
- hmac-md5-96
To select Message Authentication Codes (MAC)

- In the Allowed MACs list, clear or select the check boxes to specify which algorithms you want to use for message authentication.
- Click OK to close the dialog box.
- Click Apply. EFT tries each selected MAC with the client until an algorithm is agreed upon.
EFT provides advanced properties that affect HMAC ciphers:

- hmac-sha2-512 - can be disabled for outbound client connections by setting Advanced Property SFTP2_SHA2_512 to false
- hmac-sha2-256 - can be disabled for outbound client connections by setting Advanced Property SFTP2_SHA2_256 to false
- hmac-sha1 - can be ENABLED for outbound client connections by setting Advanced Property SFTP2_SHA1 to TRUE
- hmac-md5 - can be ENABLED for outbound client connections by setting Advanced Property SFTP2_MD5 to TRUE
- hmac-sha1-96 - can be ENABLED for outbound client connections by setting Advanced Property SFTP2_SHA1_96 to TRUE
- hmac-md5-96 - can be ENABLED for outbound client connections by setting Advanced Property SFTP2_MD5_96 to TRUE
If a particular cipher is selected in the interface, both inbound and outbound connections will use that cipher, UNLESS you enable an Advanced Property that changes the behavior for OUTBOUND (EFT acting as client) connections. For the most part, an advanced property is used to turn OFF for outbound connections a cipher that is allowed for inbound connections; in some instances, however, presumably because of the security risk involved, the advanced property must be used to enable the algorithm for outbound connections even when it is already enabled for inbound connections in the interface. This extra step forces administrators to make a deliberate choice, and it also prevents a cipher from being accidentally enabled for outbound connections when it was only intended for inbound connections.
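The two behaviors described on this page, the MAC negotiation that happens when EFT "tries each selected MAC with the client until an algorithm is agreed upon" and the inbound/outbound split controlled by the advanced properties, are illustrated below in an added Python example. This is not EFT's code: the negotiation rule is the standard SSH one (RFC 4253 section 7.1, first algorithm on the client's list that the server also offers), the HMAC tag computation follows the SSH transport layer (HMAC over the 32-bit sequence number followed by the packet, with the "-96" variants truncated to 12 bytes), and outbound_mac_list is only a model of the rule this page documents. The key, packet bytes and property values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Hash function and tag length (bytes) for each MAC name listed on this page.
# The "-96" variants keep only the first 96 bits (12 bytes) of the HMAC output.
MAC_ALGORITHMS = {
    "hmac-sha2-512": (hashlib.sha512, 64),
    "hmac-sha2-256": (hashlib.sha256, 32),
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-md5": (hashlib.md5, 16),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5-96": (hashlib.md5, 12),
}

# Model of the documented advanced properties (assumption: this mirrors the
# page's description, it is not EFT's implementation).
# SHA-2 MACs are offered outbound unless their property is set to false.
OUTBOUND_DEFAULT_ON = {
    "hmac-sha2-512": "SFTP2_SHA2_512",
    "hmac-sha2-256": "SFTP2_SHA2_256",
}
# Legacy MACs are offered outbound only when their property is set to TRUE.
OUTBOUND_OPT_IN = {
    "hmac-sha1": "SFTP2_SHA1",
    "hmac-md5": "SFTP2_MD5",
    "hmac-sha1-96": "SFTP2_SHA1_96",
    "hmac-md5-96": "SFTP2_MD5_96",
}


def outbound_mac_list(allowed_macs, advanced_props):
    """Return the MACs EFT would offer as a *client*, given the check boxes
    selected in the interface and a dict of advanced property values."""
    offered = []
    for name in allowed_macs:
        if name in OUTBOUND_DEFAULT_ON:
            if advanced_props.get(OUTBOUND_DEFAULT_ON[name], True):
                offered.append(name)
        elif name in OUTBOUND_OPT_IN:
            if advanced_props.get(OUTBOUND_OPT_IN[name], False):
                offered.append(name)
    return offered


def negotiate_mac(client_list, server_list):
    """RFC 4253 section 7.1: pick the first algorithm on the client's list
    that the server also supports; no overlap means the connection fails."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError("no common MAC algorithm; connection would be rejected")


def compute_tag(algorithm, key, sequence_number, packet):
    """SSH transport MAC: HMAC(key, uint32(seq) || packet), truncated for -96."""
    digestmod, tag_len = MAC_ALGORITHMS[algorithm]
    data = struct.pack(">I", sequence_number) + packet
    return hmac.new(key, data, digestmod).digest()[:tag_len]


def verify_tag(algorithm, key, sequence_number, packet, received_tag):
    """Constant-time comparison so a forged tag is rejected without leaking
    how many leading bytes matched."""
    expected = compute_tag(algorithm, key, sequence_number, packet)
    return hmac.compare_digest(expected, received_tag)


if __name__ == "__main__":
    allowed = list(MAC_ALGORITHMS)  # every box checked in the interface
    props = {"SFTP2_SHA1": True}    # constructed: legacy SHA-1 opted in outbound
    client_offer = outbound_mac_list(allowed, props)
    print("EFT offers as client:", client_offer)
    remote_server = ["hmac-sha2-256", "hmac-sha1"]  # constructed remote server
    chosen = negotiate_mac(client_offer, remote_server)
    print("negotiated:", chosen)
    key = b"constructed-sample-integrity-key"
    packet = b"\x00\x00\x00\x0c\x05hello world"
    tag = compute_tag(chosen, key, 7, packet)
    print("tag bytes:", len(tag), "verifies:", verify_tag(chosen, key, 7, packet, tag))
```

Note that the sequence number is part of the authenticated data, which is why replaying an old packet with its original tag fails verification, and that a truncated -96 tag is simply a prefix of the full-length tag for the same key and data.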