views:

104

answers:

2

hi dears

I am asked to add a new algorithm to ssh so data is ciphered in new algorithm, any idea how to add new algorithm to ssh ?

thanks

+1  A: 

It is possible to add some new algorithm to SSH communication, and this is done from time to time (eg. AES was added later). But the question is that you need to modify both client and server so that they both support this algorithm, otherwise it makes no sense.

I assume that you were asked to add some custom, either home-made or non-standard algorithm. So first thing I'd like to do is to warn you that the added algorithm can be weak. You need to perform at least basic search for information about this algorithm, as if it's broken, you will do completely useless and even dangerous work.

As for software modification themselves - it's a rare job to do so most likely you won't find anybody with this experience there. However the code that handles various algorithms is typical and adding new algorithm is trivial - you add one source file with algorithm implementation and then modify a bunch of places by adding one more case to switch statement.

Eugene Mayevski 'EldoS Corp
Actually, I've worked on a close-source fork of openssh. Given a couple of weeks I could probably get enough code knowledge back to do this. :-)
Omnifarious
+1  A: 

In my career I've worked on a private fork of ssh that was sold as closed-source commercial software. Even they in all their crazy stupidity (private fork? who in their right mind uses non-Open Source encryption software? I thought our customers were completely off their rockers.) didn't add a new encryption algorithm.

It can be done though. Adding the hooks to the ssh protocol to support it isn't hard. The protocol is designed to be extensible in that way. At the beginning the client and server exchange lists of encryption algorithms they're willing to use.

This means, of course, that only a modified client and modified server will talk to eachother.

The real difficulty is OpenSSL. ssh does not use TLS/SSL, but it does use the OpenSSL encryption library. You would have to add the new algorithm to that library, and that library is a terrible beast.

Though, I suppose you could add the algorithm without adding it to OpenSSL. That might be tricky though since I think openssh may rely heavily on the way the OpenSSL APIs work. And part of how they work allows you to pass around a constant representing which algorithm you want to use and then a standard set of calls for encryption and decryption that use the constant to decide on the algorithm.

Again though, if I recall correctly, OpenSSL has an API specifically for adding new algorithms to its suite. So that may not be so hard. You will have to make sure this happens when the OpenSSL library is being initialized.

Anyway, this is a fairly vague answer, but maybe it will point you in the right direction. You should make whoever is doing this pay enormous sums of money. Stupidity that requires this level of knowledge to pull off should never come cheaply.

Omnifarious
I must disagree regarding stupidity, and here's why: it can be that they are adding some national encryption standard. For example in Russia they use GOST and GOST is the only accepted encryption algorithm (family of algorithms in fact) for use in public areas.
Eugene Mayevski 'EldoS Corp
@Eugene Mayevski 'EldoS Corp yes but this is a task for a seasoned cryptographer. Also I personally don't see a benefit of using an alternate primitive, even when considering obscure primitives like GOST.
Rook
@Rook national regulations compliance can be the benefit or requirement. IF this is the case, it's not we or the developers who decide what to do - they just must do this. We had to add GOST to our SecureBlackbox product cause xUSSR customers said, that GOST was the only allowed algorithm, so if they wanted to release their products on local markets, they had to have it, like it or not.
Eugene Mayevski 'EldoS Corp
thanks dear friends for kindly guide, that's part of some academic work i don't have any idea of the main project but i am asked to do so and as Eugene Mayevski said i must do so! , dear Omnifarious your reply made a lot of sense for my way ,thanks
amin
pointing to openssl showed me the right way and that comment about GOST cleared the way, they have added GOST support on last openssl version and many comments useful to such a project, thanks
amin
@amin - Good, I'm glad my vague hand-waving in the right general direction was helpful. :-)
Omnifarious