tags:

views:

104

answers:

2
+1  Q: 

new encryption algorithm for ssh

hi dears

I am asked to add a new algorithm to ssh so data is ciphered in new algorithm, any idea how to add new algorithm to ssh ?

thanks

+1  A: 

It is possible to add some new algorithm to SSH communication, and this is done from time to time (eg. AES was added later). But the question is that you need to modify both client and server so that they both support this algorithm, otherwise it makes no sense.

I assume that you were asked to add some custom, either home-made or non-standard algorithm. So first thing I'd like to do is to warn you that the added algorithm can be weak. You need to perform at least basic search for information about this algorithm, as if it's broken, you will do completely useless and even dangerous work.

As for software modification themselves - it's a rare job to do so most likely you won't find anybody with this experience there. However the code that handles various algorithms is typical and adding new algorithm is trivial - you add one source file with algorithm implementation and then modify a bunch of places by adding one more case to switch statement.

Eugene Mayevski 'EldoS Corp  2010-10-03 13:04:20
Actually, I've worked on a close-source fork of openssh. Given a couple of weeks I could probably get enough code knowledge back to do this. :-)
Omnifarious  2010-10-03 13:27:22
+1  A: 

In my career I've worked on a private fork of ssh that was sold as closed-source commercial software. Even they in all their crazy stupidity (private fork? who in their right mind uses non-Open Source encryption software? I thought our customers were completely off their rockers.) didn't add a new encryption algorithm.

It can be done though. Adding the hooks to the ssh protocol to support it isn't hard. The protocol is designed to be extensible in that way. At the beginning the client and server exchange lists of encryption algorithms they're willing to use.

This means, of course, that only a modified client and modified server will talk to eachother.

The real difficulty is OpenSSL. ssh does not use TLS/SSL, but it does use the OpenSSL encryption library. You would have to add the new algorithm to that library, and that library is a terrible beast.

Though, I suppose you could add the algorithm without adding it to OpenSSL. That might be tricky though since I think openssh may rely heavily on the way the OpenSSL APIs work. And part of how they work allows you to pass around a constant representing which algorithm you want to use and then a standard set of calls for encryption and decryption that use the constant to decide on the algorithm.

Again though, if I recall correctly, OpenSSL has an API specifically for adding new algorithms to its suite. So that may not be so hard. You will have to make sure this happens when the OpenSSL library is being initialized.

Anyway, this is a fairly vague answer, but maybe it will point you in the right direction. You should make whoever is doing this pay enormous sums of money. Stupidity that requires this level of knowledge to pull off should never come cheaply.

Omnifarious  2010-10-03 13:25:57
I must disagree regarding stupidity, and here's why: it can be that they are adding some national encryption standard. For example in Russia they use GOST and GOST is the only accepted encryption algorithm (family of algorithms in fact) for use in public areas.
Eugene Mayevski 'EldoS Corp  2010-10-03 13:59:35
@Eugene Mayevski 'EldoS Corp yes but this is a task for a seasoned cryptographer. Also I personally don't see a benefit of using an alternate primitive, even when considering obscure primitives like GOST.
Rook  2010-10-03 18:52:08
@Rook national regulations compliance can be the benefit or requirement. IF this is the case, it's not we or the developers who decide what to do - they just must do this. We had to add GOST to our SecureBlackbox product cause xUSSR customers said, that GOST was the only allowed algorithm, so if they wanted to release their products on local markets, they had to have it, like it or not.
Eugene Mayevski 'EldoS Corp  2010-10-03 19:03:49
thanks dear friends for kindly guide, that's part of some academic work i don't have any idea of the main project but i am asked to do so and as Eugene Mayevski said i must do so! , dear Omnifarious your reply made a lot of sense for my way ,thanks
amin  2010-10-04 13:24:35
pointing to openssl showed me the right way and that comment about GOST cleared the way, they have added GOST support on last openssl version and many comments useful to such a project, thanks
amin  2010-10-06 11:22:09
@amin - Good, I'm glad my vague hand-waving in the right general direction was helpful. :-)
Omnifarious  2010-10-06 14:47:10

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?