Configure MAC algorithms
The main purpose of MAC ("Message Authentication Code") algorithms is to ensure the integrity of the transmitted data. Even though the data is transmitted in encrypted form, an adversary might alter the encrypted stream and thereby change the plaintext, even if they cannot tell what kind of change they made. A MAC is a record added to the plaintext containing a CRC or a fingerprint of the source data; the receiver checks it by comparing it to the MAC it calculates over the data itself. While an adversary can alter the encrypted stream, it is virtually impossible for them to alter it in such a way that its MAC record remains consistent.
SecureBlackbox supports the majority of the MAC algorithms defined in the SSH specification and its derivatives. Note, however, that for a MAC algorithm to be usable during an SSH session, it must be supported by both parties.
MAC algorithm constants are defined in the SBSSHConstants(.Unit) namespace. The SSH_MA_FIRST and SSH_MA_LAST aliases are provided to simplify iterating over the whole list of algorithms.
The following example shows how to disable all supported MAC algorithms and then enable only particular ones:
C#:
// Disable every MAC algorithm the component knows about.
for (int i = SBSSHConstants.Unit.SSH_MA_FIRST; i <= SBSSHConstants.Unit.SSH_MA_LAST; i++)
{
    Client.set_MacAlgorithms(i, false);
}
// Enable only the algorithms that should be offered to the server.
Client.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA1, true);
Client.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA1_96, true);
Client.set_MacAlgorithms(SBSSHConstants.Unit.SSH_MA_HMAC_SHA256, true);
Note that enabling too many MAC algorithms might cause an older or buggy server to crash. Setting AutoAdjustCiphers to true or reducing the set of supported MAC algorithms may help overcome such connectivity issues.
You can get the identifiers of the algorithms that were negotiated between the parties via the component's MacAlgorithmClientToServer and MacAlgorithmServerToClient properties. While the outbound and inbound algorithms may be negotiated independently as per the SSH specification, in practice the negotiated algorithms are typically the same.
You can read the algorithms any time after the authentication phase has started.
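The integrity check described at the top of this topic, as an added Python example (not SecureBlackbox code): it computes the three MACs enabled in the C# snippet the way RFC 4253 defines them, over the sequence number and the unencrypted packet, and shows the receiver rejecting an altered or out-of-sequence packet. The cipher is a toy stand-in, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# SSH MAC names (RFC 4253 / RFC 6668) -> (hash, tag length in bytes).
# hmac-sha1-96 is HMAC-SHA1 truncated to its first 12 bytes.
MACS = {
    "hmac-sha1": (hashlib.sha1, 20),
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-sha2-256": (hashlib.sha256, 32),
}


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Toy stream cipher (assumption): stands in for the negotiated SSH cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">II", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(name, enc_key, mac_key, seq, packet):
    """Sender: tag = MAC(key, uint32 sequence_number || unencrypted_packet)."""
    digest, length = MACS[name]
    tag = hmac.new(mac_key, struct.pack(">I", seq) + packet, digest).digest()[:length]
    return keystream_xor(enc_key, seq, packet) + tag


def verify(name, enc_key, mac_key, seq, wire):
    """Receiver: decrypt, recompute the MAC, compare. Returns None on rejection."""
    digest, length = MACS[name]
    if len(wire) < length:
        return None
    body, tag = wire[:-length], wire[-length:]
    packet = keystream_xor(enc_key, seq, body)
    expected = hmac.new(mac_key, struct.pack(">I", seq) + packet, digest).digest()[:length]
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return packet if hmac.compare_digest(tag, expected) else None


def flip_bit(wire: bytes, index: int) -> bytes:
    """Simulate in-transit alteration of one bit of the encrypted stream."""
    changed = bytearray(wire)
    changed[index] ^= 0x01
    return bytes(changed)
```

Without the `verify` step, the flipped bit would decrypt to a silently modified packet; with it, the packet is rejected under all three algorithms.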