Discuss this help topic in SecureBlackbox Forum

SSH: Configure encryption algorithms

All application layer data that passes between the client and the server is encrypted with some symmetric cipher. Typical examples of a symmetric cipher are AES and 3DES. Outbound and inbound streams of data are encrypted independently with different keys.

SecureBlackbox supports the majority of symmetric algorithms defined in the SSH specification and its derivatives. Note that for a particular algorithm to be used, it must be supported by both the client and the server.

You can alter the set of supported symmetric algorithms through the EncryptionAlgorithms[] property (the set_EncryptionAlgorithms() method on some platforms). A collection of SSH_EA_ (for "Encryption Algorithm") constants is declared in the SBSSHConstants(.Unit) namespace. The SSH_EA_FIRST and SSH_EA_LAST aliases are provided to simplify iterating over the whole set of supported algorithms.

Typically you will disable the whole set of algorithms and then enable the ones you would like to use. The alternative approach is the reverse: enable the whole set of algorithms and then disable the unwanted ones.

C#:


// Disable every supported encryption algorithm first
for (int i = SBSSHConstants.Unit.SSH_EA_FIRST; i <= SBSSHConstants.Unit.SSH_EA_LAST; i++)
{
    Server.set_EncryptionAlgorithms(i, false);
}
// Then enable only the algorithms you want to allow
Server.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES128, true);
Server.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES128_CTR, true);
Server.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES128_GCM, true);
Server.set_EncryptionAlgorithms(SBSSHConstants.Unit.SSH_EA_AES128_GCM_OPENSSH, true);

Note that even though all of the above algorithms have 'AES128' in their names, they are actually different algorithms. The first is AES128 in CBC mode; the rest, while also based on AES, use different encryption modes (CTR and GCM). There are also two different implementations of the AES-GCM algorithm, one based on the standard and the other on the way it is implemented in OpenSSH. They are all incompatible with each other, so a client that only supports SSH_EA_AES128 cannot connect to a server that only supports SSH_EA_AES128_GCM.

You can get the identifiers of the algorithms that were negotiated between the parties via the component's EncryptionAlgorithmClientToServer and EncryptionAlgorithmServerToClient properties. While the outbound and inbound algorithms may be negotiated independently as per the SSH specification, in practice the negotiated algorithms are typically the same.

You can read the algorithms any time after the authentication phase has started.
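
The negotiation behaviour described above, shown at the protocol level as an added example (Python, not SecureBlackbox code): it parses the cipher name-lists from an SSH_MSG_KEXINIT payload and picks, per direction, the first cipher on the client's list that the server also lists (RFC 4253, section 7.1). The payloads are constructed samples, and the correspondence between the wire names used here and the SSH_EA_ constants is an assumption.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body

def build_kexinit(enc_c2s, enc_s2c):
    """Constructed sample payload; every non-cipher list holds a placeholder."""
    lists = {f: ["placeholder"] for f in FIELDS}
    lists["enc_c2s"], lists["enc_s2c"] = enc_c2s, enc_s2c
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + zeroed cookie
    payload += b"".join(name_list(lists[f]) for f in FIELDS)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

def parse_kexinit(payload):
    """Return {field: [names]} from a KEXINIT payload, rejecting bad lengths."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("name-list overruns payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out

def negotiate(client, server):
    """Per direction: first cipher on the client's list that the server also has."""
    result = {}
    for field in ("enc_c2s", "enc_s2c"):
        result[field] = next((a for a in client[field] if a in server[field]), None)
    return result  # None means no common cipher: both sides must disconnect

if __name__ == "__main__":
    # Assumed wire names: aes128-cbc for SSH_EA_AES128, AEAD_AES_128_GCM for SSH_EA_AES128_GCM.
    server = parse_kexinit(build_kexinit(["AEAD_AES_128_GCM"], ["AEAD_AES_128_GCM"]))
    client = parse_kexinit(build_kexinit(["aes128-cbc"], ["aes128-cbc"]))
    print(negotiate(client, server))
```

A `None` result for either direction corresponds to the failed connection described above for a CBC-only client and a GCM-only server.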
