EldoS | Feel safer!

SFTP Client_OnKeyValidate

#11774
Posted: 11/21/2009 06:55:36
by Steve Goldring (Standard support level)
Joined: 11/21/2009
Posts: 3

Hi,

Looking for example code to store and check ServerKey:

Code
Private Sub Client_OnKeyValidate(ByVal Sender As Object, ByVal ServerKey As SBSSHKeyStorage.TElSSHKey, ByRef Validate As Boolean)
    Validate = True ' NEVER do this. You MUST check the key somehow
End Sub


in VB.NET SFTP sample. I'm stumped trying to work with ServerKey.FingerprintSHA1.

Thank you,

SG
#11775
Posted: 11/21/2009 07:06:31
by Eugene Mayevski (EldoS Corp.)

What exactly is the problem you are having with FingerprintSHA1?


Sincerely yours
Eugene Mayevski
#11778
Posted: 11/23/2009 05:28:37
by Steve Goldring (Standard support level)
Joined: 11/21/2009
Posts: 3

I guess one idea is to save ServerKey.FingerprintSHA1 as a string, and check it on next-connect. I don't see how to save it as a string.

Thanks,

SG
#11779
Posted: 11/23/2009 05:34:59
by Ken Ivanov (EldoS Corp.)

Use SBUtils.Unit.DigestToStr160() method to convert the obtained TMessageDigest160 object to string.
#11781
Posted: 11/23/2009 06:06:17
by Steve Goldring (Standard support level)
Joined: 11/21/2009
Posts: 3

Thanks. Can you confirm that storing and checking this string is an adequate form of validation?

SG
#11783
Posted: 11/23/2009 06:17:08
by Eugene Mayevski (EldoS Corp.)

You can store the keys themselves, if you wish. Unlike X.509 certificates SSH keys don't include information that would let one bind them to the resource (server in our case) or distinguish between the keys. So SHA1 fingerprint is the only way to identify the key without comparing the keys themselves.


Sincerely yours
Eugene Mayevski
#11922
Posted: 12/13/2009 16:41:56
by Greg (Standard support level)
Joined: 12/09/2009
Posts: 20

I'm feeling pretty stupid and have a similar request to Steve's.

Is there an example someplace of the appropriate way to do this validation?

Starting from the OnKeyValidate:
Private Sub m_Client_OnKeyValidate(ByVal Sender As Object, ByVal ServerKey As SBSSHKeyStorage.TElSSHKey, ByRef Validate As Boolean)

I can see from the example that if I wish to say all is well, then I return true in Validate. I looked in all three examples provided with Sftp and find exactly the same thing: Don't do this! But I can't find an example of what to do.

I don't know cryptography beyond a general programmer's grasp and Steve's request "Can you confirm that storing and checking this string is an adequate form of validation?" is pertinent. While I may be able to do something and get it to work (as in not bomb), I have no idea of the correct way to store and compare and am likely to come up with something that isn't very good.

The latest reply to Steve's question still didn't answer the original request: "Looking for example code to store and check ServerKey:"

Please, an example will answer a ton of questions and provide the proper way to store and compare.


I had a very long post typed up from my experience trying to find what I needed for this from last night. Let me just say that the experience was so frustrating that I became very impolite and am very glad I didn't actually post the thing.

This is my second re-write of that post. I hope it's sane enough, polite enough, and I hope it gets an actual example posted or a link to an example provided. There should be one.

Private Sub m_Client_OnKeyValidate(ByVal Sender As Object, ByVal ServerKey As SBSSHKeyStorage.TElSSHKey, ByRef Validate As Boolean)
    Dim ClientFileName As String = "pick a location you can reach"

    'first connection: store the server's public key and accept it
    If ClientParms.AcceptNewKey Then
        ServerKey.SavePublicKey(ClientFileName, SBUtils.TSBEOLMarker.emCRLF)
        Validate = True
        Exit Sub
    End If

    'not first time storage

    Dim StoredPublicKey As New SBSSHKeyStorage.TElSSHKey
    StoredPublicKey.LoadPublicKey(ClientFileName)

    If ServerKey.TestForMatch(StoredPublicKey) Then 'for example. Just how should you do this? What is undocumented .IsValid() ?
        'goodness
        Validate = True
    Else
        'badness
        Validate = False
    End If

End Sub

Thank you,
-greg
#11925
Posted: 12/13/2009 23:39:45
by Ken Ivanov (EldoS Corp.)

This how-to article explains the key validation procedure.

To make a long story short, you should maintain a list of known servers along with their corresponding public keys. You can either keep (and compare) the public keys themselves (getting the blob from the TElSSHKey object using the SavePublicKey method), or just the fingerprints (obtaining them via the FingerprintMD5 and FingerprintSHA1 properties). From a security point of view there is no practical difference in which of these you store (fingerprints provide enough protection against key substitution; all the existing SSH implementations actually store fingerprints).
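The store-and-check procedure described in the reply above, as an added example that is not SecureBlackbox code and not from this thread: a known-hosts store keyed on host:port that holds the hex SHA-1 fingerprint of the server's wire-format public key blob, accepts a key only on first contact when the caller allows it, and refuses (without overwriting) when a stored fingerprint does not match. The RSA values used to build the blobs are tiny constructed placeholders that only exercise the logic; in the real handler the fingerprint comes from ServerKey.FingerprintSHA1.

```python
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, leading zero byte if the high bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob (RFC 4253 section 6.6); e and n are constructed test values."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha1(blob: bytes) -> str:
    """Hex SHA-1 over the public key blob: the string form of what FingerprintSHA1 gives you."""
    return hashlib.sha1(blob).hexdigest()


def validate_host_key(known_hosts: dict, host: str, port: int, server_blob: bytes, accept_new: bool) -> str:
    """Known-hosts check for one connection.

    Returns 'match' or 'new' when the key may be accepted (the handler sets Validate = True),
    'unknown' or 'mismatch' when it must be refused. A mismatch is never written over the
    stored value: a changed server key has to be verified out of band before it is trusted.
    """
    entry = f"{host}:{port}"
    fp = fingerprint_sha1(server_blob)
    stored = known_hosts.get(entry)
    if stored is None:
        if accept_new:
            known_hosts[entry] = fp  # trust on first use, only when the caller allows it
            return "new"
        return "unknown"
    if hmac.compare_digest(stored, fp):  # constant-time comparison of the two hex strings
        return "match"
    return "mismatch"
```

The returned label, not the fingerprint string, is what the OnKeyValidate handler should turn into its Validate result, so that a mismatch is always a refusal.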
#11954
Posted: 12/15/2009 22:56:24
by Greg  (Standard support level)
Joined: 12/09/2009
Posts: 20

Fantastic! Excellent! I searched, but did not find that. Now I really feel dumb, but I really appreciate the answer.