ecdh-sha2-nistp256 Supported?

Posted: 05/21/2015 16:58:16
by Sal Quintanilla (Basic support level)
Joined: 05/21/2015
Posts: 6

I've seen some messages suggesting ecdh is supported, and that's what we need for a client-side implementation of an sftp uploader to an openssl-based server.

I've been an rsa/dsa person right up until today. I've found instructions for generating ecdh keys using openssl, and I think I did it right, but I'm getting a Key store failed when I try to send a file up. So I don't know if it's not supported, or if I'm doing something wrong.

Here's what I'm using to generate keys, and I can easily believe that it's either partially or fully wrong, or that I'm not setting up authorized_keys right, or that I'm not not generating a key file that my sftp client can use.

$ openssl ecparam -param_enc explicit -name secp256k1 -genkey -outform PEM -out ec-openssl.pem
$ openssl ec -param_enc explicit -inform PEM -in ec-openssl.pem -pubout -outform DER -out ec-openssl.der

$ openssl ecparam -name secp256k1 -genkey -param_enc explicit -outform DER -out ec-openssl.der

My questions:

  • Does the client-side SecureBlackBox sftp client support ecdh-sha2-nistp256
  • How do I generate a public key for the server-side authorized_keys file (using openssl under Linux... or some other suggested tool)?
  • How do I generate the private key file to use for key selection before sending a file from my SecureBlackBox-based sftp client program?
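A point worth separating out here: ecdh-sha2-nistp256 is the SSH key-exchange method, while the user key that goes into authorized_keys is of type ecdsa-sha2-nistp256, on NIST P-256 (openssl calls it prime256v1; secp256k1, used in the commands above, is a different curve that OpenSSH does not accept), and the entry is the OpenSSH wire encoding, not the DER file openssl writes. The Python below is an added example, not code from this thread or from SecureBlackbox: it builds such an authorized_keys entry from a public point, parses one back, checks that the point really lies on P-256 and computes the fingerprint in the form ssh-keygen -l prints. The sample point is the P-256 base point, a constructed stand-in for the point a real key would yield.

```python
import base64
import hashlib
# NIST P-256 (prime256v1) field prime and coefficient b: y^2 = x^3 - 3x + b (mod P).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
KEY_TYPE, CURVE_ID = "ecdsa-sha2-nistp256", "nistp256"
# Constructed sample public point: the P-256 base point G (on the curve by definition),
# standing in for the point a real private key would yield.
SAMPLE_X = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
SAMPLE_Y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return len(b).to_bytes(4, "big") + b

def read_ssh_string(blob: bytes, off: int):
    n = int.from_bytes(blob[off:off + 4], "big")
    return blob[off + 4:off + 4 + n], off + 4 + n

def on_p256(x: int, y: int) -> bool:
    """True if (x, y) satisfies the P-256 curve equation; a secp256k1 point fails."""
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def encode_authorized_key(x: int, y: int, comment: str) -> str:
    """Build the authorized_keys line for an uncompressed P-256 public point."""
    if not on_p256(x, y):
        raise ValueError("point is not on P-256 (wrong curve or corrupt key)")
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = ssh_string(KEY_TYPE.encode()) + ssh_string(CURVE_ID.encode()) + ssh_string(point)
    return f"{KEY_TYPE} {base64.b64encode(blob).decode()} {comment}"

def parse_authorized_key(line: str) -> dict:
    """Decode one authorized_keys line, validate its structure, report the fingerprint."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != KEY_TYPE:
        raise ValueError("not an ecdsa-sha2-nistp256 entry")
    blob = base64.b64decode(fields[1])
    ktype, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    point, off = read_ssh_string(blob, off)
    # Type inside the blob must agree with the leading field; point must be 0x04||X||Y.
    if ktype != KEY_TYPE.encode() or curve != CURVE_ID.encode() or off != len(blob):
        raise ValueError("key type / curve identifier mismatch or trailing data")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("malformed uncompressed P-256 point")
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"x": x, "y": y, "on_curve": on_p256(x, y), "fingerprint": "SHA256:" + fp}
```

Every valid nistp256 entry starts with the same base64 prefix because the two type strings come first; a line that does not is not a P-256 key in OpenSSH format, whatever tool wrote it.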
Posted: 05/22/2015 04:49:21
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

ECDH for SSH/SFTP is supported starting from the 13th version of SecureBlackbox. You can download the beta here: https://www.eldos.com/sbb/download-pre...hp#product
Posted: 05/22/2015 09:16:39
by Sal Quintanilla (Basic support level)
Joined: 05/21/2015
Posts: 6

Thanks, I had version 12, that's promising.

Unfortunately I'm still not able to connect.

Are my key generation commands correct?

Would you provide some guidance on how to generate and use the keys? An example with whatever tool EldoS uses would be fine, I can adapt. I didn't find anything in the Help file or the sample projects.


P.S. I did test dsa / rsa keys with the new version, it's running fine, so I believe I at least have interfaced to it correctly. But perhaps I don't understand ecdh enough, and the public/private/authorized_keys file method doesn't apply.
Posted: 05/22/2015 11:38:33
by Vsevolod Ievgiienko (Team)

You can use our TElSSHKey with Algorithm property set to ALGORITHM_ECDSA to generate such keys. Please check next article and our samples for details: https://www.eldos.com/documentation/sb...shkey.html
Posted: 05/22/2015 15:37:06
by Sal Quintanilla (Basic support level)
Joined: 05/21/2015
Posts: 6

Sometimes the help file isn't necessarily suggestive of what to do, but the sample apps take care of that very well.

In this case, I used the desktop SSH Keys Demo, adding an ECDH option associated with SBSSHKeyStorage.Unit.ALGORITHM_ECDSA. I also went ahead and added support for all of the TSBSSHKeyFormat types. For all permutations of key format types and 128, 256, and 512 bits, the ECDH attempt returned a status of SBSSHKeyStorage.Unit.SB_ERROR_SSH_KEYS_INTERNAL_ERROR.

I looked around here and elsewhere and don't see any clues about what to do about it. I'm still evaluating and don't have the source.

Are there additional TElSSHKey methods to call when using ECDSA?

Posted: 05/25/2015 02:11:50
by Ken Ivanov (Team)

Hi Sal,

We've just had a look into the code and it looks that currently (talking about build 271) you have to pass the curve ID as the Bits parameter of the Generate() method. It was made by mistake, and we are going to fix that in the future version 13 build (by providing a special GenerateEC() method).

In the meantime, with build 271 you can use the following syntax to generate EC keys:


Posted: 05/25/2015 07:56:09
by Sal Quintanilla (Basic support level)
Joined: 05/21/2015
Posts: 6

Thanks Ken. I've got build 271, but

  • SSH_EC_NIST_P256 gets error "does not exist in the current control". What type is it?
  • If it's not an int for the Bits field, is key.Generate() in your example not from TElSSHKey?
Posted: 05/25/2015 09:02:47
by Ken Ivanov (Team)

Hi Sal,

Please reference it as SBSSHConstants.Unit.SSH_EC_NIST_P256. This is an integer constant, so it will work out fine as Bits parameter.

Posted: 05/25/2015 13:04:16
by Sal Quintanilla (Basic support level)
Joined: 05/21/2015
Posts: 6

Much better, thanks.

For some reason, I'm still not working. That could be my host, so I've gone back to creating RSA and DSS keys. With ssh-keygen, I can

  • Create an RSA key
  • Copy the public file to authorized_keys on our server
  • Connect successfully and retrieve a file list with "SimpleSftpClient demo application" using the generated private key
  • Do the same thing with DSS

But when I create RSA or DSS keys with "SSH keys demo" (OpenSSH format, 512 bits, no password), the keys that are saved through the application (I also tried cut-and-paste) result in outputs like (RSA trial):

Server key [5....] received
Authentication type [2] failed
Error 114
Connection failed due to exception: Conneciton lost (error code is 10058)
If you have ensured that all connection parameters are correct and you still can't connect, please contact EldoS support as described on http://www.wldos.com/...
Remember to provide details about the error that happened.
Server software identified itself as: OpenSSH_6.5

I suppose the question that might take care of things is: What do I need to do to "SSH keys demo" to have it output private and public keys that work the same way keys generated by running "ssh-keygen" with no passphrase work?
Posted: 05/25/2015 14:16:36
by Ken Ivanov (Team)


There are several reasons that might stop the keys generated with SSHKeysDemo from working for you:

1) The generated public key has not been added to the authorized_keys file on the server.

2) You didn't pass a SecureBlackbox evaluation license key to the SetLicenseKey() method in the SSHKeysDemo sample; therefore the keys it generates are inconsistent.

3) The key is just too short. Please try generating a 2048 bit RSA key and check if it is subject to the same error.

On the other hand, what issues exactly do you have with the EC key generation functionality?
