LogJam Reactions

Posted: 02/22/2016 11:34:12
by Ken Ivanov (Team)

Hi Alexander,

Thank you for contacting us.

In the case of SFTP negotiation, Diffie-Hellman keys are generated on the server side. You normally do not need to do anything on the client side to make them work. What connectivity issue exactly are you having?

Posted: 02/22/2016 11:54:41
by Robin Whitehead (Standard support level)
Joined: 08/30/2013
Posts: 3
The above question (from Alexander Rennie) is being asked on the company's behalf, so if you can reply to me then that would be great. The licences are attached to this account.

Thank you
Posted: 02/22/2016 12:03:04
by Robin Whitehead (Standard support level)
Joined: 08/30/2013
Posts: 3

Thank you for your response (which I apologize for failing to spot before posting the above!). I realize we aren't doing anything explicit to generate the Diffie-Hellman keys on our side, which is my real problem in trying to work out how to respond to our partner's request.

Basically, we are getting "Connection lost (error code is 10058)" when trying to connect to their server, and they have responded to my enquiries by saying that - as our software is using a bit length of 1,024 - their server is refusing the connection. They have given me the following to illustrate their reasoning for this:

"Logjam Attack (weakdh) and Attachmate Products

Technical Note 2795
Last Reviewed 29-Oct-2015
Applies To

All Attachmate Products

In May 2015, researchers announced weaknesses in Diffie-Hellman key exchange that is used in many encrypted connection protocols (CVE-2015-4000). This technical note provides information on affected products.
The Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys over a public channel. This method is used by a number of encrypted connection protocols.
With TLS protocol version 1.2 and earlier, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. The client can be forced to use a weaker ciphersuite, even though the client does not have it enabled.
Additionally, in any TLS or SSH connection with both server and client enabled to use weaker DH Groups for key exchange, an attacker can passively eavesdrop and decrypt sessions. Groups with 1024-bit length or less are considered vulnerable, which includes the 512-bit export DH."

I have been trying to work out how to increase the length to 2,048. Is this feasible with Secure BlackBox SFTP, or am I going to have to find a different product?

Thank you
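An added illustration (not code from this thread, from EldoS or from SecureBlackbox): in SSH the Diffie-Hellman group size is fixed by the negotiated key-exchange method name (group1 is 1024-bit, group14 is 2048-bit, group-exchange lets the client request a minimum), so moving from 1,024 to 2,048 bits means offering only methods whose group meets that minimum. The function name `filter_kex` and the parameter `gex_min_request` below are hypothetical; the sample client list is constructed.

```python
"""Filter an SSH key-exchange (kex) method list by Diffie-Hellman group size.

Fixed-group finite-field DH methods carry their modulus size in the name
(group1 = 1024-bit and group14 = 2048-bit, RFC 4253; group15..18 and
group14-sha256, RFC 8268). Group-exchange methods (RFC 4419) let the client
ask for a minimum size, so they pass only when that request meets policy.
ECDH / curve25519 methods use no finite-field group and are unaffected
by weak-group (Logjam-style) attacks.
"""
from typing import Iterable, List

# Modulus sizes in bits for the fixed-group finite-field DH methods.
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group15-sha512": 3072,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group17-sha512": 6144,
    "diffie-hellman-group18-sha512": 8192,
}
GROUP_EXCHANGE = {
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
}
# Kex methods that do not rely on a finite-field DH group at all.
NON_FFDH_PREFIXES = ("ecdh-sha2-", "curve25519-sha256", "curve448-sha512")


def filter_kex(offered: Iterable[str], min_bits: int, gex_min_request: int) -> List[str]:
    """Return the methods in `offered` whose DH group size is at least `min_bits`.

    `gex_min_request` (hypothetical parameter) is the minimum group size the
    client would ask for in SSH_MSG_KEX_DH_GEX_REQUEST. Client preference
    order is preserved; unknown method names are dropped rather than trusted.
    """
    allowed = []
    for name in offered:
        if name in FIXED_GROUP_BITS and FIXED_GROUP_BITS[name] >= min_bits:
            allowed.append(name)
        elif name in GROUP_EXCHANGE and gex_min_request >= min_bits:
            allowed.append(name)
        elif name.startswith(NON_FFDH_PREFIXES):
            allowed.append(name)
    return allowed


if __name__ == "__main__":
    # Constructed sample: a client list that still offers the 1024-bit group1.
    client_offer = ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"]
    print(filter_kex(client_offer, min_bits=2048, gex_min_request=2048))
```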
Posted: 02/22/2016 12:04:40
by Eugene Mayevski (Team)

Dear Mr. Whitehead, I am moving the license-related question to the Helpdesk for resolution.

Sincerely yours
Eugene Mayevski
Posted: 02/22/2016 12:19:24
by Robin Whitehead (Standard support level)
Joined: 08/30/2013
Posts: 3

On consideration, I believe we may be able to sort this out by passing a new public key of 2,048-bit length to our partner. If this fails then I will get back to you, but in the meantime thanks for your help.
Posted: 02/22/2016 13:27:57
by Ken Ivanov (Team)

I believe it might be reasonable to continue our technical discussion in the help desk too. I've created a separate ticket for you (#29356) to discuss the technical aspects.