New encryption algorithm for ssh
I am asked to add a new algorithm to ssh so data is ciphered in the new algorithm. Any idea how to add a new algorithm to ssh?
Thanks
It is possible to add some new algorithm to SSH communication, and this is done from time to time (e.g. AES was added later). But the question is that you need to modify both client and server so that they both support this algorithm, otherwise it makes no sense.
I assume that you were asked to add some custom, either home-made or non-standard algorithm. So the first thing I'd like to do is to warn you that the added algorithm can be weak. You need to perform at least a basic search for information about this algorithm, as if it's broken, you will do completely useless and even dangerous work.
As for the software modifications themselves - it's a rare job to do, so most likely you won't find anybody with this experience there. However, the code that handles various algorithms is typical and adding a new algorithm is trivial - you add one source file with the algorithm implementation and then modify a bunch of places by adding one more case to a switch statement.
In my career I've worked on a private fork of ssh that was sold as closed-source commercial software. Even they in all their crazy stupidity (private fork? who in their right mind uses non-Open Source encryption software? I thought our customers were completely off their rockers.) didn't add a new encryption algorithm.
It can be done though. Adding the hooks to the ssh protocol to support it isn't hard. The protocol is designed to be extensible in that way. At the beginning the client and server exchange lists of encryption algorithms they're willing to use.
This means, of course, that only a modified client and modified server will talk to each other.
The real difficulty is OpenSSL. ssh does not use TLS/SSL, but it does use the OpenSSL encryption library. You would have to add the new algorithm to that library, and that library is a terrible beast.
Though, I suppose you could add the algorithm without adding it to OpenSSL. That might be tricky though since I think openssh may rely heavily on the way the OpenSSL APIs work. And part of how they work allows you to pass around a constant representing which algorithm you want to use and then a standard set of calls for encryption and decryption that use the constant to decide on the algorithm.
Again though, if I recall correctly, OpenSSL has an API specifically for adding new algorithms to its suite. So that may not be so hard. You will have to make sure this happens when the OpenSSL library is being initialized.
Anyway, this is a fairly vague answer, but maybe it will point you in the right direction. You should make whoever is doing this pay enormous sums of money. Stupidity that requires this level of knowledge to pull off should never come cheaply.
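Added example (not part of either answer above and not OpenSSH code): the cipher selection rule from RFC 4253 section 7.1 that sits behind the "exchange lists of encryption algorithms" step. It shows why both peers need the patch, and that a patched client which still lists a standard cipher falls back to it against a stock server without any error. The cipher name `mycipher-ctr@example.com` and the name-lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if name[0..n) is an element of the comma-separated list. */
static int in_list(const char *list, const char *name, size_t n)
{
    while (*list) {
        size_t len = strcspn(list, ",");
        if (len == n && memcmp(list, name, n) == 0)
            return 1;
        list += len + (list[len] == ',');
    }
    return 0;
}

/* RFC 4253 section 7.1: the chosen cipher is the first name on the client's
 * list that is also on the server's list. Returns 0 and copies the name to
 * out, or -1 when nothing matches (the peers must then disconnect). */
int negotiate_cipher(const char *client, const char *server,
                     char *out, size_t outlen)
{
    while (*client) {
        size_t len = strcspn(client, ",");
        if (len > 0 && len < outlen && in_list(server, client, len)) {
            memcpy(out, client, len);
            out[len] = '\0';
            return 0;
        }
        client += len + (client[len] == ',');
    }
    return -1;
}

/* Constructed name-lists. "mycipher-ctr@example.com" is a hypothetical
 * private name in the name@domain form of RFC 4251 section 6. */
#define PATCHED "mycipher-ctr@example.com,aes256-ctr"
#define STOCK   "chacha20-poly1305@openssh.com,aes256-ctr"
#define ONLYNEW "mycipher-ctr@example.com"

int main(void)
{
    char c[64];
    const char *peers[][2] = {{PATCHED, PATCHED}, {PATCHED, STOCK}, {ONLYNEW, STOCK}};
    for (int i = 0; i < 3; i++) {
        int rc = negotiate_cipher(peers[i][0], peers[i][1], c, sizeof c);
        printf("%s\n", rc == 0 ? c : "no common cipher: disconnect");
    }
    return 0;
}
```

If the requirement is that data is always protected by the new algorithm, the deployed configuration has to offer only that name, so a mismatch fails closed instead of negotiating a different cipher.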