[JSch-users] Diffie-Helman-Group-14 on Java

Discussion:

[JSch-users] Diffie-Helman-Group-14 on Java < 1.8

Lothar Kimmeringer

2014-06-04 16:25:11 UTC

Hello all,

Since DH-Keys > 1024 bytes aren't supported with Java VMs < 8,
this KEX is removed from the list of supported KEXes. Problem
"here" is that the system to be connected is only allowing
precisely this KEX, so connections fail and the system in
question needs to stay on Java 7 for a while, so updating
to Java 8 is not an option at the moment.

I had a look into the sources (still 0.1.50) and think I can
solve that problem (not sure ATM though). In case I find
a solution, is there interest, that I contribute that for the
standard? I already do changes to the source everytime I use
a newer version of the library, since I added some log-entries
and made the Logger non-static, to allow to write into different
files when multiple threads are performing SSH-sessions. Maybe
that is useful for the standard as well.

Cheers, Lothar

Atsuhiko Yamanaka

2014-06-05 07:48:53 UTC

Permalink

Hi,

+-From: Lothar Kimmeringer <***@kimmeringer.de> --
|_Date: Wed, 04 Jun 2014 18:25:11 +0200 __________
|
|Since DH-Keys > 1024 bytes aren't supported with Java VMs < 8,
|this KEX is removed from the list of supported KEXes. Problem
|"here" is that the system to be connected is only allowing
|precisely this KEX, so connections fail and the system in
|question needs to stay on Java 7 for a while, so updating
|to Java 8 is not an option at the moment.

According to the source code of com.sun.crypto.provider.DHKeyPairGenerator[1],
the following change will allow to use Diffie-Helman-Group-14 on java6 and java7,
but it depends on a bug of DHKeyPairGenerator.

--- jsch-0.1.51/src/main/java/com/jcraft/jsch/jce/DH.java 2014-01-02 08:15:41.000000000 +0000
+++ jsch-0.1.51.group14/src/main/java/com/jcraft/jsch/jce/DH.java 2014-06-05 07:35:43.000000000 +0000
@@ -54,7 +54,12 @@
public byte[] getE() throws Exception{
if(e==null){
DHParameterSpec dhSkipParamSpec=new DHParameterSpec(p, g);
- myKpairGen.initialize(dhSkipParamSpec);
+ try{ myKpairGen.initialize(dhSkipParamSpec); }
+ catch(InvalidAlgorithmParameterException e){
+ String msg="Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)";
+ if(!e.getMessage().equals(msg))
+ throw e;
+ }
KeyPair myKpair=myKpairGen.generateKeyPair();
myKeyAgree.init(myKpair.getPrivate());
// BigInteger x=((javax.crypto.interfaces.DHPrivateKey)(myKpair.getPrivate())).getX();

[1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/com/sun/crypto/provider/DHKeyPairGenerator.java#109

Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
1-14-20 HONCHO AOBA-KU,
SENDAI, MIYAGI 980-0014 Japan.
Tel +81-22-723-2150
Skype callto://jcraft/
Twitter: http://twitter.com/ymnk
Facebook: http://facebook.com/aymnk

Lothar Kimmeringer

2014-06-06 08:47:36 UTC

Permalink

Hello,

Post by Atsuhiko Yamanaka
According to the source code of com.sun.crypto.provider.DHKeyPairGenerator[1],
the following change will allow to use Diffie-Helman-Group-14 on java6
and java7 but it depends on a bug of DHKeyPairGenerator.

thanks for that. It seems to work. I have to check the functionality
with IBM-VMs e.g. on IBM AS/400 (but I'm not sure if the original
error occurs there anyway, so maybe the workaround isn't necessary
there).

Cheers, Lothar