
Mailing List Archive: OpenSSH: Dev

Shell access to SSH KDF

 

 



eric at fergusonhome

Aug 30, 2012, 3:45 PM

Post #1 of 3 (245 views)
Shell access to SSH KDF

Hi everyone.
I'm currently running through FIPS validation, and this year CAVP
requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
the 6 keys that I need are derived in kex_derived_keys in kex.c.
However, I don't yet see any way for me to access this function from an
existing command line tool, being able to pass in K, H, and the
session_id from the test vector. Is my only option to build a custom
executable, linking in the key derivation function I need, or am I missing
something?

Thank you.

Eric
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Aug 30, 2012, 4:49 PM

Post #2 of 3 (224 views)
Re: Shell access to SSH KDF [In reply to]

On Thu, 30 Aug 2012, Eric Ferguson wrote:

> Hi everyone.
> I'm currently running through FIPS validation, and this year CAVP
> requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
> the 6 keys that I need are derived in kex_derived_keys in kex.c.
> However, I don't yet see any way for me to access this function from an
> existing command line tool, being able to pass in K, H, and the
> session_id from the test vector. Is my only option to build a custom
> executable, linking in the key derivation function I need, or am I missing
> something?

No, there is definitely no way to invoke the KEX KDF from the shell. You'll
have to make your own executable.

In the future, we hope to make bits like this available in a more friendly
library form but I don't think we will ever expose them via a command
interface directly. If there are specific tests that need to be done then
I'd certainly consider adding them as unit tests though.

-d


eric at fergusonhome

Aug 31, 2012, 4:01 AM

Post #3 of 3 (227 views)
RE: Shell access to SSH KDF [In reply to]

>> Hi everyone.
>> I'm currently running through FIPS validation, and this year CAVP
>> requires KDF tests for SSH. I'm running OpenSSH v5.6p1 and I see that
>> the 6 keys that I need are derived in kex_derived_keys in kex.c.
>> However, I don't yet see any way for me to access this function from an
>> existing command line tool, being able to pass in K, H, and the
>> session_id from the test vector. Is my only option to build a custom
>> executable, linking in the key derivation function I need, or am I missing
>> something?
>
>No, there is definitely no way to invoke the KEX KDF from the shell. You'll
>have to make your own executable.
>
>In the future, we hope to make bits like this available in a more friendly
>library form but I don't think we will ever expose them via a command
>interface directly. If there are specific tests that need to be done then
>I'd certainly consider adding them as unit tests though.
>
>-d

Thank you for your prompt reply. Will do. Assuming the KDF
certifications are here to stay for future FIPS validations, a small
test harness for CAVP test vectors is likely something several others
may benefit from. Thanks again.

Eric
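
The key derivation this thread asks to exercise is specified in RFC 4253, section 7.2. As an added example (not part of the original thread and not OpenSSH code), here is a small Python harness that derives the six keys from K, H and session_id, so that output from a custom executable can be cross-checked against an independent implementation. The function names, the sample values and the choice to pass K as an integer are assumptions made for this example.

```python
import hashlib

def mpint(k: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if k < 0:
        raise ValueError("shared secret K must be non-negative")
    # A leading zero byte is needed when the top bit is set; zero has no body.
    body = k.to_bytes((k.bit_length() + 8) // 8, "big") if k else b""
    return len(body).to_bytes(4, "big") + body

def derive_key(k: int, h: bytes, session_id: bytes, letter: bytes,
               length: int, hash_name: str = "sha1") -> bytes:
    """RFC 4253 7.2: K1 = HASH(K || H || X || session_id),
    Kn = HASH(K || H || K1 || ... || Kn-1), key = K1 || K2 || ... truncated."""
    if letter not in (b"A", b"B", b"C", b"D", b"E", b"F"):
        raise ValueError("letter must be one of A..F")
    prefix = mpint(k) + h
    out = hashlib.new(hash_name, prefix + letter + session_id).digest()
    while len(out) < length:  # extend when the hash is shorter than the key
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:length]

def derive_all(k: int, h: bytes, session_id: bytes, iv_len: int,
               enc_len: int, mac_len: int, hash_name: str = "sha1") -> dict:
    """Return the six outputs: A/B = IVs, C/D = cipher keys, E/F = MAC keys
    (client-to-server first in each pair)."""
    sizes = {b"A": iv_len, b"B": iv_len, b"C": enc_len,
             b"D": enc_len, b"E": mac_len, b"F": mac_len}
    return {x.decode(): derive_key(k, h, session_id, x, n, hash_name)
            for x, n in sizes.items()}

# Constructed sample inputs (not CAVP test vectors).
SAMPLE_K = 0x80F1E2D3C4B5A69788796A5B4C3D2E1F
SAMPLE_H = bytes(range(20))
SAMPLE_SID = SAMPLE_H  # in a first key exchange, session_id equals H

if __name__ == "__main__":
    keys = derive_all(SAMPLE_K, SAMPLE_H, SAMPLE_SID,
                      iv_len=16, enc_len=32, mac_len=20)
    for name, value in keys.items():
        print(name, value.hex())
```

If a vector file gives K with its 4-byte length prefix already attached, convert it with `int.from_bytes(field[4:], "big")` before calling `derive_key`.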