Failed to connect to SFTP

+1 vote
asked Nov 15, 2010 by Steven Koegler (130 points)
edited Jan 27, 2012

I'm using .NET CF 2.0 on Windows CE 5.0. When I try to connect I get an exception with the message "unsupported key size (1024)." This happens before I call Login. The server has both the RSA and DSA keys set to 512. Any idea why I'm unable to Connect?

Applies to: Rebex SFTP

5 Answers

+1 vote
answered Nov 16, 2010 by Lukas Pokorny (102,130 points)
edited Jun 16, 2015 by Lukas Pokorny

Update: Rebex SFTP 2012 R1 and higher contain a built-in workaround for this issue.

This exception was thrown because the size of the ephemeral Diffie-Hellman key supplied by the server during the SSH key exchange was larger than the maximum key size supported by the cryptographic providers available on the device. This key is only used during key exchange and is not related to RSA and DSA key lengths.

For 512-bit keys, "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider" is adequate, but for larger keys (1024-bit and 2048-bit), "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider" is needed.

Could you please let us know what cryptographic providers are installed on your device by looking into the following registry key? "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider" (Use PHM Registry Editor if the system lacks a registry editor.) It might be possible that the provider is present but we are not detecting it correctly for some reason.

Several customers have encountered several newer devices where the enhanced provider was missing or not installed correctly (causing the same error you got), possibly by a mistaken choice made by the manufacturer (they forgot to include DSS and DH providers). In some of these cases, they were able to fix the problem by installing a fixed OS image on the device (recommended solution) or by recreating the missing or malformed registry structure under "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider", so this might be a solution in your case as well.

With the base provider, you should still be able to connect to an SFTP server that supports the 512-bit DiffieHellmanGroupExchangeSHA1 key exchange algorithm (see Specifying SSH parameters for more info on how to request this), but it seems most SFTP servers only support 1024-bit and larger keys.

commented Nov 18, 2010 by Steven Koegler (130 points)
Here are the three registry keys under "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider":

- Microsoft Base Cryptographic Provider v1.0
- Microsoft Enhanced Cryptographic Provider v1.0
- Microsoft Enhanced RSA and AES Cryptographic Provider

Can you tell if the Enhanced DSS and D-H provider is present?
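A small check for the registry key Lukas asks about, added here as an example; it is not code from Rebex or from anyone in this thread. It assumes .NET CF 2.0's Microsoft.Win32.Registry and that each provider subkey carries a DWORD "Type" value (an assumption about the device's registry layout); the PROV_DSS_DH constant is the standard CryptoAPI provider type, and the 512/1024/2048-bit thresholds are the ones given in the answer above.

```csharp
// Added example: list the CryptoAPI providers registered on a Windows CE device and
// report whether the Enhanced DSS/DH provider needed for 1024-bit and larger ephemeral
// Diffie-Hellman keys is present. Not Rebex code.
using System;
using Microsoft.Win32;

static class CspCheck
{
    const string ProviderRoot = @"Comm\Security\Crypto\Defaults\Provider";
    const string EnhancedDssDh = "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider";
    const string BaseDssDh = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider";
    const int PROV_DSS_DH = 13; // CryptoAPI provider type shared by DSS/DH providers

    // Largest DH key size (bits) the installed providers are expected to handle,
    // using the thresholds from the answer above; 0 if no DSS/DH provider is registered.
    static int MaxDhKeyBits()
    {
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(ProviderRoot))
        {
            if (root == null)
            {
                Console.WriteLine("Provider key missing: HKLM\\" + ProviderRoot);
                return 0;
            }
            int maxBits = 0;
            foreach (string name in root.GetSubKeyNames())
            {
                object type; // assumed REG_DWORD "Type" value; may be absent on a malformed key
                using (RegistryKey sub = root.OpenSubKey(name))
                    type = sub == null ? null : sub.GetValue("Type");
                Console.WriteLine(name + " (Type=" + (type ?? "?") + ")");
                if (name == EnhancedDssDh) maxBits = Math.Max(maxBits, 2048);
                else if (name == BaseDssDh) maxBits = Math.Max(maxBits, 512);
                else if (type is int && (int)type == PROV_DSS_DH) maxBits = Math.Max(maxBits, 512); // other DSS/DH CSP: assume base limits
            }
            return maxBits;
        }
    }

    static void Main()
    {
        int bits = MaxDhKeyBits();
        if (bits >= 1024) Console.WriteLine("OK: DH groups up to " + bits + " bits supported.");
        else if (bits > 0) Console.WriteLine("Only " + bits + "-bit DH available; most SFTP servers will trigger 'unsupported key size'.");
        else Console.WriteLine("No DSS/DH provider registered; expect 'unsupported key size' during key exchange.");
    }
}
```

The three providers listed in the comment above are all RSA-type CSPs, so this check would report no DSS/DH provider on that device.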
0 votes
answered Sep 16, 2011 by mchroman (180 points)
edited Sep 19, 2011

What is the fix? We are having the same issue on our device (.NET CF).

commented Sep 19, 2011 by Lukas Pokorny (102,130 points)
edited Sep 19, 2011

The recommended solution is to install a new OS image on the device - one that includes "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider". Consult the device vendor for advice.

If this can't be done, we can try enabling our custom .NET implementation of Diffie-Hellman. The only problem with that is that it's very slow and is only usable on newer and faster devices.

0 votes
answered Sep 19, 2011 by mchroman (180 points)
edited Sep 19, 2011

How do we enable your implementation? It may be easier than getting the vendor to add an image enhancement...

commented Sep 19, 2011 by Lukas Pokorny (102,130 points)
edited Sep 19, 2011

I sent a link to a new build of Rebex SFTP that does it automatically to your e-mail.

0 votes
answered Dec 21, 2011 by safeMan (140 points)
edited Dec 22, 2011

Hey Lukas, is that build that does the custom Diffie-Hellman implementation still available anywhere? I am working with a Windows CE device running .NET CF 2.0 and am tasked with adding SFTP support to the software running on the device, and I am experiencing the exact same issues as described here. I am currently using the Trial implementation to try and get it to work, but I am afraid that if I can't get it to work we won't be able to support SFTP, as I cannot find any other implementation anywhere. Also, since we source our CE devices from another country, reworking the image is not an option for us at this time. I am hoping to convince my company to use this product, but if we can't get it implemented we will have to figure something else out. Can you all help? Thanks!

commented Dec 22, 2011 by Lukas Matyska (55,430 points)
edited Dec 22, 2011

I have sent a link to the current beta build to your email.

0 votes
answered Jan 26, 2012 by BPK (160 points)
edited Jan 27, 2012

Can you please send me the link to the latest beta version which has the fix in it?

I too am having the same issue with a .NET CF device, using build 3793.

Also, a few times, a "Channel has been closed" error is appearing.

Can you please let me know if there is a new build for that too?

Thanks very much for your help.

commented Jan 27, 2012 by Lukas Pokorny (102,130 points)
edited Jan 27, 2012

I have just sent a link to the current beta build to your email. Please let us know whether it solves the issues.

...