+1 vote
by (130 points)
edited

I'm using .netcf 2.0 on windows CE 5.0. When I try to connect I get an exception with the message "unsupported key size (1024)." This happens before I call Login. The server has both the RSA and DSA keys set to 512. Any idea why I'm unable to Connect?

Applies to: Rebex SFTP

5 Answers

+1 vote
by (147k points)
edited by

Update: Rebex SFTP 2012 R1 and higher contain a built-in workaround for this issue.

This exception was thrown because the size of ephemeral Diffie-Hellman key supplied by the server during the SSH key exchange was larger than the maximum key size supported by the cryptographic providers available at the device. This key is only used during key exchange and is not related to RSA and DSA key lengths.

For 512bit keys, "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider" is adequate, but for larger keys (1024-bit and higher), "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider" is needed.

Could you please let us know what cryptographic providers are installed on your device by looking into the following registry key? "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider" (Use PHM Registry Editor if the system lacks a registry editor.) It might be possible that the provider is present but we are not detecting it correctly for some reason.

Several customers have encountered several newer devices where the enhanced provider was missing or not installed correctly (causing the same error you got), possibly by a mistaken choice made by the manufacturer (they forgot to include DSS and DH providers). In some of these cases, they were able to fix the problem by installing a fixed OS image on the device (recommended solution) or by recreating the missing or malformed registry structure under "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider", so this might be a solution in your case as well.

With the base provider, you should still be able to connect to an SFTP server that supports 512bit DiffieHellmanGroupExchangeSHA1 key exchange algorithm (see Specifying SSH parameters for more info on how to request this), but it seems most SFTP servers only supports 1024bit and larger keys.

by (130 points)
Here are the three Registry keys under "HKEY_LOCAL_MACHINE\Comm\Security\Crypto\Defaults\Provider" - Microsoft Base Cryptographic Provider v1.0 - Microsoft Enhanced Cryptographic Provider v1.0 - Microsoft Enhanced RSA and AES Cryptographic Provider Can you tell if the Enhanced DSS and D-H provider is present?
0 votes
by (180 points)
edited

What is the fix? We are having the same issue on our device...Net CF

by (147k points)
edited

The recommended solution is to install a new OS image on the device - one that includes "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider". Consult the device vendor for advice.

If this can't be done, we can try enabling our custom .NET implementation of Diffie-Hellman. The only problem with that is that it's very slow and is only usable on newer and faster devices.

0 votes
by (180 points)
edited

How do we enable your implementation? It may be easier than getting the vendor to add an image enhancement...

by (147k points)
edited

I sent a link to a new build of Rebex SFTP that does it automatically to your e-mail.

0 votes
by (140 points)
edited

Hey Lukas, is that build that does the custom Diffie-Hellman implementation still available anywhere? I am working with a Windoes CE device running .NET CF 2.0 and am tasked with adding SFTP support to the software running on the device and I am experiencing the exact same issues as described here. I am currently using the Trial implementation to try and get it to work, but I am afraid that if I can't get it to work we won't be able to support SFTP as I cannot find any other implementation anywhere. Also, since we source our CE devices from another country, reworking the image is not an option for us at this time. I am hoping to convince my company to use this product, but if we can't get it implemented we will have to figure something else out. Can you all help? Thanks!

by (72.7k points)
edited

I have sent a link to the current beta build to your email.

0 votes
by (160 points)
edited

Can you please send me the link to latest beta version which has Fix in it?

I too having the same issue with .Net CF device, using build 3793.

Also, few times, "Channel has been closed" error is also appearing.

Can you please let me know, If there is a new build for the same too?

Thanks very much for your help.

by (147k points)
edited

I have just sent a link to the current beta build to your email. Please let us know whether it solves the issues.

...