
I am working with hardware devices which support the SFTP protocol for file transfer. For that I have created an SFTP server in AWS Transfer Family.

The issue I am facing is that the device does not support any cryptographic algorithm that is supported by AWS Transfer Family.

Due to that I am getting the following error:

ERRORS KEX_FAILURE Message="no matching key exchange method found" Kex=diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 SourceIP=121.244.200.210

Algorithms which are supported by the instrument:

  • Key Exchange Algorithms (Kex_Algorithms): diffie-hellman-group1-sha1, ssh-rsa
  • Cipher: 3des-cbc
  • MAC: hmac-md5

These are a deprecated set of cryptographic algorithms which are not supported by AWS Transfer Family: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

Also, currently there is no way to upgrade the device to change the cryptographic algorithms.

What alternative do I have for making the connection?

Mihir Mehta
  • Looks like no option. All of the device cryptos are deprecated as you noted. I checked all 3 families and there is nothing that matches. Is the instrument no longer supported? – Rodrigo Murillo Aug 17 '21 at 11:53
  • Thanks @RodrigoM, yes, the hardware provider doesn't support this device, and we couldn't upgrade the firmware.... – Mihir Mehta Aug 17 '21 at 12:21
  • Bummer! What type of instrument is it? Is there some upgrade path perhaps? – Rodrigo Murillo Aug 17 '21 at 13:24
  • Yeah ... It's basically a medical device, meant to store patient reports... which needs to be installed in hospitals... there is very limited amount of connectivity option there.... – Mihir Mehta Aug 17 '21 at 13:28
  • Would creating my own SFTP server on an EC2 instance make sense? Any document or reference on the same? – Mihir Mehta Aug 17 '21 at 13:29
  • 3des-cbc is known to be insecure and practically exploitable. None of the other algorithms are considered acceptable, either. This device is wildly insecure and shouldn't be used for private information. – bk2204 Aug 17 '21 at 21:35
  • While 3DES is not the most secure algorithm, that doesn't mean that it's going to be easy to break. Weak ciphers like 3DES can be broken via brute force, but note NIST allows its use till 2023. It may take a supercomputer a month to crack. Possibly more computationally expensive than the data is worth. Apparently Mozilla still uses it today. See https://en.m.wikipedia.org/wiki/Triple_DES – Rodrigo Murillo Aug 18 '21 at 12:20
  • This is not a [programming question](https://stackoverflow.com/help/on-topic). – Martin Prikryl Aug 20 '21 at 18:58
  • @MartinPrikryl I have specifically asked this question to check if there is any "programmable" solution to overcome this limitation. – Mihir Mehta Aug 24 '21 at 12:02

1 Answer


You could consider a standalone SFTP server that supports deprecated ciphers, and install it on a dedicated EC2 instance.

Check this out: https://zappysys.com/forums/topic/ciphers-algorithms-supported-sftp-connection/ I think it matches your device cryptos. It may not be a HIPAA-approved setup, which would be my concern, should you be subject to that.

Perhaps you can add compensating controls like a VPN endpoint, and you could tunnel deprecated protocols through it. This would provide better security for data in transit, as 3DES is considered a weak cipher. For a security analysis see https://crypto.stackexchange.com/questions/51629/is-triple-des-still-considered-safe-to-use

Rodrigo Murillo
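As an added example, not from the question or the answer, here is a script that writes a sshd_config for the dedicated legacy-only SFTP listener the answer proposes on EC2, limited to the device's algorithms, its account and its source address, with SFTP-only confinement. The device address 203.0.113.10, the user name legacydevice and the paths are constructed placeholders; it assumes an OpenSSH sshd whose build still includes these algorithms (disabled by default in current releases, not removed).

```shell
#!/bin/sh
# Added example, not from the question or answer: write a sshd_config for a
# dedicated legacy-only SFTP listener on the EC2 host. The device address
# (203.0.113.10), user name and paths are constructed placeholders.
# Assumes an OpenSSH sshd whose build still includes these algorithms;
# confirm with: sshd -T | grep -i -e kex -e ciphers -e macs

write_legacy_sftp_config() {
    out="$1"        # path the config is written to
    device_ip="$2"  # source address the device connects from
    cat > "$out" <<EOF
# Legacy-only listener: run this as a second sshd on its own port and keep
# the administrative sshd on port 22 with modern defaults. KexAlgorithms,
# Ciphers, MACs and HostKeyAlgorithms cannot be scoped inside a Match block,
# so a separate daemon is the only way to confine them to this one device.
Port 2222
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-rsa
Ciphers 3des-cbc
MACs hmac-md5

# Only the device account, and only from the device's address; the EC2
# security group should also restrict port 2222 to that address (or to the
# VPN endpoint suggested as a compensating control).
AllowUsers legacydevice@${device_ip}
PermitRootLogin no
Subsystem sftp internal-sftp
LogLevel VERBOSE

Match User legacydevice
    # SFTP only: no shell, no TTY, no forwarding, confined to its directory
    # (the chroot directory must be owned by root and not group-writable).
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# Usage: write_legacy_sftp_config /etc/ssh/sshd_config_legacy 203.0.113.10
# then validate on the host with: sshd -t -f /etc/ssh/sshd_config_legacy
```

If the device authenticates with an RSA key signed with SHA-1, the pubkey algorithm list (PubkeyAcceptedAlgorithms, or PubkeyAcceptedKeyTypes on older releases) needs ssh-rsa added as well.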