amazon-web-servicessshcryptographysftpaws-transfer-family

How can i connect to AWS transfer Family's SFTP server using diffie-hellman-group1-sha1 algrothm


I am working with hardware devices which supports SFTP protocol for file transfer. for that i have created SFTP server in AWS transfer family.

The issue i am facing is that device does not support any cryptographic algorithm that is supported by AWS transfer family

Due to that i am getting following error

ERRORS KEX_FAILURE Message="no matching key exchange method found" Kex=diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 SourceIP=121.244.200.210

Algorithms which are supported by the instrument :

Key Exchange Algorithms (Kex_Algorithms) diffie-hellman-group1-sha1 ssh-rsa Cipher 3des-cbc MAC hmac-md5

These are deprecated set of cryptographic algorithm which is not supported by AWS transfer family. https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

Also currently there is no way to upgrade the device to change the cryptographic algorithm

what alternative do i have for making the connection.


Solution

  • You could consider a standalone SFTP server that supports deprecated ciphers, and install it on a dedicated EC2 instance.

    Check this out https://zappysys.com/forums/topic/ciphers-algorithms-supported-sftp-connection/ I think it matches your device cryptos. It may not be HIPAA approved set-up would be my concern, should you be subject to that.

    Perhaps you can add compensating controls like a VPN endpoint and you could tunnel deprecated protocols though it. This would provide better security for data in transit, as 3DES is considered a weak cipher. For a security analysis see https://crypto.stackexchange.com/questions/51629/is-triple-des-still-considered-safe-to-use