SSHield - Secure Shell
Embedded Secure Shell (SSH / SECSH) Server and Client
SSHield is an embedded Secure Shell (IETF SECSH, formerly known as SSH) implementation with a full-featured suite of secure applications that are interoperable with all popular desktop, server and embedded SSH implementations. SSHield enables secure communication over a public or insecure network using popular encryption and authentication techniques. It includes an SSH server and client, secure copy (scp), a secure FTP client and server (sftp and sftpd), and a built-in version of modular crypto libraries, all of which can be scaled out when not in use. It adds advanced features such as X.509 digital certificate support and Kerberos authentication, along with performance and memory optimizations for low-resource embedded environments. SSHield is an ideal fit for secure command-line management of any networked equipment and for securely transferring data and image files between field embedded devices and centralized servers.
SSHield is a standards-based implementation of the SSH protocol, and integrates the core server and client components needed to implement a secure communication channel over insecure networks.
Its unique, advanced features include a full suite of secure applications such as an embedded SSH client and server, secure copy (scp), secure FTP client and server (sftp and sftpd), a built-in version of modular crypto libraries including support for AES, 3-DES, SHA-1 and other encryption & hashing algorithms.
Since SSHield is a designed-for-embedded implementation, the extensive feature set does not come at the expense of a large memory footprint or a performance penalty. Further, individual features can be disabled at run-time or even completely scaled out of the run-time image to eliminate any impact from unused features and components. Individual ciphers and hashing algorithms can be scaled in or out for the best application-specific trade-off between legacy compatibility and resource usage.
SSHield also includes flexible authentication support, ranging from a simple password-based scheme (with the password exchanged in encrypted form) to public-key authentication (RSA and DSA based), X.509 digital certificates and other schemes. Plug-in Kerberos authentication support is included and can be enabled by adding a Kerberos module such as AuthAgent Kerberos.
SSHield can be used in any setting where a secure equivalent of FTP or telnet is desired, including command-line interface (CLI) management of embedded datacom, telecom, industrial and other equipment. SSHield includes specific hooks for integrating with existing CLIs and management backplanes, and also includes a modular helper library for optionally developing CLIs from scratch.

SSHield is not limited to CLI security, and can be used to secure a wide range of applications by integrating the application with SSHield secure file descriptors as a replacement for standard I/O, or as a secure transport for any TCP-based networking protocol, using a generic tunneling mechanism ("port-forwarding"). Port-forwarding not only serves as a convenient secure transport channel, but also enables TCP applications to be secured without requiring the application's source code to change or even be re-compiled! In other words, even binary application components for which source is not available (such as a telnet server or client) can be secured transparently with SSHield.
SSHield's SSH protocol implementation is completely interoperable with commercial and open-source flavors of the protocol available on desktop, server and other embedded platforms.
SSHield has been extensively validated on a variety of CPU architectures, which minimizes development and integration effort. Its support for multi-tasking, memory partitions and OS abstractions is lean yet fast. SSHield enables secure transactions in embedded network applications with the fewest changes to the application.
Features & Benefits
- Provides SSH protocol client and server support with both SSHv1 and SSHv2.
- Includes sftp client and server as well as scp with flexible library-style APIs.
- Supports password authentication in addition to public-key user authentication.
- X.509 certificate support for authentication.
- Support for Kerberos authentication.
- Supports custom authentication mechanisms.
- Modular crypto to scale out unneeded ciphers and hashes.
- APIs for target-based key generation.
- Data compression support.
- Port Forwarding for legacy applications and X11 Forwarding.
- Abstracted file IO system.
- Works with standard SecureShell client implementations on other platforms.
- Support for CPU types of either endianness, including PowerPC, MIPS, x86 and ARM/XScale.
Advanced Features
- Includes server and client components for the SSH protocol as well as subsystems for SFTP and SCP
- Wide choice of encryption algorithms including AES (Rijndael), DES, 3DES, Blowfish, Twofish, CAST or Arcfour
- Overridable Pseudo Random Number Generator (PRNG)
- FIPS-certified cryptographic algorithms and FIPS 140-2 certification
- Target based key generation
- Extended support for digital certificate authentication
- Multi-tasking support
- Enhanced memory management & partition support
- Native support for VxWorks 5.3, 5.4.x, 5.5.x, and AE 1.x, Linux, QNX, pSOS and other OSes.
Cryptography Support
The SSHield implementation of the SSHv1 protocol uses RSA-based authentication and key exchange built on public-key cryptography. SSHield's SSHv2 protocol can use either RSA- or DSA-based authentication and provides additional methods for encryption. SSHield supports the following encryption ciphers and is further capable of supporting others from the included crypto library, or new ones as they are developed:
- AES
- 3DES
- CAST128
- Arcfour
SSHield also provides the hmac-sha1 and hmac-md5 message authentication code (MAC) algorithms for message integrity protection.
SSHield's included crypto library contains APIs to support popular hardware accelerators and dynamic key generation on the embedded target. Further, the cryptographic functionality, including the use of X.509 certificates, is completely modular, allowing unused ciphers to be scaled out for a deeply reduced memory footprint.
Authentication Support
Besides supporting public-key, X.509, and password based authentication out of the box, SSHield also includes hooks for customizing the authentication to plug in to various authentication standards such as RADIUS, Kerberos, or other proprietary authentication schemes including hardware tokens and biometric-based methods. Pre-tested integration with TeamF1’s AuthAgent Kerberos as an optional authentication method allows for enterprise use of SSHield-enabled embedded devices in environments such as UNIX® Kerberos realms and Microsoft® Active Directory controlled networks.
Port Forwarding
SSHield’s port forwarding is a powerful generic tunneling feature that allows the transparent and secure forwarding of TCP connections from one network node to another. Using this powerful mechanism, legacy insecure applications can be secured by redirecting traffic through the encrypted tunnel provided by SSHield. Security of the forwarded ports at the remote end can be further augmented by complementing the network security features of SSHield with a packet filtering firewall, such as TeamF1’s FireFly, which gives fine-grained control over the accessibility of application ports from the public network, while simultaneously allowing full access from within the tunneling capabilities of SSHield. Where exposure of these ports is not as big a concern, SSHield contains built-in IP-level blocking facilities to restrict outside connections that originate from specific IP addresses.

Secure File Transfer
SSHield's flexible APIs for accessing the functionality of SFTP (secure FTP, client and server) as well as SCP (secure copy) enable the use of secure file transfer in embedded applications without tedious command-line processing. An ftpLib-style library API augments the standard standalone sftp/scp command usage and allows full access to the secure file transfer subsystems of the SSH protocol.
Securing CLIs
For applications needing a new CLI layer, SSHield includes a utility function library to generate commands and hook them up to internal application management functionality with ease. For applications that need to secure an existing CLI, the CLI utility library can be scaled out easily to reduce resource requirements. SSHield also integrates well with existing CLI (command line interface) based device management frameworks that may already be in place. It has pre-defined interfaces for common management backplanes such as Rapid Control® CLI and WIND® Manage for CLI allowing for drop-in integration with these products, and can work with other CLI libraries including proprietary ones.
Flexible IO
SSHield includes an optional abstract IO system to provide maximum flexibility for embedded devices that may not have a traditional file system and yet require secure file transfer capabilities, as well as the ability to store and access keys from non-file-system storage media. This, coupled with the ability to dynamically generate keys on the embedded device, greatly facilitates the key management functions an embedded application may need.
Interoperability
SSHield is compliant with the IETF definition of the SECSH protocol and is interoperable with freely available and commercial implementations of this protocol. It has been extensively validated against various SSH clients & servers, SFTP clients & servers, and SCP implementations on embedded and non-embedded platforms, including those on Windows®, Solaris®, UNIX®, and Linux. SSHield-enabled connected embedded devices can easily work with other SECSH implementations on a local network or across the Internet.

Management Framework
SSHield provides API routines to administer a database of permitted RSA and DSA keys, and to configure SSHield server options. Password authentication is managed by a table-driven mechanism, which can be manipulated programmatically as well. External authentication mechanisms such as those using smart cards, RADIUS, Kerberos and other custom methods are easily incorporated into the Secure Shell framework using configurable call-outs. Similar flexible hooks are provided for user-configurable data sources used by SFTP services instead of direct accesses to the file-system.
Customization Flexibility
- Available in full-source format.
- Configurable choice of encryption and authentication methods.
- Overridable PRNG functionality.
- Hooks to use configurable data-sources in lieu of file-systems.
- Configurability for proprietary external authentication mechanisms.
- Customizable hardware assist functionality.
- Complete scalability of unwanted components.