Recently I have been working on an ActionScript 3.0 (aka Adobe AIR) implementation of SSH for my PlayBook. Why? you may ask. Well, partly for the hell of it, partly to learn AIR/ActionScript (a bit of a grotesque language, but that’s for another post)), and partly because there isn’t one available at this time and I want to be able to admin some boxen from wherever I happen to be.

Unfortunately, the PlayBook currently doesn’t make its crypto APIs available to the public via ActionScript. Which is annoying. Not to be put off however, I cast around for some alternatives.

There are some ActionScript crypt libraries already out there (notably AS3Crypto: however unfortuately that doesn’t support Diffie-Hellman. So, back to first principles…

My maths is veeeery rusty though, and rather than re-invent the wheel regarding “g^x mod p” etc, I looked around for a BigInt library. Again, AS3Crypto has some support, however their version of the above operation only works if x is an int – hardly useful when x is a big-ass secret ideally some 512+ bits long.

Eventually my eyes lighted on Leemon Baird has implemented BigInt in JavaScript, and it seemed to fit. Fancying one more challenge, I took that code, and ported it to AS3.

The .js implementation handles bigInt’s as arrays. However, as it’s .js, there’s no typesafe-ness. So I added that, wrapping it into a class (BigInt). The internals are a bit disgusting, as I have ultimately created a private property ‘val’ which is an array, which all the private leemon-methods operate on.

Thus far it seems to work – Diffie Hellman completes correctly in my SSH implementation, and 3DES works. It’s entirely possible that I’ve introduced some bugs however – if anyone has any bigInt test cases they’d like me to run against, I’m more than willing.

Anyway, I now release this library to the world. Do (or not) as you see fit. The file is being hosted in my public dropbox ( as there’s no way to host .as or .txt files on wordpress (bad wordpress!).

Enjoy! And please let me know if you use it.

The code can be found here:

About these ads