Encrypted Telnet

Encrypted Telnet

Post by JAY LYA » Sun, 05 Feb 1995 18:58:00




Jay Lyall (Capy Toad Blast)                But we don't want it."
                                               --Replacements

Jay has the following to say:
Does anyone have some info on encrypted telnet? Could ya please
send it to me or post it?

Thanks

jay

 
 
 

Encrypted Telnet

Post by Bill Husl » Tue, 07 Feb 1995 07:49:30




> Does anyone have some info on encrypted telnet? Could ya please
> send it to me or post it?

Post it please -- I too am interested.
Bill

 
 
 

Encrypted Telnet

Post by Mark Dadg » Wed, 08 Feb 1995 08:01:09






> > Does anyone have some info on encrypted telnet? Could ya please
> > send it to me or post it?

> Post it please -- I too am interested.

I'll second that - I'm interested as well.  Please post.

- Mark
--
Mark Dadgar             | If we had thought something this big was
Network/Systems Admin.  | going to happen to us, do you think we would
NeXT Computer, Inc.     | have called ourselves TOAD THE WET SPROCKET?!

                Here I am, NOT speaking for NeXT.

 
 
 

Encrypted Telnet

Post by MM » Wed, 08 Feb 1995 13:55:37


: Does anyone have some info on encrypted telnet? Could ya please
: send it to me or post it?

I haven't seen any publicly available packages, although something
like Netlock or Isolation Systems would have the capability to do
both clear-text & encrypted sessions. If you need any information
about the products, feel free to mail me your address, etc. & I'll get some
stuff in the mail to you.

Jeromie
Garrison Associates      Digital Crime Prevention Specialists

 
 
 

Encrypted Telnet

Post by Holger Tra » Sun, 12 Feb 1995 02:01:47




>Jay Lyall (Capy Toad Blast)                But we don't want it."
>                                               --Replacements
>Jay has the following to say:
>Does anyone have some info on encrypted telnet? Could ya please
>send it to me or post it?
>Thanks
>jay

As part of the TAMU security package you are offered "sra.tar". This
archive contains modified BSD sources for Telnet and FTP (clients
and daemons included). This new Telnet optionally supports authentication
and encryption and FTP supports authentication only. Authentication
avoids sending user id and password as clear text. Three modes of
authentication are possible: Kerberos 4, Kerberos 5 and SRA.
SRA (Secure RPC Authentication) is a TAMU specific option and uses the
Diffie-Hellman algorithm to exchange a common session key at the beginning
of a session. The same idea is to be found with Sun's Secure RPC (RFC 1057).
This common session key is used to encrypt the uid and the password.

Here are some remarks on this software:
We found sra.tar on a CD some weeks ago but unfortunately some files were
corrupt. After looking round for a while we found an intact version at a
Japanese FTP server. This release didn't contain the DES code. That's why we
built a separate freely available DES library and linked all together.
We omitted the Kerberos specific parts and concentrated on SRA only.
SRA is quite an efficient technique. You can read about it in a paper
by its authors included in this release.
After several little modifications in various files Telnet and FTP worked
as we had intended. That means it supports on demand authentication as well as
encryption. We have been using this software for about two weeks now
and we are very satisfied. It seems to be quite reliable.

At the moment we think of replacing DES with IDEA but we are not sure yet whether
this will be done or not. It mainly depends on the amount of work required.

It's possible to get the sources from us. If you're interested send us a
mail. It would be possible to distribute the package as a MIME mail or put it
on our FTP server. This will depend on the number of people interested in it
and their choices.

--
===============================================================
Name       : Holger Trapp
Institution: Technical University of Chemnitz-Zwickau
             Faculty of Computer Science

 
 
 

Encrypted Telnet

Post by Lenny Turets » Sun, 12 Feb 1995 18:43:50


I'd like to hear people's opinions on whether to use MIT's Kerberos or
TAMU's SRA (which I gather is based on Kerberos).

Which shortcoming(s) of Kerberos was SRA meant to fix?

LT


> As part of the TAMU security package you are offered "sra.tar". This
> archive contains modified BSD sources for Telnet and FTP (clients
> and daemons included). This new Telnet optionally supports authentication
> and encryption and FTP supports authentication only. Authentication
> avoids sending user id and password as clear text. Three modes of
> authentication are possible: Kerberos 4, Kerberos 5 and SRA.
> SRA (Secure RPC Authentication) is a TAMU specific option and uses the
> Diffie-Hellman algorithm to exchange a common session key at the beginning
> of a session. The same idea is to be found with Sun's Secure RPC (RFC 1057).
> This common session key is used to encrypt the uid and the password.
> Here are some remarks on this software:
> We found sra.tar on a CD some weeks ago but unfortunately some files were
> corrupt. After looking round for a while we found an intact version at a
> Japanese FTP server. This release didn't contain the DES code. That's why we
> built a separate freely available DES library and linked all together.
> We omitted the Kerberos specific parts and concentrated on SRA only.
> SRA is quite an efficient technique. You can read about it in a paper
> by its authors included in this release.
> After several little modifications in various files Telnet and FTP worked
> as we had intended. That means it supports on demand authentication as well as
> encryption. We have been using this software for about two weeks now
> and we are very satisfied. It seems to be quite reliable.
> At the moment we think of replacing DES with IDEA but we are not sure yet whether
> this will be done or not. It mainly depends on the amount of work required.
> It's possible to get the sources from us. If you're interested send us a
> mail. It would be possible to distribute the package as a MIME mail or put it
> on our FTP server. This will depend on the number of people interested in it
> and their choices.
> --
> ===============================================================
> Name       : Holger Trapp
> Institution: Technical University of Chemnitz-Zwickau
>              Faculty of Computer Science

--
   _____________________________________________________________________
 /|                                                                     |
| | There are only two organizations that I know of that send armed     |
| | men in dark suits and sunglasses to take money they haven't earned: |
| | the mafia and the government.                   -- Lenny Turetsky   |
| |                                                                     |
| |_____________________________________________________________________|
|/_____________________________________________________________________/
 
 
 

Encrypted Telnet

Post by Geoffrey Cor » Sat, 11 Feb 1995 06:48:08


I know that MIT has a Kerberized Telnet.  You have to have both the daemon and
a client.  I'm not sure what the license on it is like; try e-mailing

Also, NCSA has kerberized telnet for the Mac; i.e., the code and algorithms are
out there in the public domain.

GJC

 
 
 

Encrypted Telnet

Post by David Dent » Wed, 15 Feb 1995 11:45:39





|> > > Does anyone have some info on encrypted telnet? Could ya please
|> > > send it to me or post it?
|> >
|> > Post it please -- I too am interested.
|>
|> I'll second that - I'm interested as well.  Please post.
|>
|> - Mark
|> --
|> Mark Dadgar               | If we had thought something this big was
|> Network/Systems Admin.    | going to happen to us, do you think we would
|> NeXT Computer, Inc.     | have called ourselves TOAD THE WET SPROCKET?!

|>           Here I am, NOT speaking for NeXT.

Take a look at the work by Lawrie Brown from the Australian Defence Force Academy.

ftp.adfa.oz.au:/pub/security/adfa-telnet

I don't know whether it is generally available.

David Denton
ANSTO
Sydney
Australia

 
 
 

Encrypted Telnet

Post by Delman L » Thu, 16 Feb 1995 15:11:10



   ] Note that the particular exchange used by SRA (which has a poor choice
   ] of the specific 192 bit Diffie-Hellman modulus used) has been
   ] cryptographically broken.

Anybody know what currently are pretty secure modulus and root?
Currently SRA uses a root of 3 and modulus of

  d4a0ba0250b6fd2ec626e7efd637df76c716e22d0944b88b

Any references?

It is easy to change the code to use a more secure modulus.

Thanks, Delman.
--
______________________________________________________________________

  Delman Lee                             Tel.: +1-215-662-6780
  Medical Image Processing Group         Fax.: +1-215-898-9145

______________________________________________________________________

 
 
 

Encrypted Telnet

Post by Holger Trap » Thu, 16 Feb 1995 23:37:56



> Is having the server "populated" with keys a bad thing? Is it less
> secure than using a breakable encryption algorithm?

I'm not sure but often a breakable algorithm seems not to be the main
problem. If I think of our campus network there are not many cryptanalysts
around but many people with sniffer programs. So it's a good idea
to avoid sending passwords in the clear, I think.


> > >I'd like to hear people's opinions on whether to use MIT's Kerberos or
> > >TAMU's SRA (which I gather is based on Kerberos).

The package we modified is completely independent of Kerberos.
(URL: ftp://ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp)

> > >Which shortcoming(s) of Kerberos was SRA meant to fix?

> > No shortcomings, per se.  The Diffie-Hellman exchange used by SRA
> > permits a server and client to agree on a secret key without knowing
> > anything about each other ahead of time.  Kerberos requires
> > configuration of a Kerberos server and population of the server's
> > database with client and server keys.

Let me cite from the abstract of the paper

  Secure RPC Authentication (SRA) for Telnet and FTP

"... These techniques, however, have several drawbacks, including technical
complexity, poor vendor support, and organizational problems. This paper
presents SRA, a very simple and tested technique based on Secure RPC which,
while certainly not as strong as RSA, is reasonably strong, fast, and trivial
to implement immediately for both inter and intra-domain communications."

You can get this paper (sra.ps) on several FTP servers. It's also part of the
source distribution.

> > Note that the particular exchange used by SRA (which has a poor choice
> > of the specific 192 bit Diffie-Hellman modulus used) has been
> > cryptographically broken.
> > --
> > Jeff Hayward

You can read about weaknesses of Kerberos as well. I suppose you won't
get absolute security with it. But it's much more expensive than SRA.
In our opinion SRA is a good compromise at the moment.

Another lightweight solution is S/Key.

===============================================================
Name       : Holger Trapp
Institution: Technical University of Chemnitz-Zwickau
             Faculty of Computer Science
             Chair of Computer Networks and Distributed Systems
Address    : 09107 Chemnitz
Location   : Strasse der Nationen 62
Phone      : +49 371 531 1379
Fax        : +49 371 531 1628

===============================================================

 
 
 

Encrypted Telnet

Post by Jeff Haywa » Fri, 17 Feb 1995 05:35:33




>This paper
>presents SRA, a very simple and tested technique based on Secure RPC which,
>while certainly not as strong as RSA, is reasonably strong, fast, and trivial
>to implement immediately for both inter and intra-domain communications."

>You can read about weaknesses of Kerberos as well. I suppose you won't
>get absolute security with it. But it's much more expensive than SRA.
>In our opinion SRA is a good compromise at the moment.

This is a dangerously misleading statement.

There is no cryptographic attack on Kerberos that I know of which has
been proven to work - that is, one which has actually broken or forged
a Kerberos ticket.

There is a well-known, published attack on SRA.  It can *always* be
broken, in under a few minutes on a PC class machine.  This is a
severe weakness.  I grant you it's better than passwords in the clear,
but not by much.  Anyone who can sniff packets can break SRA
exchanges.

A Diffie-Hellman exchange with a more circumspect choice of modulus
would be much preferred.  This would still leave a man-in-the-middle
attack open, but that requires much more access on the part of the
attacker to be successful.  There's also the issue of the
Diffie-Hellman patent to be considered.

Your points about the complexity and cost of administering a Kerberos
infrastructure vs the simplicity of Diffie-Hellman are otherwise well
made.

--
Jeff Hayward

 
 
 
