NS-DDN@DDN2.UUCP.UUCP (01/15/87)
I know it's hard for some people to believe, but the only locally available encrypting hardware/software for many users lies under the cranium! There are still lots of dumb terminals in other budget-consious organizations. Although Charles' original request specifically ruled them out of his network, I, for one, have to maintain their support. Consequently, I would like this discussion to bear them in mind. As Ron said, Charles, we're ignoring the problem of application program passwords (in this sense, TSO qualifies as such). Having run whatever gauntlet is implemented to gain access to server TELNET, your users will then have to logon to your host's applications. Thus you would probably want to monitor the TELNET session and encrypt the incoming responses for all recognized password prompts. But you would still be exposed to situations where no prompt is given unless you encrypted the entire user transmission. For example, assuming an implementation along the lines of Ron's scenario: TSO: ENTER LOGON - Server TELNET: [Encrypt your response with your ACP password] User: logon myid/mypass a(xyz) If this is going on through a virtual 3278, you would be forced to negotiate back to an NVT for that one transaction or create a screen for TELNET's use, decrypt the datastream returned, unwrap and remap the single line into the VTAM screen. It also means you would have to analyze your supported applications to determine where passwords are expected in responses, what those prompts look like in terms of constants and variables, and maybe software DES would be running a tight footrace with this kind of overhead. Does the application support command stacking with a special character, such as a semi-colon? Server TELNET may never see the normal prompt... I'll bet that physical security approach is sounding better and better all the time! Try suggesting to your IBM marketeer that they provide 370 DES instructions and supporting software. Also, get involved in SHARE and champion a requirement that IBM software get its password obscuring act together, recognizing that users are not always connected by an SNA device.