Robert.Smart@ditmela.oz.au (Robert Smart) (04/17/89)
Posting #53 to aus.comms ------------------------------------------------------------------------ There is interest in security of access over a TCP/IP network. Here is a simple proposal for your criticism. The objective is minimum change to existing code. This addresses two related security issues: (1) people attempting unauthorized access to your system; (2) the fact that the TCP data stream is easy to snoop on as it passes through insecure parts of a network. The first thing a Secure-TELNET daemon does when it receives a connection is send a random number (say 4 bytes) to the client. The client has to know the servers "magic number". It combines that magic number with the random number to obtain two random number sequences. The server does the same. From then on each byte in the TCP stream is XORed with the low order byte of the appropriate random number sequence. This simultaneously encrypts outgoing bytes and decrypts incoming ones. In fact the encryption/ decryption code should be in the TCP layer so that it is quite easy to modify other applications like ftp to produce secure versions. I think this would have a low overhead and be very hard for someone watching the data stream to decrypt. Any encryption experts like to comment? The nice thing about this scheme is that it can be used in two distinct ways. You can set it up so that machines you trust (on your local subnet, etc) know the "magic number". The users of those machines can log in to your machine via Secure Telnet without having the "magic number". Indeed it is best if the number is held securely so they can't find it out. For the much smaller number of people who use your machine from remote hosts, perhaps while travelling, you can tell those people the magic number and they can tell the secure Telnet client the number when they invoke it. -- Bob Smart, <smart%ditmelb.oz.au@uunet.uu.net> or <uunet!munnari!ditmelb!smart>