-----BEGIN PGP SIGNED MESSAGE----- Just noticed this on USENET. Sorry if it's passed through cpunks lately, but ya know, sometimes I just fall asleep while the conspiracypunks drivel goes by, and don't notice when someone strays back to crypto. - ---Start Msg Newsgroups: alt.security,sci.crypt Subject: Secure Telnet: Summary Message-ID: <41q81d$22he@info4.rus.uni-stuttgart.de> From: zcbi1122@rpool4.rus.uni-stuttgart.de (Jochen Schwarze) Date: 27 Aug 1995 16:55:09 GMT Organization: Comp.Center (RUS), U of Stuttgart, FRG NNTP-Posting-Host: rpool4.rus.uni-stuttgart.de Lines: 74 Thanks to everyone who responded to my posting regarding a `secure telnet' implementation: Is there a (possibly free) implementation of something like a "secure telnet"? I'm looking for a way to login into a remote system providing secure interactive communication between the two hosts over (possibly insecure) Internet connections. Here's a summary of the implementations I am now aware of: * SSL There is a free implementation of Netscape's SSL Protocol (Secure Socket Layer) by Eric Young named "SSLeay" <ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/>. Eric Young is also the author of a popular DES Library. <ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/> SSL provides a secure authentication and encryption basis on top of which application protocols like telnet, ftp, and http may be transparently added <http://home.netscape.com/info/SSL.html>. However, the RC4 encryption using a 40 bit key, which is employed by SSL, has recently been cracked with a brute force attack, see RISKS-17.27 <http://catless.ncl.ac.uk/Risks/17.27.html#subj1>. A modified version of telnet that uses SSL-based authentication and encryption is also available <ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/>. * Deslogin Deslogin by Dave Barrett <barrett@asgard.cs.colorado.edu> provides a network login service much like rlogin/rlogind. Deslogin uses a `challenge-response' protocol to authenticate users. Also, all data transmitted to and from the remote host in encrypted using the DES. Deslogin also includes a command-line program `cipher' for fast DES encryption. <ftp://ftp.uu.net/pub/security/des/> * SRA Telnet This is a version of the SRA Telnet modified by the Technical University of Chemnitz. A session key is negotiated using an uncertified Diffie-Hellman-Method and used for the encryption of UID and password. The complete session text in encrypted with DES in CFB mode. <ftp://ftp.tu-chemnitz.de/pub/Local/informatik/sec_tel_ftp> * Ssh Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. Among other features, Ssh is a complete replacement for rlogin, rsh, and rcp. <ftp://ftp.funet.fi/pub/unix/security/ssh-1.0.0.tar.gz> * Skey Bell Canada's `skey' free-ware implements a one-time password system, so that sniffers can get your ID and PW, but can't use the PW next time. <ftp://ftp.cert.dfn.de/pub/tools/password/SKey/> - ---------------------------------------------------------------------- I provide this information in the hope that it will be useful, but with no claim of either completeness or correctness. Thanks again to all who contributed to compile the above information. - -- Jochen Schwarze <jochen.schwarze@studbox.uni-stuttgart.de> - ---End Msg First question: what does anyone know about these programs. Second question: since I'm only a cyphergroupie, how can I make use of these programs? Currently, I'm trying to move as many operations as I can (mix client, mail reading, etc) to my local Linux box so that all traffic headed through my server is already encrypted. Naturally, some of these programs look interesting, the SSL telnet (but what about the other end?) for example. I noticed an announcement that DID come across cpunks: [snip] Announcing CryptoTCP beta version 0.9 CTCP is a public domain software package to do encrypted TCP sessions on unix systems. It features Diffie-Hellman key exchange with triple-DES encryption. This initial release is to be considered a beta version. Bug reports or comments on security issues are invited. [snip] Detached signature for ctcp.0.9.tar: - - -----BEGIN PGP MESSAGE----- Version: 2.71828 iQCVAgUAMBqiPf32LDYerV6NAQHUoAP/RLU0mM3ydxC9vjzay8hR5Qmb5zupHyCO klW8IYjxIt14jnBTqkVM7q+mnaAWK2Ishppe14H5K6MAn/VOe2o5Hf61wAzJuxzw wywiA9ZOdb+2cxm86YMgdbrnv430BCbSjPITV5PHyorovSqhX4RLLB1R8oOX4WUB 5WwzgLyV6Kc= =ltvK - - -----END PGP MESSAGE----- But I missed where this comes from, and I doubt I'd be able to drop it into my Linux in anything resembling a plug-and-play style. Anybody tried this? Don -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMEFQdMLa+QKZS485AQENNwMAu5du39fa8Dy5qaFCV0sq2IK4kwUVGYsP 1RndpErFYQoWC6wTmz2wB4AqeDUG6OmujFPF6as9vvl6RPT3MxKcd2St7wAGllwX p7Q0WTfPA7u2ICStsvJ/MtRMKSMQniii =fYr3 -----END PGP SIGNATURE----- <don@cs.byu.edu> fRee cRyPTo! jOin the hUnt or BE tHe PrEY PGP key - http://bert.cs.byu.edu/~don or PubKey servers (0x994b8f39) June 7&14, 1995: 1st amendment repealed. Death threats ALWAYS pgp signed * This user insured by the Smith, Wesson, & Zimmermann insurance company *