I thought of this the other day, but don't know enough about programming and cryptography to do it, or if it actually could be done. Anyways, I figured I'd share it with all of you and see if anyone has any ideas.

Here's the situation: We all know that some advanced computer systems have real-time encryption built into all modem connections. When a bank branch dials into the main office the entire transmission may be encrypted. This occurs even between terminal connections and the host.

I'm wondering if there is a way to do this with PCs? Say I'm setting up a computer bulletin board for my company that is going to run off of a DOS PC. Is there a way to encrypt a remote user's entire connection with the BBS, so that they would have to have a special term program to access the system?

It would be best if the user only had to load a device driver or something so that they wouldn't all have to use the same comm program. Could this be done by loading a special device driver on both the host and remote so that all data going through com port 2 (or whatever) is encrypted? Anybody know if something like this is available?

Mike McMahon
Internet: 585-7625@mcimail.com
PGP Fingerprint: 95 F9 2A 1B 81 4F D8 31 56 ED BC A5 4F 64 A7 02
Michael McMahon <0005857625@mcimail.com> writes: [...]
> I'm wondering if there is a way to do [end-to-end encryption] with PCs? Is there a way to encrypt a remote user's entire connection with the BBS, so that they would have to have a special term program to access the system?
Sure, no problem, provided you are willing to do a lot of coding...

The basic idea would be to use public-key encryption to do a short negotiation of a one-time key to use for DES/IDEA encryption of the session. You could then use a public key for the system as a whole (with which the users can encrypt their personal public keys for uploading during the initial connection) and the user's public key to send the key transmitted from the BBS for the session. All that would be necessary is for you to add a bit of code to the comm program so that it would recognize when it was talking to a system such as this and do the right thing when needed (the actual encryption code is readily available in systems like PGP and the various DES implementations out there.)

The downside is that there are a lot of terminal programs out there for microcomputers and not many supply source code for such modifications. I had thought about using such a system when planning out a raid-proof 386BSD system and the hassles of trying to get at least one program to do this for every platform that might want to connect to such a BBS was more work than I wanted to do. Perhaps as an option (e.g. one line using end-to-end encryption and others normal) for connecting to a system, but if all the lines are done like this you will probably find making it difficult for people to connect like this keeps people away from the system.

jim
Re: encrypting modem links
> I'm wondering if there is a way to do this with PCs?

Yes, with difficulty, and not transparently.

> Is there a way to encrypt a remote user's entire connection with the BBS, so that they would have to have a special term program to access the system?

For PC's, replacing the terminal software is really the best way. There is no effective abstraction of serial port hardware in the PC world. The int 0x14 driver in the BIOS was rampantly defective, and MSDOS does not provide a standard interface. As a result, almost all comm software on PC's talks to the serial port directly. Now in MS Windows, there is abstraction for the serial ports, but I don't know how easy it is to insert a device layer.

> It would be best if the user only had to load a device driver or something so that they wouldn't all have to use the same comm program.

It might be possible, using a 386, to make a driver that acted as if it were hardware but actually did encryption. Ick. Reliability and cross-program compatibility would be shit. And it would have to be made compatible with whatever else was taking over the 386.

Remember: I hate DOS.

Eric
Eric Hughes wrote:
> > Is there a way to encrypt a remote user's entire connection with the BBS, so that they would have to have a special term program to access the system?
>
> For PC's, replacing the terminal software is really the best way. There is no effective abstraction of serial port hardware in the PC world. The int 0x14 driver in the BIOS was rampantly defective, and MSDOS does not provide a standard interface.
>
> As a result, almost all comm software on PC's talks to the serial port directly. Now in MS Windows, there is abstraction for the serial ports, but I don't know how easy it is to insert a device layer.
>
> > It would be best if the user only had to load a device driver or something so that they wouldn't all have to use the same comm program.
>
> It might be possible, using a 386, to make a driver that acted as if it were hardware but actually did encryption. Ick. Reliability and cross-program compatibility would be shit. And it would have to be made compatible with whatever else was taking over the 386.

Using something like a FOSSIL driver (a replacement serial port driver that many BBSes use) you could do this. I would imagine that it would only encode when carrier is up and the BBS software sends an INT14 AX=xx instruction to turn on encryption.

Tim
--
Internet: pozar@kumr.lns.com FidoNet: Tim Pozar @ 1:125/555
Snail: Tim Pozar / KKSF / 77 Maiden Lane / San Francisco CA 94108 / USA
POTS: +1 415 788 2022 Radio: KC6GNJ / KAE6247
What about a streams module that does encryption? Of course, it'd require people to run a real OS instead of dos/system...

--
J. Eric Townsend jet@nas.nasa.gov 415.604.4311
NASA Ames Numerical Aerodynamic Simulation | play: jet@well.sf.ca.us
Parallel Systems Support, CM-5 POC | '92 R100R / DoD# 0378
PGP2.1 public key available upon request or finger jet@simeon.nas.nasa.gov
Excerpts from internet.cypherpunks: 7-Apr-93 Real-time BBS Encryption?? by Eric Hughes@soda.berkele
> For PC's, replacing the terminal software is really the best way. There is no effective abstraction of serial port hardware in the PC world. The int 0x14 driver in the BIOS was rampantly defective, and MSDOS does not provide a standard interface.
>
> As a result, almost all comm software on PC's talks to the serial port directly. Now in MS Windows, there is abstraction for the serial ports, but I don't know how easy it is to insert a device layer.

Actually, there is a rather old (for the PC) abstraction called FOSSIL (Fido Opus Seadog Serial Interface Layer ... or so). It is essentially an extension/replacement for the BIOS int 0x14 driver. It is certainly possible to further extend this for encryption by adding some functions to the interface. The two FOSSILs I know of are X00 and BNU - They can be found in oak.oakland.edu:/pub/msdos/fossil

--
David Sward sward+@cmu.edu
> Sure, no problem, provided you are willing to do a lot of coding...

A lot of coding? You can come very close to doing it with off-the-shelf code. ka9q for SLIP. Telnet authentication is now an RFC, and encryption will be available probably within a few weeks. Plus, with IP, you can use existing mechanisms (like POP) to get your mail on your local PC and do your decryption there. This is beyond any PC code I know, and would require new development.

Marc
Michael McMahon <uunet!mcimail.com!0005857625> writes:

[Talks about real-time end-to-end encryption of user sessions on BBS's.]

It's not quite as sexy and "James Bond" as real-time end-to-end encryption, but I think an easier approach to this would be to adopt the architecture of the offline mail-reading programs that are available.

For the benefit of people unaccustomed to offline readers, these programs collect up all of the unread messages, E-mails, and file descriptions from a BBS, .ZIPs or otherwise packs/compresses the files, and then the user downloads that "packet", and hangs up. The user then uses a program on her local PC to read and reply to messages in that packet, dials the BBS again, and uploads her responses.

I haven't fussed around with offline readers much, but I'll bet it'd be pretty simple to add a step to the collection/.ZIP process, which would encrypt the whole package with some prearranged key.

This would allow folks to use standard BBS programs, standard terminal programs, and perhaps even standard offline readers. It should be pretty simple from a programming standpoint, as well; it's perhaps implementable with only batch commands. Yes, the "bad guys" will get to watch the user log on and log off, and can read the menus and choices - but so what? It's possible (easy, really) to encrypt all of the really interesting stuff.

--
Greg Broiles greg@goldenbear.com
Golden Bear Consulting +1 503 465 0325
Box 12005 Eugene OR 97440 BBS: +1 503 687 7764
[ Info on offline readers ]
> I haven't fussed around with offline readers much, but I'll bet it'd be pretty simple to add a step to the collection/.ZIP process, which would encrypt the whole package with some prearranged key.

Yes, that's a definite possibility. Most of the popular offline readers require that you first send them a packet (usually empty) so that they will put you in the database. The reader could just accept a certain file (pubkey.asc for example) that contains the key you want to be used. Then all sessions with you will be so encrypted. Your mail to the BBS could also be encrypted with the BBS's public key. Unfortunately, one problem still exists: I don't know of too many BBS's where the e-mail messages are actually encrypted on the disk. As a matter of fact, the SYSOP can usually read all mail.

> This would allow folks to use standard BBS programs, standard terminal programs, and perhaps even standard offline readers. It should be pretty simple from a programming standpoint, as well; it's perhaps implementable with only batch commands. Yes, the "bad guys" will get to watch the user log on and log off, and can read the menus and choices - but so what? It's possible (easy, really) to encrypt all of the really interesting stuff.

Some of those programs (MegaMail, TomCat, etc) run PKUNZIP to unzip the file(s) then take care of the files themselves. There isn't an easy way to throw in encryption. I would be willing to add an encryption option to my offline mail software, though. I have written a UTI (Universal Text Interface) for ChaelBoard that lets it interface with RelayNet(tm) and offline mail readers that use UTI's. I also write a QWK/REP interface that allows ChaelBoard to be a node (the hub software isn't quite done yet) on WildNet and for offline mail reading/replying. I could implement encryption in the ZIP/UNZIP step (for the users who have PGP keys registered with the BBS). Do you think it's worth my time?

Chael Hall
--
Chael Hall nowhere@bsu-cs.bsu.edu, 00CCHALL@BSUVC.BSU.EDU (317) 285-3648 after 5 pm EST
> Here's the situation: We all know that some advanced computer systems have real-time encryption built into all modem connections. When a bank branch dials into the main office the entire transmission may be encrypted. This occurs even between terminal connections and the host.

This is usually accomplished through an external "data encryption unit", which is interfaced between the terminal (host) and modem. It is NOT in software.

> I'm wondering if there is a way to do this with PCs?

Aside from those very expensive high-end boxes that banks use for their sensitive information, there was a DES encryptor made by Practical Peripherals years ago. It still may be available.
> I haven't fussed around with offline readers much, but I'll bet it'd be pretty simple to add a step to the collection/.ZIP process, which would encrypt the whole package with some prearranged key.

That's vulnerable... it's the secret key problem. The ELEGANT way to do this with encryption is to just make a normal ZIP file, but then build Diffie-Hellman into your file downloader (zmodem). This is also the least work solution.

SO, since we're talking about offline mail readers... What's the best one for the PC that works (or can easily be made to work) with rfc822 mail files? There's pcelm, which sucks... and there's mush, which is slooooow as hell because of all the overlays. I was writing my own, but I got side-tracked... somebody want to save me some programming?
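The Diffie-Hellman idea from the message above, as an added example that is not part of the original thread: both ends of a download agree on a fresh per-session key instead of a prearranged one. The RFC 3526 group 14 parameters, the SHA-256 key derivation, the HMAC-based keystream (a stand-in for the DES/IDEA ciphers mentioned in the thread) and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Assumed group: RFC 3526 group 14 (2048-bit MODP safe prime), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Fresh ephemeral private/public pair, generated once per session."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 32-byte session key; reject degenerate public values."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def keystream_xor(key, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Same call encrypts and decrypts; use each key for one transfer only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def demo():
    """BBS and caller exchange public values only; the key never crosses the line."""
    packet = b"PK\x03\x04 constructed stand-in for a zipped mail packet"
    bbs_priv, bbs_pub = dh_keypair()
    user_priv, user_pub = dh_keypair()
    k_bbs = session_key(bbs_priv, user_pub)      # BBS side of the exchange
    k_user = session_key(user_priv, bbs_pub)     # caller side of the exchange
    wire = keystream_xor(k_bbs, packet)          # what a line tap would see
    return k_bbs == k_user, wire != packet, keystream_xor(k_user, wire) == packet
```

The exchange here is unauthenticated and the keystream carries no integrity check, so a deployed version would also sign the public values (for instance with the PGP keys registered with the BBS, as discussed earlier in the thread) and authenticate the ciphertext.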
participants (11)
- David Reeve Sward
- Eric Hughes
- greg@ideath.goldenbear.com
- jet@nas.nasa.gov
- Marc Horowitz
- mccoy@ccwf.cc.utexas.edu
- Michael McMahon
- nowhere@bsu-cs.bsu.edu
- pozar@kumr.lns.com
- rustman@netcom.com
- stig@netcom.com