(This is a set of excerpts from a 1000-line file I got from a guy @IBM. If anyone wants the whole thing, just ask.)

| Network Security Program Version 1 Release 2 is a distributed authentication
| and key distribution program. The Network Security Program authenticates the
| identity of two communicating principals in the network and provides each
| with the ability to verify the identity of the other via a common third-party
| server.
|
| Network Security Program provides secured single sign-on (SSO) to 3270 host
| applications via an EHLLAPI emulator interface to a RACF* host system.
| Through the implementation of PassTickets, the user at the client workstation
| need only provide one log-on password that will allow secured access to
| multiple host applications. In addition to the TCP/IP transfer protocols for
| these platforms, NetBIOS is supported on AIX*, OS/2*, DOS*, and Windows; LU6.2
| is supported on AIX and OS/2.
|
| Network Security Program provides distributed security services that user
| applications may invoke through the Generic Security Services Application
| Programming Interface (GSSAPI). GSSAPI is approved as a Request for Comments
| (RFC) by the Internet Engineering Task Force (IETF). The underlying security
| mechanism is based on KryptoKnight, an advanced authentication technology
| developed by IBM Research Laboratories in Zurich, Switzerland and Yorktown
| Heights, New York.
|
| In V1R2 we are extending our platforms from the AIX/6000, OS/2 and DOS
| operating systems to include HP, SUN, and DOS/Windows for client and
| application server workstations. IPX/SPX is supported on OS/2 and Windows
| for authentication servers and clients running on workstations with Novell
| Netware. TCP/IP is supported on all the specified platforms. Single sign-on
| (SSO) support for OS/2 has been extended to LanServer and Novell.
|
| In DCE environments, Network Security Program is offered to customers whose
| environments pose authentication problems at the transport layer and below.
| Because of its compact tickets and flexible authentication protocols, Network
| Security Program can be more effective in satisfying this set of
| requirements. Network Security Program also provides secure LU2 sign-on to
| RACF host applications without requiring re-entry of host user names or
| passwords. Single sign-on to LANServer and Novell is also available. DCE is
| the recommended solution for customers requiring authentication above the
| transport layer (through secure RPC), for use by the application layer, for
| more complete security services, or for integration with other services, such
| as data access control or integration with resource managers.
|
| DATA CONFIDENTIALITY
|
| Commercial Data Masking Facility (CDMF) is a new technology recently
| developed by the IBM Crypto Competence Center. CDMF has a scrambling
| algorithm that will be supported under the GSS-API (GSS-SEAL / GSS-UNSEAL API
| calls). It provides the application programmer the capability to easily
| scramble selected packets of data sent in the network. Data confidentiality
| is secured from indiscriminate use and your assets stay protected.
|
| CDMF alleviates the worry of having your data flow across the network in
| clear text. The degree of security is equivalent to encryption using DES but
| with keys limited to 40 bits. IBM has obtained approval from the US
| Government to export CDMF in products without the license required to export
| products containing DES.
|
| TEXT
|
| TECHNICAL DESCRIPTION
|
| Network Security Program was developed to exploit key distribution and
| authentication technologies based on a third-party authentication server.
| Several technologies exist in the industry today, one of which is
| KryptoKnight, which was developed by the IBM Research Division laboratories
| in Yorktown Heights, NY, and Zurich, Switzerland. The KryptoKnight
| technology, from a user viewpoint, appears on the surface much the same as
| another security service developed at MIT, Kerberos. Though Kerberos has
| been made widely available through public access, it presents several
| limitations in certain network environments. Network Security Program
| provides extensions to the Kerberos technology that can prove most desirable
| to customers operating such network environments. For example, the smaller
| KryptoKnight tokens make implementation of security at lower networking
| layers possible. Other technical advantages include a use of cryptography
| that is not subject to export controls, flexibility in authentication
| protocols for situations in which the client cannot contact the
| authentication server directly, and the reduced dependency on clock
| synchronization among communicating principals.
|
| Network Security Program is being developed as an 'open' multi-platform
| security solution. The intent is to provide a port to as many different
| systems as is possible given the time and resource constraints. In the
| workstation environment, a customer typically will have many varieties of
| hardware/software in their network. Interoperability is a key requirement
| for any security solution. This release of the Network Security Program will
| address the AIX/6000, OS/2, DOS, DOS/Windows, SUN and HP platforms.
|
| Network Security Program is developed with a user-friendly Graphical User
| Interface (GUI). The security mechanisms residing below the Application
| Programming Interface (API) are transparent to the client. At the
| Authentication Server, there is also an administration interface. Industry
| standards are supported to provide as seamless a transition among all
| platforms as possible; MOTIF standards for AIX/6000 and CUA91 standards for
| OS/2 and DOS.
|
| RISC System/6000* POWERstation*. The client code shipped with the Network
| Security Program runs on the following workstations: OS/2, DOS/Windows,
| AIX/6000, SUN, and HP. The minimum machine requirements are:
|
| o DOS Workstation
|   Approximately 400KB of free disk space is required for the Network
|   Security Program. If the Network Security Program software is installed
|
| o SUN Workstation
|   - A SUN microsystem spark [sic] station running Solaris 1.1 or later.

(Most UNIX systems req. 5 MB disk, 8 MB RAM. Seems that Solaris 2 is not later enough to count as 'Solaris 1.1 or later'; it was not listed as a supported OS.)

--
Adam Shostack                                        adam@bwh.harvard.edu
Politics. From the Greek "poly," meaning many, and ticks, a small, annoying bloodsucker.
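The excerpt above credits KryptoKnight with two properties worth seeing in code: compact tokens, and freshness that does not depend on synchronized clocks. The following Python sketch is an added illustration of that general idea, not KryptoKnight's, Kerberos's or Network Security Program's actual wire protocol (the announcement gives no message formats). Two principals obtain a session key from a third-party authentication server; each token the server issues binds the recipient's own freshly chosen nonce under an HMAC-SHA256 MAC, so a token replayed into a later run is rejected without any clock. The principal names, the 8-byte MAC truncation, the HMAC-derived keystream used to mask the session key and the five-message layout are this example's own assumptions.

```python
"""Nonce-based key distribution through a third-party authentication
server (added illustration; not the KryptoKnight or Kerberos protocol).

Principals A and B each share a long-term key with server S.  S mints a
session key Kab and hands each party a compact token: Kab masked under a
keystream derived from that party's long-term key and *its own* fresh
nonce, plus a truncated MAC binding both principal names, the nonce and
the masked key.  Freshness rests on nonces, not on synchronized clocks:
a token replayed from an earlier run fails the MAC check because the
recipient's current nonce differs.  HMAC-SHA256 is used for both the
keystream and the MACs; the message layout is this example's own.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 16   # session-key bytes
MAC_LEN = 8    # truncated MAC carried in each token (keeps tokens small)

# Constructed demo long-term keys; a real deployment provisions these out of band.
DEMO_KEYS = {
    b"alice": hashlib.sha256(b"demo-key-alice").digest(),
    b"bob":   hashlib.sha256(b"demo-key-bob").digest(),
}


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so (a, b) and (ab,) differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def mask_key(long_key: bytes, nonce: bytes, peer: bytes, kab: bytes) -> bytes:
    """XOR Kab with a keystream tied to a nonce used once; the same call unmasks."""
    stream = prf(long_key, b"mask", nonce, peer)[:KEY_LEN]
    return bytes(x ^ y for x, y in zip(kab, stream))


def make_token(long_key, me, peer, nonce, kab):
    """Token for `me`: masked Kab || MAC(me, peer, me's nonce, masked Kab)."""
    masked = mask_key(long_key, nonce, peer, kab)
    tag = prf(long_key, b"token", me, peer, nonce, masked)[:MAC_LEN]
    return masked + tag


def open_token(long_key, me, peer, nonce, token):
    """Check the token against the nonce *this* principal chose; Kab or None."""
    masked, tag = token[:KEY_LEN], token[KEY_LEN:]
    expect = prf(long_key, b"token", me, peer, nonce, masked)[:MAC_LEN]
    if len(tag) != MAC_LEN or not hmac.compare_digest(tag, expect):
        return None
    return mask_key(long_key, nonce, peer, masked)


def server_issue(keys, a, b, na, nb):
    """S's only job: pick Kab and return (token for A, token for B)."""
    kab = secrets.token_bytes(KEY_LEN)
    return make_token(keys[a], a, b, na, kab), make_token(keys[b], b, a, nb, kab)


def run_exchange(keys, a, b):
    """Full run between a and b.  Returns (kab_at_a, kab_at_b, tok_a, na)."""
    na = secrets.token_bytes(8)                        # 1. A -> B : A, Na
    nb = secrets.token_bytes(8)                        # 2. B -> S : A, B, Na, Nb
    tok_a, tok_b = server_issue(keys, a, b, na, nb)    # 3. S -> B : tok_a, tok_b
    kab_b = open_token(keys[b], b, a, nb, tok_b)
    if kab_b is None:
        return None, None, tok_a, na
    conf_b = prf(kab_b, b"confirm", na)                # 4. B -> A : tok_a, Nb, MAC_Kab(Na)
    kab_a = open_token(keys[a], a, b, na, tok_a)
    if kab_a is None or not hmac.compare_digest(conf_b, prf(kab_a, b"confirm", na)):
        return None, kab_b, tok_a, na
    conf_a = prf(kab_a, b"confirm", nb)                # 5. A -> B : MAC_Kab(Nb)
    if not hmac.compare_digest(conf_a, prf(kab_b, b"confirm", nb)):
        return kab_a, None, tok_a, na
    return kab_a, kab_b, tok_a, na


def demo():
    """An honest run agrees on Kab; replaying that run's token into a fresh
    run is rejected because A's new nonce is not the one S bound into it."""
    kab_a, kab_b, old_tok_a, old_na = run_exchange(DEMO_KEYS, b"alice", b"bob")
    new_na = secrets.token_bytes(8)
    replay = open_token(DEMO_KEYS[b"alice"], b"alice", b"bob", new_na, old_tok_a)
    # A bit flip in the masked key also fails the MAC, so it cannot steer Kab.
    flipped = bytes([old_tok_a[0] ^ 1]) + old_tok_a[1:]
    tampered = open_token(DEMO_KEYS[b"alice"], b"alice", b"bob", old_na, flipped)
    return {
        "keys_match": kab_a is not None and kab_a == kab_b,
        "token_len": len(old_tok_a),
        "replay_rejected": replay is None,
        "tamper_rejected": tampered is None,
    }


if __name__ == "__main__":
    print(demo())
```

Each token is 24 bytes (16 masked key bytes plus an 8-byte tag), which is the kind of footprint that lets an authentication exchange ride inside lower-layer protocol headers. The replay check in `demo()` is the point of the nonce design: the verifier never consults a clock, it simply refuses any token whose MAC was not computed over the nonce it just chose.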