From a discussion of Powertalk in TidBITS#195/27-Sep-93, an online zine

published by "Adam C. Engst" <ace@tidbits.com>: ------------------- forward --------------------------------------- Key Chain The Key Chain is the third new Desktop icon and perhaps the most important PowerTalk feature. It provides quick, transparent access to any number of password-protected servers or services through a single system-wide logon password. All applications and services are integrated with a single security model. For every service, the user creates a key. Each key has account information, communications settings (such as. modem settings, addresses, and system identifiers), and an encrypted password. After this one- time setup, the user attaches the key to the Key Chain and can forget the password. From now on, the system will automatically and transparently connect to the protected service when needed. Apple feels that this mechanism is especially secure since a user will find it easier to remember a single, frequently-used password and will be less likely to write down a list of passwords. At any time, you can lock the Key Chain by issuing a command or through an inactivity time-out. When the Key Chain locks, all windows containing information from protected services are hidden. Apple claims that PowerTalk is more secure than most other off- the-shelf software solutions since those use less secure algorithms to avoid export restrictions. Apple is the first company to receive an export license for a DES-based product. A new "I am at..." menu item (e.g. Home, Office, Car, Hotel) lets the system know which services are accessible and automatically resets communications settings for Ethernet, modem connection, packet radio, etc. so the system can continue to transparently establish connections over available media. A PowerTalk server can act as a trusted party in establishing authenticated communications across the net. Network traffic is encrypted with the RC4 algorithm of RSA and delivered via ASDSP (Apple Secure Datastream Protocol). ASDSP adds only about ten percent to the communication overhead. At least in the initial release, peer-to-peer traffic cannot be encrypted. [Sorry for all the acronyms! RSA is a company. -Tonya] Digital signatures, based on RSA Public Key Encryption, provide a secure way of ensuring data has not been altered and was signed by a particular person. The mechanism is similar to Kerberos [a security system developed at MIT -Adam], which was not mature enough at the critical point in PowerTalk development. Apple anticipates supporting Kerberos in a future PowerTalk release. To sign a document, simply drops it on a Signer icon. A prompt for the personal signer code then appears on the screen. If the content of the signed document later changes in any way, the signature becomes invalid. While being signed, a file automatically is locked to avoid inadvertent invalidation. The Get Info window of a signed file is used to uncheck the file lock, and it contains a Verify button with which the recipient can assert the integrity of the file and authenticity of its signature. Large companies can become trusted signature issuing agents for their employees by obtaining a titanium blackbox with key interlocks from RSA. The box contains a certain number of key combinations and can be connected to a Macintosh which runs an RSA-signed signature issuing application. Individuals can acquire a personal signature code through a notary. RSA always is at the root of the issuing process and signatures expire after two years. The issuing cost of a digital signature runs about $25. One limitation of the signature mechanism, at least in the initial implementation, is that only one signature can be attached to a document. This may be worked around by designing forms such that each signatory vouches for the authenticity of the previous sender's signature. For an APS price list, send email to: <aps-prices@tidbits.com> For information on TidBITS: how to subscribe to our mailing list, where to find back issues, how to search issues on the Internet's WAIS, and other useful stuff, send email to: <info@tidbits.com> Otherwise, contact us at: ace@tidbits.com * CIS: 72511,306 AppleLink & BIX: TidBITS * AOL: Adam Engst * Delphi: Adam_Engst TidBITS * 1106 North 31st Street * Renton, WA 98056 USA ----------------------------------------------------------------