Spread encryption with telnet?
The current furor over people with password sniffers on the Internet made me think of another possible option for spreading the use of encryption on the net. As everybody knows, the problem is with the passing of plaintext passwords over the net. Get rid of these passwords, and the crackers have to go back to the other 99999 ways of breaking into machines.

It couldn't be very hard to grab a version of telnet and telnetd off the net and hack in some sort of encryption of the data stream. Heck, you could just use the vendor's DES library on systems that have it -- perhaps not the most aesthetic solution, but easy. Put in a negotiation option so that encryption will be used when both ends support it, and you have instant plug-in relatively secure telnet. As a bonus, you get your whole session encrypted, not just the password. It seems like it could be much easier to install than, say, kerberos, and offer more security.

I would guess that if you made something like this available and EASY, that lots of people would install it on their machines. Folks are a little nervous right now, and a sniff-proof telnet might make them feel better.

If I made a telnet that simply hooked into a vendor's encryption library, with no internal encryption code, would I have ITAR problems still? That may be moot, since any vendor encryption library almost certainly will not address the problem of coming up with a session key, so probably some sort of key exchange protocol would have to be put in.

Overall, this seems easy and useful enough that I'm amazed that nobody has done it yet. Have I missed something?

jon
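The negotiation proposed in the first post, sketched as an added example (not code from the thread or from any telnet implementation). It uses the standard telnet WILL/DO/DONT option commands and assumes option code 38, the value RFC 2946 later assigned to ENCRYPT (the post names none); `Endpoint`, `negotiate` and the `require` switch are hypothetical names, the last one for callers that refuse to continue in plaintext when the peer declines.

```python
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
ENCRYPT = 38  # assumption: code later assigned by RFC 2946; the post names none

def parse_commands(data: bytes):
    """Split a telnet byte stream into 3-byte option commands and session data."""
    cmds, payload, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            payload.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            payload.append(IAC)          # IAC IAC is an escaped literal 0xFF
            i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmds.append((data[i + 1], data[i + 2]))
            i += 3
        else:
            raise ValueError("truncated or unsupported IAC sequence")
    return cmds, bytes(payload)

class Endpoint:
    def __init__(self, supports_encrypt: bool):
        self.supports_encrypt = supports_encrypt
        self.encrypting = False

    def offer(self) -> bytes:
        """Announce willingness to encrypt; an old client sends nothing."""
        return bytes([IAC, WILL, ENCRYPT]) if self.supports_encrypt else b""

    def handle(self, data: bytes) -> bytes:
        """Process the peer's option commands and return our replies."""
        reply = bytearray()
        for verb, opt in parse_commands(data)[0]:
            ours = opt == ENCRYPT and self.supports_encrypt
            if verb == WILL:             # peer offers: accept only what we support
                reply += bytes([IAC, DO if ours else DONT, opt])
                self.encrypting = self.encrypting or ours
            elif verb == DO and ours:    # peer accepted our offer
                self.encrypting = True
            elif verb == DONT and opt == ENCRYPT:
                self.encrypting = False  # peer refused: session stays plaintext
        return bytes(reply)

def negotiate(client: Endpoint, server: Endpoint, require: bool = False) -> bool:
    # One round trip: client offer -> server answer -> client records the answer.
    client.handle(server.handle(client.offer()))
    on = client.encrypting and server.encrypting
    if require and not on:
        raise ConnectionError("peer did not agree to ENCRYPT; refusing plaintext")
    return on
```

With `require` left off, a peer that lacks the option simply answers DONT and the session continues unencrypted, which is the "when both ends support it" behaviour the post describes.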
Earlier, Jonathan Corbet wrote:
> It couldn't be very hard to grab a version of telnet and telnetd off the net and hack in some sort of encryption of the data stream. Heck, you could just use the vendor's DES library on systems that have it -- perhaps not the most aesthetic solution, but easy. Put in a negotiation option so that encryption will be used when both ends support it, and you have instant plug-in relatively secure telnet.
>
> Overall, this seems easy and useful enough that I'm amazed that nobody has done it yet. Have I missed something?
Although not widely known, a telnet and telnetd combination of this form was constructed by Laurie Brown at ADFA during his development of the LOKI cipher. Draft IETF proposals were also written towards the goal of these extended telnet options and the negotiation procedure becoming a standard.

In practice, it worked fine. One drawback was it required DES/LOKI keys to be pregenerated and stored online in an analog of /etc/passwd that the hyper-telnetd would use. The user needed to enter a password on the telnet before the session started, and as for how the negotiation procedures worked, I have absolutely no idea. This was some 2 years ago now and not only are my recollections vague, but at the time I was a 'cryptovirgin' and hence wouldn't know one key exchange from another.

As for availability of this software, I don't think it was made a public release (I obtained it through 'other' channels that I would prefer not to elaborate on -- and it was lost during 'cleansing'). I suggest getting in contact with Laurie Brown at Melbourne University, I believe that's his current abode. I think I will forward him a note, to satisfy my own sense of curiosity.

Matthew.

footnote: The Australian Defence Force Academy (ADFA) is well known for its cryptographic school (take a look at AUSCRYPT proceedings). It's a stepping stone to the Defense Signals Directorate (DSD), our analog of the NSA, though not _nearly_ as big (they do share SIGINT info via the UKUSA agreement though). Anyway, since just recently, the DSD is housed a stone's throw from ADFA, which makes for interesting liaisons.

--
Matthew Gream. ph: (02)-821-2043. M.Gream@uts.edu.au.
PGPMail and brown paperbags accepted. - Non Servatum -
participants (3): Jonathan Corbet, mgream@acacia.itd.uts.edu.au, Perry E. Metzger