Return to BSD News archive
Newsgroups: comp.unix.bsd.freebsd.misc,sci.crypt Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!nntp.coast.net!news.sgi.com!enews.sgi.com!news.mathworks.com!newsfeed.internetmci.com!in1.uu.net!quack!quack.kfu.com!nsayer From: nsayer@quack.kfu.com (Nick Sayer) Subject: FreeBSD SRA & IDEA Telnet patch Message-ID: <nzUwgOa@quack.kfu.com> Sender: news@quack.kfu.com (0000-News(0000)) Organization: The Duck Pond public unix, +1 408 249 9630, log in as guest. Date: Thu, 19 Sep 1996 23:52:23 UTC Lines: 41 Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:27568 sci.crypt:49804 After long and turbulent testing, I believe I have SRA & IDEA working rather well. ftp://ftp.kfu.com/pub/sra-idea.tgz is a set of files and a patch to add SRA & IDEA to the FreeBSD 2.x (tested on 2.2-960801-SNAP) telnet/telnetd/libtelnet. It should be reasonably easy to add this to any other Telnet suite that has the Kerberos stuff (like what comes with FreeBSD's secure dist). I was able to shoehorn this code into an SRA Telnet source dist on a Sun in order to test it cross-endian. Since there's encryption code in there, it would be best if folks outside North America didn't get this until/unless our government gets a clue. One caveat: I have not hacked kerberos to have it set up an IDEA key at the same time that it sets up the DES_[CO]FB64 key. This shouldn't be hard for someone using Kerberos instead of SRA to add. Also, if you're on a big endian machine, be sure to add -DHIGHFIRST, or the idea code (stolen from PGP) won't work (well, it will work, but it won't interoperate well). To recap, SRA is an authentication method invented by Dave Safford when he was at Texas A&M. It is based loosely on Secure RPC and does not require any key management. It is the world's easiest authentication/encryption scheme since using it is no different than using ordinary telnet, yet provides strong enough encryption that sniffers would be hard pressed indeed to get you (it is, however, vulnerable to monkey-in-the-middle. Being the monkey between two arbitrary Internet sites is far, far more complicated and unlikely than someone just sniffing, though). SRA is only an authentication mechanism, but as a side effect, it can generate a common DES or IDEA encryption key to be used by the appropriate encryption modules. After all, what's the point of performing encrypted authentication if someone can watch you use 'su'? -- Nick Sayer <nsayer@quack.kfu.com> | "[The Democrats] turned the N6QQQ @ N0ARY.#NORCAL.CA.USA.NOAM | safety net into a hammock." +1 408 249 9630, log in as 'guest' | URL: http://www.kfu.com/~nsayer/ | -- Phil Graham