Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.sdsmt.edu!news.mid.net!mr.net!www.nntp.primenet.com!nntp.primenet.com!enews.sgi.com!news.sgi.com!nntp-hub2.barrnet.net!nntp-hub3.barrnet.net!mars.hyperk.com!darkstar!cmott
From: Charles Mott <cmott@srv.net>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: TCP Encryption
Date: Sat, 28 Sep 1996 18:12:56 -0600
Organization: SRVnet, Inc.
Lines: 29
Message-ID: <Pine.BSF.3.91.960928164946.15233A-100000@darkstar>
NNTP-Posting-Host: ras89.srv.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Sender: cmott@darkstar

A well known and worrisome aspect of two standard TCP applications, Telnet and FTP, is that usernames and passwords are sent in the clear, as well as the rest of the data stream in a given session. Ethernet listening software is increasingly available to less skilled users -- and malicious hackers are usually among this less skillful group.

Rather than using a Kerberos-like solution, which seems to me bulky and difficult to set up, an automatic encryption system embedded in TCP option header words seems a better long-term solution. When a TCP connection is opened with an initial SYN packet, a public key could be embedded in the optional words of the header. If the computer at the other end of the connection recognizes the encryption option, it could send back an ACK message with its own public key, and the rest of the two-way data stream could then be completely encrypted. If the encryption option is not recognized, a standard, unencrypted connection would be established.

I don't think the goal of such an encryption system should be to defeat the NSA or foreign intelligence agencies, but rather to defeat more numerous but marginally competent hackers (the computer equivalent of a radio scanner listener). In practice, even a breakable encryption system would greatly complicate any automatic intelligence gathering software embedded in backbone routers by the NSA or related spy agencies.

I think it would be interesting to try to develop a simple, efficient TCP encryption scheme as a FreeBSD extension. If it gains acceptance, other operating systems might also adopt it. I would be interested in hearing from others interested in working on such a project.

Charles Mott
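The following is an added example, not part of the original post and not code from Charles Mott or FreeBSD. It simulates the option-based handshake the post sketches: the client's SYN carries a public value in a TCP option, a server that recognises the option answers with its own value in the SYN-ACK, and both sides then encrypt the stream; a server that does not recognise the option skips it by length, as TCP requires, and the session falls back to cleartext. Everything specific here is an assumption for illustration: option kind 253 (from the experimental range) is a placeholder for the encryption option, a toy Diffie-Hellman exchange in the group modulo the Mersenne prime 2^127 - 1 stands in for the unspecified public-key scheme, and a SHA-256 counter keystream stands in for the stream cipher. The encoder also enforces the 40-byte TCP option limit, which is the practical constraint any design embedding key material in the header has to live with.

```python
"""Simulated TCP-option key exchange, added as an illustrative example.
Not the post's or FreeBSD's code; the option kind, group and cipher are
stand-ins chosen so the example runs on the standard library alone."""
import hashlib
import secrets

OPT_EOL, OPT_NOP = 0, 1
OPT_KIND_KEYX = 253        # assumed placeholder: an experimental option kind
MAX_OPTIONS_LEN = 40       # TCP header is at most 60 bytes, 20 of them fixed

# Toy group: the Mersenne prime 2**127 - 1, so a public value fits in 16 bytes
# and the whole option (kind, length, value) is 18 bytes, well under 40.
# Illustrative only; a real design would pick a vetted group.
P = (1 << 127) - 1
G = 3
KEY_BYTES = 16


def encode_options(opts):
    """Serialise (kind, value) pairs as TCP options, EOL-padded to 4 bytes."""
    out = bytearray()
    for kind, value in opts:
        if len(value) + 2 > 255:
            raise ValueError("option too long for the one-byte length field")
        out += bytes([kind, len(value) + 2]) + value
    while len(out) % 4:              # data offset counts 32-bit words
        out.append(OPT_EOL)
    if len(out) > MAX_OPTIONS_LEN:
        raise ValueError("options exceed the 40-byte TCP limit")
    return bytes(out)


def parse_options(data):
    """Return {kind: value}. Unknown kinds are skipped by their length, which
    is what lets an old stack ignore the option and fall back to cleartext."""
    found, i = {}, 0
    while i < len(data):
        kind = data[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        # Validate the length byte before trusting it to index the buffer.
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed option")
        length = data[i + 1]
        found[kind] = data[i + 2:i + length]
        i += length
    return found


def keypair():
    """Toy DH: private exponent and the public value as a 16-byte option payload."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(KEY_BYTES, "big")


def shared_key(priv, peer_pub, label):
    """Derive a per-direction key so the two directions never share a keystream."""
    secret = pow(int.from_bytes(peer_pub, "big"), priv, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big") + label).digest()


def xor_stream(key, data):
    """Counter-mode keystream from SHA-256; XOR is symmetric, so it decrypts too."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def handshake(server_supports_option):
    """SYN with the client's public value; SYN-ACK with the server's value only
    if the server recognises the option. Returns the client-to-server key as
    seen by each side, or (None, None) on the cleartext fallback."""
    c_priv, c_pub = keypair()
    syn_opts = encode_options([(OPT_KIND_KEYX, c_pub)])
    seen = parse_options(syn_opts)                 # server parses the SYN
    if server_supports_option and OPT_KIND_KEYX in seen:
        s_priv, s_pub = keypair()
        synack_opts = encode_options([(OPT_KIND_KEYX, s_pub)])
        server_key = shared_key(s_priv, seen[OPT_KIND_KEYX], b"c2s")
    else:
        synack_opts, server_key = encode_options([]), None
    reply = parse_options(synack_opts)             # client parses the SYN-ACK
    if OPT_KIND_KEYX not in reply:
        return None, None
    return shared_key(c_priv, reply[OPT_KIND_KEYX], b"c2s"), server_key


def send_session(server_supports_option, plaintext):
    """Return (encrypted?, bytes on the wire, bytes recovered by the server)."""
    client_key, server_key = handshake(server_supports_option)
    if client_key is None:
        return False, plaintext, plaintext         # standard unencrypted session
    wire = xor_stream(client_key, plaintext)
    return True, wire, xor_stream(server_key, wire)


if __name__ == "__main__":
    for supported in (True, False):
        enc, wire, got = send_session(supported, b"login: alice")  # constructed
        print(supported, enc, wire, got)
```

Two points the simulation makes concrete. First, the option space decides the key size: an 18-byte option fits, but anything past 38 bytes of key material, or a stack that already uses MSS, window-scale and timestamp options, leaves no room, so a scheme like this has to negotiate a small public value or move the bulk of the exchange out of the header. Second, the exchange is unauthenticated and the keystream carries no integrity check: it defeats a passive Ethernet listener, which is the threat the post scopes itself to, but an active party that can rewrite the SYN and SYN-ACK could substitute its own values, so the design should be judged against that scoped goal and nothing stronger.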