Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!spool.mu.edu!uwm.edu!nntp.primenet.com!arclight.uoregon.edu!news.sprintlink.net!news-peer.sprintlink.net!newsfeed.internetmci.com!in2.uu.net!bonkers!not-for-mail
From: skrenta@incog.com (Rich Skrenta)
Newsgroups: comp.unix.bsd.freebsd.announce
Subject: SKIP IP-layer encryption source release 1.0
Date: 25 Oct 1996 18:22:01 -0500
Organization: Sun Microsystems, Internet Commerce Group
Lines: 263
Sender: daemon@taronga.com
Approved: peter@taronga.com
Message-ID: <54ri2p$t1n@bonkers.taronga.com>
NNTP-Posting-Host: localhost.taronga.com
Sun Microsystems is pleased to announce a new release of the source to
the reference SKIP IP-layer encryption package. SKIP allows all network
traffic to be encrypted at the packet layer; applications don't need
to be modified to take advantage of encryption.
The package is available from http://skip.incog.com/
Due to US export law, only US citizens may download this software.
Sorry. :-(
Here is the readme from the release:
1.0 Release of SKIP Reference Source for SunOS 4.1.3 and FreeBSD
-----------------------------------------------------------------
Overview and Release Notes
This represents an official source release of the SKIP software. Two
Alphas and two Betas have preceded this - but this is it - 1.0 Both
new users and alpha/beta users should read this README for details on
features. If you're impatient, at least read the Release notes section
of this file. If you're REALLY impatient, the file BUILD describes how to
build this release and the file INSTALL gives a quickstart
installation guide. This document contains release features and notes.
Overview
--------
SKIP is a Key-management protocol for IP based protocols. It is an
acronym for Simple Key-management for Internet Protocols. The SKIP
protocol specification is available at http://skip.incog.com.
>From this public domain source release, you can build a fully
functional IP-layer encryption package which supports DES,
Triple-DES and SAFER for SunOS 4.1.3 and FreeBSD 2.1.0, FreeBSD 2.1.5.
This means that every IP networked application can have it's network
traffic encrypted - without modification. Unlike application level
encryption packages, this package encrypts IP packets. Thus, applications
do not need to be recompiled or modified to take advantage of
encryption. The package does not require you to replace the IP stack
on your machine. In fact, it does not require any kernel
modifications.
The SKIP source is possible through the efforts of engineers in Sun
Microsystems Internet Commerce Group. The developers and designers
are Ashar Aziz, Tom Markson, Martin Patterson, Hemma Prafullchandra,
Joseph Reveane, and Rich Skrenta. Linda Cavanaugh and Betty Wenzel
worked on the documentation.
We have developed and tested this release. We believe it is both well
architected and robust. However, like any major software release, this
one will contain its share of bugs. Even though this is an unsupported
software release, we are always interested in bug reports, fixes,
suggestions and comments. We are also interested in ports to other
operating systems. To contact the development team, send mail to
freeskip@incog.com.
A legal warning: Because this package contains strong encryption, the
Software must not be transferred to persons who are not US citizens or
permanent residents of the US, or exported outside the US (except
Canada) in any form (including by electronic transmission) without
prior written approval from the US Government. Non-compliance with
these restrictions constitutes a violation of the U.S. Export Control
Laws.
This source release may be used for both commercial and noncommercial
purposes, subject to the restrictions described in the software and
patent license statements.
Furthermore, Sun Microsystems has licensed the Stanford public key patents
from Cylink Corp. which are available to users of this package on a royalty
free basis. The patent statement is in README.PATENT. Be sure to read this,
as it contains some restrictions and other important information.
Also included in this release is a high speed Big Number package written
by Colin Plumb. bnlib/legal.c contains Colin's software license statement.
The documentation in this release is minimal, but we think it is
sufficient. We've all been so busy coding, we've hardly had time to
really document the system and it's interfaces. This document gives an
overview of the release. BUILD contains instruction on how to build
this release. INSTALL explains how to INSTALL the package once it's
been built.
There are ROADMAP files in most directories to explain the contents of that
directory, and man pages are available on major topics. The User's Guide
(provided in various formats) provides in-depth instructions on
installation and use (specifically of the GUI).
This is *must* reading. The advanced.TOPICS file in this directory
covers some advanced SKIP topics with regards to keying. In the worst
case, "use the source, Luke."
For a general description of SKIP and it's implementation, we have
included a paper which was presented at INET'95. This paper gives
an overview of SKIP and discusses the architecture of the SKIP software.
While this paper discusses an older version of SKIP, the section on
SKIP architecture provides a good overview as to the design of the system
and the pieces. The paper specifically discusses the Solaris 2
implementation, but much of it will also pertain to this release.
Features of this release
------------------------
o Support for SunOS 4.1.3 and FreeBSD2.1.0, FreebSD 2.1.5
o SKIP V2 compliant implementation using ESP and AH encapsulation.
o Support for Authentication using keyed-MD5.
o Support for DES, 3DES, and SAFER 128SK for traffic and key
encryption.
o Support for nomadic users
o Support for multiple local identities with different sets of
parameters.
o Support for multiple CA (Certificate Authority) certificates.
o Transport mode is supported.
o New Certificate Discovery protocol.
o Highly configurable key manager.
o Support for RAW AH and ESP protocols.
o Diffie-Hellman Public Key Agreement based system.
o Full Support for manual establishment of master keys.
o Support for multiple NSIDs and multiple local certificates.
o GUI tool for user friendly manipulation of access control lists
and key statistics.
o Command line tools for manipulating access control lists, etc.
o Implementation of the Certificate Discovery protocol fully
integrated into SKIP.
o Implementation of X.509 public key certificates.
o Implementation of DSA signature algorithm for certificate
signatures.
o Implementation for MD2, MD5 and SHA message digest algorithms.
o Implementation of ASN.1 DER encoding/decoding.
o SunScreen(tm) SKIP compatibility mode.
o Implementation of hashed public keys as defined in the SKIP
draft. Implementation of programs to generate hashed public
keys, to convert X.509 Certificates to hashed
keys and print both X.509 and Hashed certificates.
o High performance Big Number library for Diffie-Hellman
calculations.
o Implementation is effectively "public domain" and may be used both
commercially and non-commercially.
o Patent Agreement with Cylink allows royalty-free use of the
Diffie-Hellman and other Stanford patents with this package for
commercial and non-commercial use. Read README.PATENT for
some restrictions.
o Inclusion of prime generation program used to generate the
primes in SKIP draft.
Release Notes
-------------
Here are the release notes for this 1.0 release of the SKIP source.
o This release is the Official 1.0 release of SKIP source.
Areas of change since beta2.3 include:
o Addition of tunnel address CDP target
o Fixes to tunnel mode in skiptool
o GUI is smarter about dealing with Tunnel Addresses.
o MANY MANY bug fixes.
o A new command to manage ACLs is now provided
called skipif.
o The release should interoperate with the Beta 2.3 release
previously distributed over the net. This release will also
interoperate with the Sun Microsystems Sunscreen(TM) products
such as Sunscreen SKIP for Solaris, Sunscreen EFS and
Sunscreen SPF-100.
o The Beta2.3 release interoperated with multiple vendors using a
variety of algorithms. It interoperated with SKIP from Checkpoint,
Toshiba, and ETH SKIP (kitk0.ethz.ch) It was tested at the
SKIP developer's workshop in June 1996. However, the certificate
discovery protocol does not interoperate. We expect this release
will interoperate, as well.
o X.509 Certificates are supported, but only with DSA signatures.
If you need to use other signatures algorithms with X.509
certificates, you'll have to add them yourself. Note: Read
the Patent license statement carefully before adding additional
signature algorithms.
o The Certificate library cannot verify RSA signatures.
It will assume an RSA signed certificate is good without
verifying, but will print a warning on the console to this
effect. This "accept without verifying" behavior can be
turned off in certs/lib/Sig.C
o The system no longer supports only 1 local secret. A machine
may have multiple local identities it uses to talk to different
hosts (say a 512bit modulus host and a 1024 bit mode)
o This package does not currently compile or run on FreeBSD 2.2.
FreeBSD 2.2 is still work in progress and thus, is not
supported for this release. A cursory compile on FreeBSD 2.2
indicates a change in the loadable kernel interface that we
didn't have time to look into fully.
o The secret is kept in the clear. The file
/etc/skip/localid/?.secret contains your private key.
It is not encrypted. Protect it well.
o While this release is protocol compatible with the Sun
SunScreen SPF-100 product, the certificates are incompatible. If
you are a SunScreen SPF-100 customer and wish to use this with the
SunScreen, please contact Sun ICG at sunscreen@incog.com.
o The algorithm discovery message as defined in the SKIP draft has
not yet been implemented. This means that one host has no way
of telling another host which encryption algorithms it supports.
Encryption algorithms must be negotiated out of band.
o The certificate discovery protocol uses one port 1640 to receive
certificate requests. Data sent to this port is not encrypted.
o the skip_dump_certs, skip_init_certbase, skip_add_cert and
skip_del_cert no longer exist. They have been combined into
a database command called skipdb. There are now two additional
commands for managing local identities and CAs: skiplocal and
skipca. See the man pages for details.
o On-Disk storage of the secret cache is not implemented in this
release.
o Cookies for the Certificate discovery have not yet been
implemented.
o The max_certdb_size option in skipd.conf is not implemented.
o Nomadic support for sunscreen mode, although in the GUI and
skiphost commands, does not work at this time.
Running the SKIP Reference Implementation
-----------------------------------------
Please see the INSTALL file, the User's Guide or the online manual on
http://skip.incog.com for information on running this release. Please
note that the simple-case installations are documented in these manuals.
For information on Nomadic users, multihomed hosts, and naming issues
please read the advanced.TOPICS files.
Overview of the Source
----------------------
This source release consists of 4 major pieces:
1. The SKIP End-System. (skip/...)
2. The Certificate Library. (certs/...)
3. BigNum library. (bnlib/...)
4. The Berkeley Database library (libdb/)
The best way to explore the source is to use the ROADMAP files setup in
the directories. They try to explain what each file and directory below
them does.
--------------------------------------------
Special note on Primes used in the SKIP Draft
--------------------------------------------
The prime numbers specified in the SKIP draft for "p" were generated using
the BN package included in this release. To regenerate these primes yourself,
run the dhtest program located in bnlib/test directory. The file Gandhi
contains the seed used to generate the prime. To recreate these primes, do
something like this:
example% 4bin.sun4/dhtest `cat Gandhi`
Note: This product includes software developed by the University of
California, Berkeley and its contributors.