From: "Jordan K. Hubbard"
To: security@freebsd.org
Subject: I wonder how much trouble something like this would be to do? :)
Date: Fri, 24 Nov 1995 06:40:17 -0800
Message-ID: <1867.817224017@time.cdrom.com>

Someone sent me this. It sounds like "one of those really simple engineering ideas that marketing got ahold of and hyped the heck outta" but still - I can think of more than a few MIS managers who'd just eat this up.

Jordan

----

UG565-07 DEC'S SECURE INTERNET ROUTE

Tunneling - transporting data from one point to another encapsulated in wrapper packets - is a networking technique that's been around for some years. Claiming to have its neck ahead of the pack, Digital Equipment Corp says its Internet Tunnel has extended this capability to provide encryption and authentication technologies for the Internet, enabling corporate data to be transmitted securely over the net (UX No 562). Digital Internet Tunnel uses a regular Internet Protocol (IP) jacket, encrypted and encapsulated inside a TCP/IP packet. The source and destination IP applications work as normal, but data on the network between the two tunnel servers appears scrambled. When a client wants to initiate a connection with an Internet Group Tunnel server, a connection request is sent over the network.
The connection request message contains an identification message that is encrypted by the client with the server's public key, and then decrypted by the server with its own private key. The server's database contains a list of clients that are authorised to establish tunnels. If and when the request has been granted, the tunnel server sends a response encrypted using the client's public key, which is then decrypted by the client using its private key. After the authentication session, the two parties exchange portions of a session key, which are then combined to form a secret session key. DEC uses the encryption technology devised by Rivest, Shamir and Adleman, known as RSA. Versions for the US and Canada use a 128-bit RC4 key; international versions (because of US government restrictions) use a 40-bit version only. The session key is changed periodically to enhance security.

The tunnel comes in two flavours, the Group tunnel and the Personal tunnel. The Group tunnel software runs on Digital Unix, with a SLIP (Serial Line Internet Protocol), PPP (Point to Point Protocol), Ethernet or FDDI (Fibre Distributed Data Interface) connection. It manages the construction and operation of tunnels from other tunnel servers. Performance is based on system configuration and end-to-end network throughput; DEC claims to support up to 512 tunnel connections. The authentication key generation and management software is included with the Tunnel product.

Personal Tunnel software installed on a PC must have Windows 95 TCP/IP software active, be connected to a network with connectivity, and use a valid IP address for the local subnet. Personal Tunnel includes a Win32 Windows-based application to enable the request, operation and management of an encrypted tunnel. The Internet Tunnel is meant to complement firewall products, and unlike other tunnel products is said to be firewall-independent.
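The handshake the article describes, walked through as an added example that is not DEC's code: textbook RSA with tiny constructed primes stands in for the real keys so the message flow is visible (it offers no security), the 128-bit key length is the article's, and combining the two key portions by hashing them together is an assumption. Requires Python 3.8+ for the modular inverse via pow().

```python
# Added example (not DEC's code): toy model of the Internet Tunnel handshake.
# Textbook RSA with tiny constructed primes; illustration only, not secure.
import hashlib

def rsa_keygen(p, q, e=17):
    """Textbook RSA: returns public (e, n) and private (d, n). Toy primes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_encrypt(pub, data: bytes):
    e, n = pub
    return [pow(b, e, n) for b in data]          # one block per byte (byte < n)

def rsa_decrypt(priv, blocks):
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)

SERVER_PUB, SERVER_PRIV = rsa_keygen(61, 53)      # constructed server key pair
CLIENT_PUB, CLIENT_PRIV = rsa_keygen(67, 71)      # constructed client key pair
AUTHORISED = {b"client-42": CLIENT_PUB}           # server's database of allowed clients

def combine(server_share, client_share):
    """Assumed combiner: both portions hashed down to a 128-bit RC4 key."""
    return hashlib.sha256(server_share + client_share).digest()[:16]

def tunnel_handshake(client_id, client_share, server_share):
    """Returns (server's session key, client's session key), or None if refused."""
    # 1. Client: identification message encrypted with the server's public key.
    request = rsa_encrypt(SERVER_PUB, client_id)
    # 2. Server: decrypt with its private key and look the client up.
    who = rsa_decrypt(SERVER_PRIV, request)
    client_pub = AUTHORISED.get(who)
    if client_pub is None:
        return None                               # not authorised: no tunnel
    # 3. Server: grant encrypted with the client's public key; only the holder
    #    of the client's private key can read it.
    grant = rsa_decrypt(CLIENT_PRIV, rsa_encrypt(client_pub, b"GRANTED"))
    if grant != b"GRANTED":
        return None
    # 4. Each side sends its portion of the session key under the peer's public
    #    key; each then combines the two portions into the secret session key.
    s_share_at_client = rsa_decrypt(CLIENT_PRIV, rsa_encrypt(client_pub, server_share))
    c_share_at_server = rsa_decrypt(SERVER_PRIV, rsa_encrypt(SERVER_PUB, client_share))
    server_key = combine(server_share, c_share_at_server)
    client_key = combine(s_share_at_client, client_share)
    return server_key, client_key
```

Both sides end with the same 16-byte key without it ever crossing the network in the clear; in the real product the shares would be fresh random values and the exchange repeated when the key is periodically changed.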
DEC reckons its tunneling technology differs from that of router and firewall vendors because it offers connections from home or mobiles to the corporate network, whereas routers only provide a single private data circuit and do not support end-to-end or trans-Internet privacy. Firewall tunneling products require the use of their tunnels at both ends, since interoperability standards don't exist, says the company. DEC says its approach also wins out over Netscape's SSL (Secure Sockets Layer) protocol, which also uses RSA encryption, because it's used at a different level of the IP stack. SSL encrypts information for applications, while tunnels establish a link for all connections between two networks. With Netscape, applications that need to encrypt a specific session, such as Web browsers, Telnet or FTP, must be modified to request an encrypted link. In contrast, Digital Internet Tunnel applications are not modified, it says, and all the traffic between the tunnels is encrypted. The international version is due next month. Prices start at $10,000 on Digital Unix, which comes with DEC's own Firewall Unix, and $3,600 on PCs.