Secure Telnet

Graduation Thesis written by Asgaut Eng

The Norwegian Institute of Technology

Abstract:

This thesis proposes standards for authentication, encryption and integrity of Telnet connections. An existing standard for authentication is extended with a new method based on the popular e-mail encryption program, PGP.

New solutions are proposed for implementing encryption and integrity checks. These are ``open'' standards, which use negotiation between the Telnet client and server to select a specific type of encryption or integrity check. New encryption and integrity types can easily be added.

All solutions use the common Telnet option-code scheme, and are intended to be simple to implement in existing Telnet applications.

• Contents
• List of Figures
• Introduction
• Background
  • The Telnet Protocol
    • The Network Virtual Terminal
    • The Principle of Negotiated Options
    • Documenting Telnet options
    • Examples of option code negotiations
  • Passive attacks
  • Active attacks
  • IDEA
  • Block cipher modes
    • Electronic codebook mode
    • Cipher block chaining
    • Cipher feedback mode
  • RSA
    • Description of the RSA algorithm
  • Cryptographic hash functions
  • PGP
    • Basic principles of operation
    • The Web of Trust
    • Multi-precision integers
  • Generation of random numbers
    • Introduction
    • Fundamental information theory
    • Recommended random number sources
  • RFC 1416 - Telnet authentication option
    • Definitions
    • Use of the option
• Proposed design
  • Environment model
  • Security policy
  • Authentication option
    • Why use PGP?
    • Design goals
    • PGP authentication scheme
      • Authentication information
      • Format of the ``challenge''
      • Selecting encryption keys
    • Command name and codes
    • Sub-option command meanings
    • Example
  • Encryption option
    • Design goals
    • Placement in the protocol model
    • Selecting an encryption algorithm
    • Modified CFB mode
    • Command name and codes
    • Command meanings and usage
    • Example
  • Integrity option
    • Design goals
    • The integrity information
    • Placement in the protocol model
    • Generating the integrity information
      • Integrity type: 32-bit CRC and IDEA in modified CFB mode
    • Command name and codes
    • Command meanings and usage
    • Implementation rules
  • The test implementation
    • The framework
    • The PGP authentication implementation
    • Testing
• Discussion and recommendations
  • Authentication option
    • Key management
    • Session key exchange
    • Security considerations
  • Encryption option
    • Security considerations
  • Integrity option
  • System complexity issues
• Conclusion
• Authentication draft
• References
• About this document ...