*BSD News Article 77584


Return to BSD News archive

Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!nntp.coast.net!news.dacom.co.kr!vyzynz!nielsen!nebo.vii.com!xmission!charnel.ecst.csuchico.edu!psgrain!quack!quack.kfu.com!nsayer
From: nsayer@quack.kfu.com (Nick Sayer)
Subject: Re: more telnet encryption
Message-ID: <nyHpc9b@quack.kfu.com>
Sender: news@quack.kfu.com (0000-News(0000))
Supersedes: <nyFP3r2@quack.kfu.com>
Organization: The Duck Pond public unix, +1 408 249 9630, log in as guest.
References: <nyFP3r2@quack.kfu.com>
Date: Fri, 6 Sep 1996 06:52:47 UTC
Lines: 78

ARGH!!!!

nsayer@quack.kfu.com (Nick Sayer) writes:

>Stop me before I code again!

>Well, steal, more like.

>I took idea.[ch] from pgp and put together support for IDEA
>as an encryption method for Telnet. I can't post this because
>it contains encryption, but I _will_ post the hookup code
>and directions:

>Apply the patch below. It will muck around in
>/usr/src/secure/lib/libtelnet, fiddle /usr/src/include/arpa/telnet.h
>a little and finally leave a file called idea.pat in the current
>directory.

>Go get the source to pgp. copy idea.c and idea.h to
>/usr/src/secure/lib/libtelnet.

>Apply the patch in idea.pat to the idea files from pgp. It just
>comments out some random number stuff that isn't needed.

>make clean all install in /usr/src/secure/libtelnet.

>There! You can use the command 'encrypt type idea' from a telnet
>prompt and you'll be using IDEA in a CFB mode to encrypt your
>session!

>problems:

0. The code in the patch I posted was broken to a pretty significant
degree.

0a. The fix is that if start() is called before the session key
is established, the establishment of the session key has to "kick"
the other end into calling either is() or reply(). This is done
by sending a dummy is to the other side. There seems to be no other
way to do this. Feh.

>1. IDEA is covered by a yucky patent, aparently.

>2. I haven't fiddled SRA to use the expanded keyspace offered by
>IDEA. Coming soon

Done. Had to hack pk.c a bit to do it. The _way_ I did it was...
perhaps non-optimal. It implies that if more ciphers are added,
common_key() will get more and more arguments. Fnord.

I have not hacked kerberos to call encrypt_session_key() with a
SK_IDEA key. IDEA won't work with non-SRA authentications until
this is done.

>3. A couple of XXX sections in enc_idea.c

>4. It appears that the default encryption type for a session is
>chosen by magical means. It always comes up DES_CFB64. You can
>change this on the fly with the encrypt type command, though.

I figured this out. The first cipher listed in the encryptions[]
table is prefered. I put IDEA first. :-)

>Have fun!

[...]

The patch is getting to big to post. If you want it AND YOU ARE INSIDE
THE US OR CANADA, go get ftp://ftp.kfu.com/pub/sra.idea.tar.gz.
Unpack this in /usr/src/secure/lib/libtelnet. Move the telnet.h
file to /usr/include/arpa and /usr/src/include/arpa. Build a new
libtelnet and install it. That's it.

-- 
Nick Sayer <nsayer@quack.kfu.com>  | "Objection!"   "Overruled."
N6QQQ @ N0ARY.#NORCAL.CA.USA.NOAM  | "Exception!"   "Noted."
+1 408 249 9630, log in as 'guest' | "FRUSTRATION!" "Vented."
URL: http://www.kfu.com/~nsayer/   |   -- Dan & Harry, "Night Court"