[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: low-overhead encrypted telnet



Couple of comments:

1) Kerberos *does* work between corporate entities.  I can, for
example, go to Iastate (ISU) and get MIT Kerberos tickets, and then
rlogin -x to MIT, encrypting the session (I can, and I have).  Also,
it is possible (and I know someone who is doing it at this moment) for
someone from ISU, with ISU tickets, to log into an account here at
MIT.

2) Using your example, a user on host A telnets to host B, and from
host B they telnet to host C, if the A<->B link is encrypted, then so
long as the user trusts host B, then A<->C is secure as well (assuming
B<->C is encrypted).

3) Just encrypting from client->server will not necessarily reduce the
load on the server.  Also, doing something like DES is really not a
very high CPU operation, IMHO.  Maybe a better protocol than the one
done in rlogin -x is in order (this sends 8 characters over the link
for every successful "read", which means you can be getting anywhere
from 100% down to 12% throughput of plaintext in the cyphertext!)

4) Charon, which is based upon Kerberos, was developed exactly for
this type of problem: you want to authenticate securely over links
which may not otherwise be secure, but you trust the CPU in front of
you!  The paper describing Charon is available via anonymous ftp:
	ftp://toxicwaste.mit.edu/pub/charon/thesis.ps.Z

Enjoy!

-derek