
Re: Encrypted TCP Tunneler



On Mon, 23 Oct 1995, Tatu Ylonen wrote:

> > an ETT client and an ETT server, using Diffie-Hellman and DSA for
> 
> You are aware that RSADSI claims they have exclusive licensing rights
> for DSA?

Adding MD5 support wouldn't be a bad idea. Same for algorithms 
alternative to Blowfish (3DES etc.) and DH (e.g., with Elliptic 
functions-based key exchange), all automatically negotiated at connection 
time.

> Are you familiar with ssh [http://www.cs.hut.fi/ssh]?  It has many of
> the features that you are planning.

I think that Wei's idea is for something more general, similar to the
CryptoTCP 0.9 posted a few months ago by ModX and available from 
ftp://utopia.hacktic.nl/pub/replay/crypto/CRYPTOapps/ctcp.0.9.tar.gz
(that one used unauthenticated DH key exchange and 3DES, IMHO with a 
highly questionable PRNG for the generation of the session key).

It would be enormously more useful and popular if someone could write a
Winsock redirector loadable after WINSOCK.DLL but before any Winsock
application, hooking the API functions used to open TCP connections. That
would mean instant transport-level crypto capability for most Winsock
apps, just like NEC's SocksCap provides instant SOCKS (alas, V.4)
compliance. 

Also Perry's invitation to join the IPSEC effort should be given proper
attention (I would do it, if only my spare time were not in such short
supply). I would try to implement it on SLiRP, a free SLIP/PPP simulator
largely based on BSD TCP/IP code (but running in user mode). That would
allow experimenting without having to hack the kernel, and would have a
practical value for converting conventional login accounts into
IPSEC-compliant SLIP/PPP accounts (instant crypto, again). Networking
technologies gain much faster popularity once a critical mass of users
actually use them. And to reach that mass, we must enlist all the 
non-techies who just run unmodified Windows applications.

Enzo
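The message contrasts two designs: the proposed tunneler authenticates its Diffie-Hellman exchange with DSA, while the CryptoTCP 0.9 it mentions used unauthenticated DH (and, per Enzo, a weak PRNG for the session key). The following is an added illustration written for this archive page, not code from either project: a toy DH exchange in which each side can optionally authenticate the ephemeral public value it sends, and in which an in-path party may replace the public values. An HMAC under a long-term key that both ends are assumed to hold out of band stands in for the DSA signature, since the structure (sign what you send, verify what you receive) is what matters here; the group parameters, the long-term key and the role labels are constructed for the example, and private exponents come from the OS CSPRNG via `secrets` rather than a statistical PRNG.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this illustration only.
# A real implementation uses a standardised group (e.g. an RFC 3526 MODP group).
P = 2**127 - 1          # a prime small enough to print, far too small to deploy
G = 2
NBYTES = 16             # wide enough to hold any element of Z_P


def dh_keypair():
    """Ephemeral DH key pair. The exponent comes from the OS CSPRNG via
    `secrets`, not from a statistical PRNG such as random.random()."""
    x = secrets.randbelow(P - 2) + 1           # 1 <= x <= P-2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret; reject the trivial peer values 0, 1 and P-1 first."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def authenticate(ltk, role, pub):
    """Authenticator over an ephemeral public value. The HMAC under a
    long-term key (assumed shared out of band) stands in for a DSA signature."""
    return hmac.new(ltk, role + pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def check(ltk, role, pub, tag):
    return hmac.compare_digest(authenticate(ltk, role, pub), tag)


def session_key(shared, client_pub, server_pub):
    """Derive the session key from the shared secret *and* the transcript
    (both public values), so the key is bound to the exchange as each side saw it."""
    transcript = client_pub.to_bytes(NBYTES, "big") + server_pub.to_bytes(NBYTES, "big")
    return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript).digest()


def run_exchange(authenticated, in_path_substitution,
                 ltk=b"constructed-long-term-key-shared-out-of-band"):
    """Simulate client and server, optionally with an in-path party that
    replaces each public value with its own. Returns
    (client_key, server_key, rejected); rejected=True means a side refused
    to proceed because an authenticator failed to verify."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    c_tag = authenticate(ltk, b"client", c_pub) if authenticated else None
    s_tag = authenticate(ltk, b"server", s_pub) if authenticated else None

    # What each side actually receives from the network.
    c_pub_seen, s_pub_seen = c_pub, s_pub
    if in_path_substitution:
        # The in-path party holds no long-term key: it can substitute public
        # values but cannot produce a valid authenticator for them.
        _, m_pub = dh_keypair()
        c_pub_seen = s_pub_seen = m_pub

    if authenticated:
        server_ok = check(ltk, b"server", s_pub_seen, s_tag)   # client verifies
        client_ok = check(ltk, b"client", c_pub_seen, c_tag)   # server verifies
        if not (server_ok and client_ok):
            return None, None, True

    client_key = session_key(dh_shared(c_priv, s_pub_seen), c_pub, s_pub_seen)
    server_key = session_key(dh_shared(s_priv, c_pub_seen), c_pub_seen, s_pub)
    return client_key, server_key, False


if __name__ == "__main__":
    for auth, sub in [(False, False), (False, True), (True, False), (True, True)]:
        ck, sk, rejected = run_exchange(auth, sub)
        print(f"authenticated={auth!s:5} substitution={sub!s:5} "
              f"rejected={rejected!s:5} keys_agree={ck == sk}")
```

Without authentication and with substitution, both sides finish the protocol and derive a key, but not the same one: each shares a key with the in-path party and nothing in the exchange reveals it. With authentication, the substituted values fail verification and the connection is refused before any key is used, which is the property the DSA step in the proposed design buys.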