Browse Prior Art Database

TELNET Authentication Using KEA and SKIPJACK (RFC2951)

IP.com Disclosure Number: IPCOM000005144D
Original Publication Date: 2000-Sep-01
Included in the Prior Art Database: 2001-Aug-16
Document File: 12 page(s) / 21K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

R. Housley: AUTHOR [+3]

Abstract

This document defines a method to authenticate TELNET using the Key Exchange Algorithm (KEA), and encryption of the TELNET stream using SKIPJACK. Two encryption modes are specified; one provides data integrity and the other does not. The method relies on the TELNET Authentication Option.

This text was extracted from a ASCII document.
This is the abbreviated version, containing approximately 18% of the total text.

Network Working Group R. Housley Request for Comments: 2951 T. Horting Category: Informational P. Yee

SPYRUS September 2000

TELNET Authentication Using KEA and SKIPJACK

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This document defines a method to authenticate TELNET using the Key Exchange Algorithm (KEA), and encryption of the TELNET stream using SKIPJACK. Two encryption modes are specified; one provides data integrity and the other does not. The method relies on the TELNET Authentication Option.

1. Command Names and Codes

AUTHENTICATION 37

Authentication Commands:

IS 0 SEND 1 REPLY 2 NAME 3

Authentication Types:

KEA_SJ 12 KEA_SJ_INTEG 13

Modifiers:

AUTH_WHO_MASK 1 AUTH_CLIENT_TO_SERVER 0 AUTH_SERVER_TO CLIENT 1

Housley, et al. Informational [Page 1]

RFC 2951 TELNET Authentication Using KEA SKIPJACK September 2000

AUTH_HOW_MASK 2 AUTH_HOW_ONE_WAY 0 AUTH_HOW_MUTUAL 2

ENCRYPT_MASK 20 ENCRYPT_OFF 0 ENCRYPT_USING_TELOPT 4 ENCRYPT_AFTER_EXCHANGE 16 ENCRYPT_RESERVED 20

INI_CRED_FWD_MASK 8 INI_CRED_FWD_OFF 0 INI_CRED_FWD_ON 8

Sub-option Commands:

KEA_CERTA_RA 1 KEA_CERTB_RB_IVB_NONCEB 2 KEA_IVA_RESPONSEB_NONCEA 3 KEA_RESPONSEA 4

2. TELNET Security Extensions

TELNET, as a protocol, has no concept of security. Without negotiated options, it merely passes characters back and forth between the NVTs represented by the two TELNET processes. In its most common usage as a protocol for remote terminal access (TCP port 23), TELNET normally connects to a server that requires user-level authentication through a user name and password in the clear. The server does not authenticate itself to the user.

The TELNET Authentication Option provides for:

User authentication replacing or augmenting the normal host

password mechanism; Server authentication normally done in conjunction with user

authentication; Session parameter negotiation in particular, encryption key

and attributes; Session protection primarily encryption of the data and embedded command stream, but the encryption algorithm may also provide data integrity.

In order to support these security services, the two TELNET entities must first negotiate their willingness to support the TELNET Authentication Option. Upon agreeing to support this option, the parties are then able to perform sub-option negotiations to determine

Housley, et al. Informational [Page 2]

RFC 2951 TELNET Authentication Using KEA SKIPJACK September 2000

the authentication protocol to be used, and possibly the remote user name to be used for authorization checking. Encryption is negotiated...