Re: pcanywhere encryption

["Crist Clark" <crist.clark () globalstar com>]

hermit1 wrote:
> I wouldn't bother people with this, except Symantec tech support claims to
> know nothing about how their encryption works.  (Actually, they claim their
> product does not do encryption, it merely passes the data to Microsoft
> programs for encryption when appropriate.  Doesn't that make you feel safe?)
>
> My organization is looking into ways of expanding remote access
> capabilities.  One program we are trying is pcAnywhere from Symantec.  The
> documentation claims there are 4 levels of encryption available:
> 1.  None  -  Symantec recommends against using this
> 2.  pcAnywhere  -  Symantec also recommends against using this
> 3.  Symmetric key  -  recommended
> 4.  Public key  -   recommended as stronger than #3.  But as near as I can
> tell, this has the same level of encryption as #3 except you need a
> certificate setup to use it.

My guess, and from vague recollections of research I did on PCAnywhere 
long ago, is that option #3 involves encryption without authentication.
It is possible for two machines to agree on an encryption key for symetric
crypo without having a shared secret and without ever sending secret 
information on the wire. The venerable Diffie-Hellman algorithm is the 
classic example and one of the easier public key algorithms to understand.
The drawback is that there is no authentication and you are vulnerable to 
an active man-in-the-middle attack.
 
> For symmetric keys, the manual states "pcAnywhere generates a unique public
> key and uses this key to encrypt and safely pass the symmetric key used to
> encrypt the session."

Yep. Sounds Diffie-Hellman-like.
 
> Since there is no provision for selecting how the encrypted key gets
> decrypted by which client or server (there is no statement about which end
> of the connection generates the keys), the only conclusion I can draw is
> that the "unique public key" can be decrypted by ANY pcAnywhere host or
> client anywhere. 

Hrm. Any two PCAnywhere hosts can agree on a symetric key by exchanging
public information. No one else, even someone who observed the exchange,
can determine the key the two have decided on (within the ususal limits 
of cryptoanalysis). That's what public key crypo is about.

> Well, I can draw another conclusion that both the public
> and private keys are sent at the same time, but that procedure seems even
> more stupid than my first conclusion.

If I am right, the symetric key is probably calculated from the exchanged 
of public keys. The symetric key should never go on the wire.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster () globalstar com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards