Firewall Wizards mailing list archives
RE: pcanywhere encryption
From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Fri, 26 Jan 2001 18:07:27 -0500
I'll simplify discussion on this by a general statement, which might help understanding of the options (many folks reading this already know this part):

Since asymmetric (public/private key) encryption is hard to break because it uses Difficult Math (tm), it's not really effective to use for bulk encryption. Even if you are using hardware cryptography, your main data stream is almost always going to be encrypted with a symmetric key (A/K/A secret key or "shared key") algorithm. The most that your public/private key pair can do is provide a secure channel to exchange the secret key.

The thing is, however, that the key management piece (getting both sides to use the same symmetric key) is one of the hardest parts...and since that's one of the pieces that public/private key cryptography *does* address well, it's fairly common for some combination of algorithms to be used. The key exchange algorithm is more likely to be Diffie-Hellman rather than full-up X.509 certificates, but I've seen both.

I suspect that your option 4 is some combination of algorithms, rather than just public/private key stuff...and if you can get it up and running, the long term benefit may be worth the additional initial effort. (Insert discussion of IPSec here...I'm running out the door, and don't want to do it off the top of my head when others here are involved in advancing the standard...)

It's been awhile since I poked at PCAnywhere, but I need to take a harder look at it next week for a friend anyway--so I'll follow up if I find anything interesting. In particular, if anyone knows for sure that PCAnywhere *really* does its mainstream encryption using public/private key cryptography, please post that...but I would be very surprised.

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: hermit1 [mailto:hermits () mac com]
Sent: Friday, January 26, 2001 12:08 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] pcanywhere encryption

I wouldn't bother people with this, except Symantec tech support claims to know nothing about how their encryption works. (Actually, they claim their product does not do encryption, it merely passes the data to Microsoft programs for encryption when appropriate. Doesn't that make you feel safe?)

My organization is looking into ways of expanding remote access capabilities. One program we are trying is pcAnywhere from Symantec. The documentation claims there are 4 levels of encryption available:

1. None - Symantec recommends against using this
2. pcAnywhere - Symantec also recommends against using this
3. Symmetric key - recommended
4. Public key - recommended as stronger than #3. But as near as I can tell, this has the same level of encryption as #3 except you need a certificate setup to use it.

For symmetric keys, the manual states "pcAnywhere generates a unique public key and uses this key to encrypt and safely pass the symmetric key used to encrypt the session." Since there is no provision for selecting how the encrypted key gets decrypted by which client or server (there is no statement about which end of the connection generates the keys), the only conclusion I can draw is that the "unique public key" can be decrypted by ANY pcAnywhere host or client anywhere. Well, I can draw another conclusion that both the public and private keys are sent at the same time, but that procedure seems even more stupid than my first conclusion.

Can anyone help out by explaining what Symantec is actually doing to set up encrypted sessions? Symantec can't explain it.

Thanks,
hermit1

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
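
Added example, not part of either message and not pcAnywhere's actual protocol: a sketch of the hybrid pattern discussed above, in which each end generates its own Diffie-Hellman private value, only public values cross the wire, and the bulk data is protected with symmetric keys derived from the shared secret. Assumptions: the modulus is a toy choice (a Mersenne prime, not a vetted group), the HMAC-based keystream is a standard-library stand-in for a real symmetric cipher, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption): a Mersenne prime modulus, not a vetted DH group.
P, G = 2**521 - 1, 3

def dh_keypair():
    """Each end makes its own private value; only the public value is sent."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_keys(my_priv, peer_pub):
    """Both ends derive the same (encryption key, MAC key) pair."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, my_priv, P).to_bytes(66, "big")
    digest = hashlib.sha512(shared).digest()
    return digest[:32], digest[32:]

def _keystream(key, nonce, length):
    # Stand-in for a real symmetric cipher: HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(keys, plaintext):
    """Bulk data is protected with the symmetric keys only."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(keys, blob):
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo():
    host_priv, host_pub = dh_keypair()        # host sends host_pub
    client_priv, client_pub = dh_keypair()    # client sends client_pub
    host_keys = session_keys(host_priv, client_pub)
    client_keys = session_keys(client_priv, host_pub)
    blob = seal(client_keys, b"constructed sample session data")
    return host_keys == client_keys, open_sealed(host_keys, blob)

if __name__ == "__main__":
    print(demo())
```

Nothing in this sketch authenticates the public values that are exchanged; binding them to an identity is the part that the X.509 certificates mentioned in the reply would add.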