RE: pcanywhere encryption

[Ben.Grubin () guardent com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> > From: hermit1 [mailto:hermits () mac com]
> Sent: Friday, January 26, 2001 12:08 PM
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] pcanywhere encryption
>
>
> I wouldn't bother people with this, except Symantec tech 
> support claims to 
> know nothing about how their encryption works.  (Actually, 
> they claim their 
> product does not do encryption, it merely passes the data to 
> Microsoft 
> programs for encryption when appropriate.  Doesn't that make 
> you feel safe?)

It's what Microsoft's Crypto API was designed for.  There is quite a
selection of perfectly reasonable algorithms that plug in.

> My organization is looking into ways of expanding remote access 
> capabilities.  One program we are trying is pcAnywhere from 
> Symantec.  The 
> documentation claims there are 4 levels of encryption available:
> 1.  None  -  Symantec recommends against using this
> 2.  pcAnywhere  -  Symantec also recommends against using this
> 3.  Symmetric key  -  recommended
> 4.  Public key  -   recommended as stronger than #3.  But as 
> near as I can 
> tell, this has the same level of encryption as #3 except you need a
>  certificate setup to use it.
>
> For symmetric keys, the manual states "pcAnywhere generates a 
> unique public 
> key and uses this key to encrypt and safely pass the 
> symmetric key used to 
> encrypt the session."

Precisely.  My guess is #3 is just generating a public/private
kepair, whereas #4 is able to utilize your existing X.509
certificates.  Your certs might be more secure in that the keypairs
it generates on its own might be of a low keylength. 
 
> Since there is no provision for selecting how the encrypted key
> gets  decrypted by which client or server (there is no statement 
> about which end 
> of the connection generates the keys), the only conclusion I 
> can draw is 
> that the "unique public key" can be decrypted by ANY 
> pcAnywhere host or 
> client anywhere.  Well, I can draw another conclusion that 
> both the public 
> and private keys are sent at the same time, but that 
> procedure seems even 
> more stupid than my first conclusion.

You don't seem to understand the nature of a public/private keypair
or the persuant exchange.  The public key is not used for decryption.
 It is used for ENcryption of the data destined for the host that
sent the key.  That's why it's safe to send that key over the wire in
the clear, which is precisely what happens.  Each side of the
connection generates a public/private keypair, and sends the public
key to the other side.  Now each side can use that public key to
encrypt the data to the other, which posesses the matching private
key.

> Can anyone help out by explaining what Symantec is actually 
> doing to set up 
> encrypted sessions?  Symantec can't explain it.

That's because the manual already did.  They probably had no idea
what you were asking.  Software support desks are inherently for
those that can't read the manual.  Since you already did, you knew as
much, if not more, than they did.

Cheers,
Ben

- --------------------------------------------------
Benjamin P. Grubin            bgrubin () guardent com
Guardent, Inc.             http://www.guardent.com
PGP Key:  D33D 22C2 6552 0F6B  44E4 5254 0172 0E10

"The world isn't run by weapons anymore, or energy, or money.  It's
run by little ones and zeros, little bits of data.. it's all just
electrons."

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOnMLlCmSO0d5/rT7EQJPqwCg+UggwazBAkuMrmFtT/K46UbyF/sAoLwn
wVEV9vth51QpR75DcSiEYk9s
=hLLN
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards