Firewall Wizards mailing list archives

RE: pcanywhere encryption


From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Fri, 26 Jan 2001 18:07:27 -0500

I'll simplify discussion on this by a general
statement, which might help understanding of
the options (many folks reading this already
know this part):

Since asymmetric (public/private key) encryption
is hard to break because it uses Difficult Math (tm),
it's not really effective to use for bulk encryption.
Even if you are using hardware cryptography, your main
data stream is almost always going to be encrypted
with a symmetric key (A/K/A secret key or "shared key")
algorithm.  The most that your public/private key
pair can do is provide a secure channel to exchange
the secret key.

The thing is, however, that the key management
piece (getting both sides to use the same symmetric
key) is one of the hardest parts...and since that's
one of the pieces that public/private key cryptography
*does* address well, it's fairly common for some
combination of algorithms to be used.  The key
exchange algorithm is more likely to be Diffie-Hellman
rather than full-up X.509 certificates, but I've
seen both.  I suspect that your option 4 is some
combination of algorithms, rather than just public/
private key stuff...and if you can get it up and
running, the long term benefit may be worth
the additional initial effort.

(Insert discussion of IPSec here...I'm running out
the door, and don't want to do it off the top of
my head when others here are involved in advancing
the standard...)

It's been awhile since I poked at PCAnywhere, but
I need to take a harder look at it next week for
a friend anyway--so I'll follow up if I find anything
interesting.  In particular, if anyone knows for
sure that PCAnywhere *really* does its mainstream
encryption using public/private key cryptography,
please post that...but I would be very surprised.

Rip Loomis              Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: hermit1 [mailto:hermits () mac com]
Sent: Friday, January 26, 2001 12:08 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] pcanywhere encryption


I wouldn't bother people with this, except Symantec tech support claims to
know nothing about how their encryption works.  (Actually, they claim their
product does not do encryption, it merely passes the data to Microsoft
programs for encryption when appropriate.  Doesn't that make you feel safe?)

My organization is looking into ways of expanding remote access
capabilities.  One program we are trying is pcAnywhere from Symantec.  The
documentation claims there are 4 levels of encryption available:
1.  None  -  Symantec recommends against using this
2.  pcAnywhere  -  Symantec also recommends against using this
3.  Symmetric key  -  recommended
4.  Public key  -  recommended as stronger than #3.  But as near as I can
tell, this has the same level of encryption as #3 except you need a
certificate setup to use it.

For symmetric keys, the manual states "pcAnywhere generates a unique public
key and uses this key to encrypt and safely pass the symmetric key used to
encrypt the session."

Since there is no provision for selecting how the encrypted key gets
decrypted by which client or server (there is no statement about which end
of the connection generates the keys), the only conclusion I can draw is
that the "unique public key" can be decrypted by ANY pcAnywhere host or
client anywhere.  Well, I can draw another conclusion that both the public
and private keys are sent at the same time, but that procedure seems even
more stupid than my first conclusion.

Can anyone help out by explaining what Symantec is actually doing to set up
encrypted sessions?  Symantec can't explain it.

Thanks,
hermit1
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
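
Added example (not part of either message, and not pcAnywhere's actual protocol): a sketch of the general pattern discussed in the thread, where a Diffie-Hellman exchange establishes the shared symmetric key and that key protects the bulk data. The group parameters, the HMAC-based keystream standing in for a real cipher, and all function names are assumptions chosen so the block runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

# Illustration-only parameters: 2**255 - 19 is prime, but it is not a vetted
# Diffie-Hellman group. Real systems use a standard group or X25519.
P, G = 2**255 - 19, 2

def dh_keypair():
    """One side's (private, public) pair; only the public value is sent."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_keys(my_priv, peer_pub):
    """Derive separate encryption and MAC keys from the shared DH secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    shared = pow(peer_pub, my_priv, P).to_bytes(32, "big")
    return (hmac.new(shared, b"enc", hashlib.sha256).digest(),
            hmac.new(shared, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, standing in for a real symmetric cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(keys, plaintext):
    """Bulk-encrypt with the symmetric key, then authenticate nonce + ciphertext."""
    enc, mac = keys
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(keys, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    enc, mac = keys
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def demo():
    # Constructed sample: the peer is not authenticated here, which is the
    # gap that certificates are meant to close.
    host_priv, host_pub = dh_keypair()
    client_priv, client_pub = dh_keypair()
    host_keys = session_keys(host_priv, client_pub)
    client_keys = session_keys(client_priv, host_pub)
    blob = seal(client_keys, b"constructed sample session data")
    return host_keys == client_keys, unseal(host_keys, blob)
```

Neither private value ever crosses the wire: each side sends only its public value and computes the same session keys locally.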
