Transcript VTCP/Secure: A Remote VPN for the Macintosh A Case Study

VTCP/Secure: A Remote
VPN for the Macintosh
Stacey Lum, InfoExpress
The Third Annual Macintosh Cryptography and
Internet Commerce Software Development
Workshop
Remote VPN Definition
Provide Secure Remote
Access Over Untrusted
Networks
Secure Usually Means
Encryption
Data Integrity
Authentication
Access Control
Corporate
Network
Gateway
Untrusted
Network
Remote PC
Remote VPN Environments
• ISDN, Cable Modem, DSL, 56k Dial-up
• Network Address Translation (NAT)
– Single and Multiple IP at NAT Device
• Extranet Capabilities
– Remote Firewall
– Proxy Traversal
Remote VPN Features
• Performance
• Ease of Use
• Application Compatibility
– TCP and UDP
– ICMP
– File Sharing
– Non-IP Protocol Applications
Where to Filter Data?
• Need to Intercept Network Calls
• Characteristics of VPN Differs Depending
on Which Layer is Intercepted
Layer 3 Advantages
• Compatibility Above IP
Application
• Can be IPSEC Compliant
• Gateway Performance
TCP/UDP
IP
NIC,Modem
Layer 4 Advantages
• Media and OS
Compatibility
(Ethernet, Dial-up)
• Extranet, NAT, and
Proxy Friendly
• End User Performance
Application
TCP/UDP
IP
NIC,Modem
Mac Layer 4 Filtering
• STREAMS Filtering
OT App
– TCP + UDP (Autopush)
– DNS (SAD Push)
TCP
UDP
• Tunneling Component
– OT GUI Application
IP
– Encryption and Integrity
– Authentication
NIC,Modem
Security Model
Authentication Server
Shared Key
Gateway
Gateway Public Key
Client
Diffie-Hellman Public Key
• Royalty Free
• Based on Discrete Logarithms
• Simple Math
–
y
x
G
mod P =
x
y
G
mod P
– n is hard to calculate from (Gn modulus P) with
certain values of P and G
• Private key: n
Public key: (Gn modulus P)
Standard D-H Exchange
Gateway
Mac Client
Contents
o Server public key
Untrusted
Network
Contents
o Server public key
o Server private key
Create DH key pair
Send public key
Calculate D-H
secret key using
client’s private key &
server’s public key
Encrypted
Authentication
Calculate D-H
secret key using
server’s private key &
client’s public key
Extended D-H Exchange with
Past Secrecy
Gateway
Mac Client
Contents
o Server public key
Generate two
D-H key pairs and
send public keys
Calculate D-H using
client’s private keys &
server’s public keys
Encrypted
Authentication
Untrusted
Network
Contents
o Server public key
o Server private key
Generate D-H
key pair and
send public key
Calculate D-H using
server’s private key &
client’s public keys
Symmetric Key For Encryption
• Compression for Performance (LZ)
• Crypto Checksum for Integrity (MD5)
• Initialization Vector for Sequencing
• Encryption (DES, and Triple DES)
• Chain Messages > Block Length (CBC)
Demo
• Diffie-Hellman Key Exchange
• DES Encryption
• Authentication using SecurID
• Download File