vtcp/secure: a remote vpn for the macintosh

VTCP/Secure: A Remote VPN for the Macintosh. Stacey Lum, InfoExpress. The Third Annual Macintosh Cryptography and Internet Commerce Software Development Workshop.

Post on 09-Jan-2016


DESCRIPTION

VTCP/Secure: A Remote VPN for the Macintosh. Stacey Lum, InfoExpress. The Third Annual Macintosh Cryptography and Internet Commerce Software Development Workshop. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: VTCP/Secure: A Remote VPN for the Macintosh

VTCP/Secure: A Remote VPN for the Macintosh

Stacey Lum, InfoExpress

The Third Annual Macintosh Cryptography and Internet Commerce Software Development Workshop

Page 2: VTCP/Secure: A Remote VPN for the Macintosh

Remote VPN Definition

Provide Secure Remote Access Over Untrusted Networks

Secure Usually Means:

• Encryption

• Data Integrity

• Authentication

• Access Control

Diagram: Remote PC -> Untrusted Network -> Gateway -> Corporate Network

Page 3: VTCP/Secure: A Remote VPN for the Macintosh

Remote VPN Environments

• ISDN, Cable Modem, DSL, 56k Dial-up

• Network Address Translation (NAT)

– Single and Multiple IP at NAT Device

• Extranet Capabilities

– Remote Firewall

– Proxy Traversal

Page 4: VTCP/Secure: A Remote VPN for the Macintosh

Remote VPN Features

• Performance

• Ease of Use

• Application Compatibility

– TCP and UDP

– ICMP

– File Sharing

– Non-IP Protocol Applications

Page 5: VTCP/Secure: A Remote VPN for the Macintosh

Where to Filter Data?

• Need to Intercept Network Calls

• Characteristics of the VPN Differ Depending on Which Layer is Intercepted

Page 6: VTCP/Secure: A Remote VPN for the Macintosh

Layer 3 Advantages

• Compatibility Above IP

• Can be IPSEC Compliant

• Gateway Performance

Diagram (protocol stack, interception at the IP layer): Application / TCP/UDP / IP / NIC, Modem

Page 7: VTCP/Secure: A Remote VPN for the Macintosh

Layer 4 Advantages

• Media and OS Compatibility (Ethernet, Dial-up)

• Extranet, NAT, and Proxy Friendly

• End User Performance

Diagram (protocol stack, interception at the TCP/UDP layer): Application / TCP/UDP / IP / NIC, Modem

Page 8: VTCP/Secure: A Remote VPN for the Macintosh

Mac Layer 4 Filtering

• STREAMS Filtering

– TCP + UDP (Autopush)

– DNS (SAD Push)

• Tunneling Component

– OT GUI Application

– Encryption and Integrity

– Authentication

Diagram (protocol stack with the Open Transport application above the filtered transport modules): OT App / TCP, UDP / IP / NIC, Modem

Page 9: VTCP/Secure: A Remote VPN for the Macintosh

Security Model

Diagram: Client <-> Gateway <-> Authentication Server

• Client to Gateway: Gateway Public Key

• Gateway to Authentication Server: Shared Key

Page 10: VTCP/Secure: A Remote VPN for the Macintosh

Diffie-Hellman Public Key

• Royalty Free

• Based on Discrete Logarithms

• Simple Math

– (G^x)^y mod P = (G^y)^x mod P

– n is hard to calculate from (G^n modulus P) with certain values of P and G

• Private key: n. Public key: (G^n modulus P)

Page 11: VTCP/Secure: A Remote VPN for the Macintosh

Standard D-H Exchange

Diagram: Mac Client <-> Untrusted Network <-> Gateway

Mac Client contents: server public key

Gateway contents: server public key, server private key

• Mac Client: create D-H key pair, send public key

• Mac Client: calculate D-H secret key using client's private key & server's public key

• Gateway: calculate D-H secret key using server's private key & client's public key

• Encrypted Authentication

Page 12: VTCP/Secure: A Remote VPN for the Macintosh

Extended D-H Exchange with Past Secrecy

Diagram: Mac Client <-> Untrusted Network <-> Gateway

Mac Client contents: server public key

Gateway contents: server public key, server private key

• Mac Client: generate two D-H key pairs and send public keys

• Gateway: generate D-H key pair and send public key

• Mac Client: calculate D-H using client's private keys & server's public keys

• Gateway: calculate D-H using server's private key & client's public keys

• Encrypted Authentication
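The two exchanges on slides 11 and 12, using the arithmetic from slide 10, as an added worked example that is not part of the original deck or InfoExpress's product code. It assumes a toy-size group (P = 23, G = 5, constructed here; real parameters are a large safe prime) and a SHA-256 key derivation, which the deck does not specify; "past secrecy" is read as forward secrecy, which the extended exchange provides because the second shared value depends only on ephemeral keys.

```python
import hashlib
import secrets

# Toy-size group, constructed for illustration only; a real deployment uses a
# large safe prime (for example an RFC 3526 MODP group) with a proper generator.
P = 23
G = 5


def dh_keypair(priv=None):
    """Return (private n, public G^n mod P); a random n is drawn if none is given."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def standard_exchange(client_priv, server_priv):
    """Slide 11: one key pair per side. Both ends compute (G^x)^y = (G^y)^x mod P."""
    _, client_pub = dh_keypair(client_priv)
    _, server_pub = dh_keypair(server_priv)
    client_secret = pow(server_pub, client_priv, P)  # client's private key, server's public key
    server_secret = pow(client_pub, server_priv, P)  # server's private key, client's public key
    return client_secret, server_secret


def extended_exchange(client_privs, server_static_priv, server_eph_priv):
    """Slide 12: the client sends two public keys; the gateway answers with its
    static public key plus a fresh ephemeral one. Each side ends with two shared
    values. The second involves only ephemeral keys, so a recording of the
    session plus a later leak of the gateway's static private key still does
    not rebuild the session key (the deck's "past secrecy")."""
    a1, a2 = client_privs
    _, A1 = dh_keypair(a1)
    _, A2 = dh_keypair(a2)
    _, S = dh_keypair(server_static_priv)
    _, E = dh_keypair(server_eph_priv)
    client_shared = (pow(S, a1, P), pow(E, a2, P))
    server_shared = (pow(A1, server_static_priv, P), pow(A2, server_eph_priv, P))
    return client_shared, server_shared


def session_key(shared_values):
    """Derive the symmetric key for the encryption layer (slide 13). Assumption:
    SHA-256 over the concatenated shared values; the deck does not name a KDF."""
    h = hashlib.sha256()
    for v in shared_values:
        h.update(v.to_bytes(32, "big"))
    return h.digest()


if __name__ == "__main__":
    c, s = extended_exchange((6, 15), 13, 4)
    print(c, s, session_key(c) == session_key(s))
```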

Page 13: VTCP/Secure: A Remote VPN for the Macintosh

Symmetric Key For Encryption

• Compression for Performance (LZ)

• Crypto Checksum for Integrity (MD5)

• Initialization Vector for Sequencing

• Encryption (DES, and Triple DES)

• Chain Messages > Block Length (CBC)

Page 14: VTCP/Secure: A Remote VPN for the Macintosh

Demo

• Diffie-Hellman Key Exchange

• DES Encryption

• Authentication using SecurID

• Download File