1994-05-25 - IBM’s NetSP

Header Data

From: Adam Shostack <adam@bwh.harvard.edu>
To: cypherpunks@toad.com
Message Hash: a901fd3c8845d4d978d2f6dceb37350eccf89465a8a2b5c697408d5fa6dc7d7a
Message ID: <199405251712.NAA22131@spl.bwh.harvard.edu>
Reply To: N/A
UTC Datetime: 1994-05-25 17:13:26 UTC
Raw Date: Wed, 25 May 94 10:13:26 PDT

Raw message

From: Adam Shostack <adam@bwh.harvard.edu>
Date: Wed, 25 May 94 10:13:26 PDT
To: cypherpunks@toad.com
Subject: IBM's NetSP
Message-ID: <199405251712.NAA22131@spl.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain



(This is a set of excerpts from a 1000 line file I got from a guy
@IBM.  If anyone wants the whole thing, just ask.)

|   Network Security Program Version 1 Release 2 is a distributed authentication
|   and key distribution program.  The Network Security Program authenticates the
|   identity of two communicating principals in the network and provides each
|   with the ability to verify the identity of the other via a common third-party
|   server.

|   Network Security Program provides secured single sign-on (SSO) to 3270 host
|   applications via an EHLLAPI emulator interface to a RACF* host system.
|   Through the implementation of PassTickets, the user at the client workstation
|   need only provide one log-on password that will allow secured access to
|   multiple host applications.  In addition to the TCP/IP transfer protocols for
|   these platforms NetBIOS is supported on AIX*, OS/2*, DOS*, and Windows; LU6.2
|   is supported on AIX and OS/2.
| 
|   Network Security Program provides distributed security services that user
|   applications may invoke through the Generic Security Services Application
|   Programming Interface (GSSAPI).  GSSAPI is approved as a Request for Comment
|   (RFC) by the Internet Engineering Task Force (IETF).  The underlying security
|   mechanism is based on KryptoKnight, an advanced authentication technology
|   developed by IBM Research Laboratories in Zurich, Switzerland and Yorktown
|   Heights, New York.
| 
|   In V1R2 we are extending our platforms from the AIX/6000, OS/2 and DOS
|   operating systems to include HP, SUN, and DOS/Windows for client and
|   application server workstations.  IPX/SPX is supported on OS/2 and Windows
|   for authentication servers and clients running on workstations with Novell
|   Netware.  TCP/IP is supported on all the specified platforms.  Single sign-on
|   (SSO) support for OS/2 has been extended to LanServer and Novell.


|   In DCE environments, Network Security Program is offered to customers whose
|   environments pose authentication problems at the transport layer and below.
|   Because of its compact tickets and flexible authentication protocols, Network
|   Security Program can be more effective in satisfying this set of
|   requirements. Network Security Program also provides secure LU2 sign-on to
|   RACF host applications without requiring re-entry of host user names or
|   passwords.  Single sign-on to LANServer and Novell is also available.  DCE is
|   the recommended solution for customers requiring authentication above the
|   transport layer (through secure RPC), for use by the application layer, for
|   more complete security services, or for integration with other services, such
|   as data access control or integration with resource managers.


|   DATA CONFIDENTIALITY
| 
|   Commercial Data Masking Facility (CDMF) is a new technology recently
|   developed by the IBM Crypto Competence Center.  CDMF has a scrambling
|   algorithm that will be supported under the GSS-API (GSS-SEAL / GSS-UNSEAL API
|   calls).  It provides the application programmer the capability to easily
|   scramble selected packets of data sent in the network.  Data confidentiality
|   is secured from indiscriminate use and your assets stay protected.
| 
|   CDMF alleviates the worry of having your data flow across the network in
|   clear text.  The degree of security is equivalent to encryption using DES but
|   with keys limited to 40 bits.  IBM has obtained approval from the US
|   Government to export CDMF in products without the license required to export
|   products containing DES.


| TEXT
| 
|   TECHNICAL DESCRIPTION
| 
|   Network Security Program was developed to exploit key distribution and
|   authentication technologies based on a third party authentication server.
|   Several technologies exist in the industry today, one of which is
|   KryptoKnight, which was developed by the IBM Research Division laboratories
|   in Yorktown Heights, NY, and Zurich, Switzerland.  The KryptoKnight
|   technology, from a user viewpoint, appears on the surface much the same as
|   another security service developed at MIT, Kerberos.  Though Kerberos has
|   been made widely available through public access, it presents several
|   limitations in certain network environments.  Network Security Program
|   provides extensions to the Kerberos technology that can prove most desirable
|   to customers operating such network environments.  For example, the smaller
|   KryptoKnight tokens make implementation of security at lower networking
|   layers possible.  Other technical advantages include a use of cryptography
|   that is not subject to export controls, flexibility in authentication
|   protocols for situations in which the client cannot contact the
|   authentication server directly and the reduced dependency on clock
|   synchronization among communicating principals.



|   Network Security Program is being developed as an 'open' multi-platform
|   security solution.  The intent is to provide a port to as many different
|   systems as is possible given the time and resource constraints.  In the
|   workstation environment, a customer typically will have many varieties of
|   hardware/software in their network.  Interoperability is a key requirement
|   for any security solution.  This release of the Network Security Program will
|   address the AIX/6000, OS/2, DOS, DOS/Windows, SUN and HP platforms.
| 
|   Network Security Program is developed with a user-friendly Graphical User
|   Interface (GUI).  The security mechanisms residing below the Application
|   Programming Interface (API) are transparent to the client.  At the
|   Authentication Server, there is also an administration interface.  Industry
|   standards are supported to provide as seamless a transition among all
|   platforms as possible; MOTIF standards for AIX/6000 and CUA91 standards for
|   OS/2 and DOS.

|   RISC System/6000* POWERstation*.  The client code shipped with the Network
|   Security Program runs on the following workstations: OS/2, DOS/Windows,
|   AIX/6000, SUN, and HP.  The minimum machine requirements are:

|   o   DOS Workstation
|       Approximately 400KB of free disk space is required for the Network
|       Security Program. If the Network Security Program software is installed


|   o   SUN Workstation
|       -   A SUN microsystem spark [sic] station running Solaris 1.1 or later.

	(Most UNIX systems req. 5mb disk, 8mb ram.  Seems that Solaris
2 is not later enough to count as 'solaris 1.1 or later;' It was not
listed as a supported OS.)

-- 
Adam Shostack 				       adam@bwh.harvard.edu

Politics.  From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

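The three-party, nonce-based design the IBM excerpt credits to KryptoKnight (a common server that vouches for two principals, short MAC tokens instead of encrypted tickets, and freshness from nonces rather than synchronized clocks), as an added example that is not part of the original post and is not IBM's protocol or code. The message formats, the HMAC-based wrapping of the session key, the 8-byte token length, the key sizes and the principal names are assumptions of the example; B makes the server round trip on A's behalf to illustrate the case where the client cannot contact the authentication server directly.

```python
import hashlib
import hmac
import secrets
import struct

TOKEN_LEN = 8   # assumed: 64-bit compact tokens, small enough to fit low-layer headers
KEY_LEN = 16    # assumed session-key and long-term key size


def _pack(*fields: bytes) -> bytes:
    """Length-prefix every field so (b"ab", b"c") and (b"a", b"bc") MAC differently."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def token(key: bytes, *fields: bytes) -> bytes:
    """Compact token: a truncated MAC over the fields (no clock, no encrypted ticket)."""
    return hmac.new(key, _pack(*fields), hashlib.sha256).digest()[:TOKEN_LEN]


def mask(key: bytes, data: bytes, *label: bytes) -> bytes:
    """XOR data with a keystream derived from key and label (assumed wrapping scheme;
    a product would use a block cipher). Self-inverse; the label must be fresh per
    run so the keystream is never reused."""
    stream = hmac.new(key, _pack(b"wrap", *label), hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, stream))


class KDC:
    """The common third-party server: one long-term key per principal."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)

    def issue(self, a: bytes, b: bytes, n_a: bytes, n_b: bytes) -> dict:
        """Return a fresh session key Ks as two shares, one per principal. Each share is
        wrapped under that principal's key and bound by a token to its own nonce and
        the peer's name, so a share captured in another run is rejected."""
        ks = secrets.token_bytes(KEY_LEN)
        shares = {}
        for me, peer, nonce in ((a, b, n_a), (b, a, n_b)):
            k = self.keys[me]
            wrapped = mask(k, ks, nonce, peer)
            shares[me] = (wrapped, token(k, nonce, peer, wrapped))
        return shares


class Principal:
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key

    def accept_share(self, nonce: bytes, peer: bytes, share: tuple) -> bytes:
        """Check the KDC token against the nonce this run used, then unwrap Ks."""
        wrapped, tok = share
        if not hmac.compare_digest(tok, token(self.key, nonce, peer, wrapped)):
            raise ValueError(f"{self.name.decode()}: share not bound to current nonce")
        return mask(self.key, wrapped, nonce, peer)


def run(kdc: KDC, alice: Principal, bob: Principal, replay: bool = False) -> bool:
    """One run of the exchange. Returns True if both sides authenticate and share Ks."""
    n_a = secrets.token_bytes(8)                         # 1. A -> B : A, N_a
    n_b = secrets.token_bytes(8)                         # B picks its own nonce
    # 2/3. B <-> KDC : (A, B, N_a, N_b) -> shares. B does the round trip because, in
    # this scenario, A cannot reach the server directly.
    shares = kdc.issue(alice.name, bob.name, n_a, n_b)
    ks_b = bob.accept_share(n_b, alice.name, shares[bob.name])
    share_a = shares[alice.name]
    proof_b = token(ks_b, n_a, n_b, bob.name)            # 4. B -> A : N_b, share_A, proof_B
    if replay:
        # Failure mode: an attacker substitutes message 4 captured in an earlier run.
        # It was built for a different N_a, so it cannot answer A's current challenge.
        old_n_a = secrets.token_bytes(8)
        old = kdc.issue(alice.name, bob.name, old_n_a, n_b)
        share_a = old[alice.name]
        proof_b = token(bob.accept_share(n_b, alice.name, old[bob.name]),
                        old_n_a, n_b, bob.name)
    try:
        ks_a = alice.accept_share(n_a, bob.name, share_a)
    except ValueError:
        return False
    if not hmac.compare_digest(proof_b, token(ks_a, n_a, n_b, bob.name)):
        return False
    proof_a = token(ks_a, n_a, n_b)                      # 5. A -> B : proof_A
    return hmac.compare_digest(proof_a, token(ks_b, n_a, n_b)) and ks_a == ks_b


def demo() -> tuple:
    """Constructed keys and principals; returns (honest run ok, replayed run ok)."""
    keys = {b"alice": secrets.token_bytes(KEY_LEN), b"bob": secrets.token_bytes(KEY_LEN)}
    kdc = KDC(keys)
    alice, bob = Principal(b"alice", keys[b"alice"]), Principal(b"bob", keys[b"bob"])
    return run(kdc, alice, bob), run(kdc, alice, bob, replay=True)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point of the replay branch is the clock-synchronization claim in the excerpt: a Kerberos-style ticket relies on a timestamp plus an allowed skew window to reject old messages, whereas here every token is bound to the nonce of the current run, so a stale message fails regardless of what either machine's clock says. The tokens are also just eight bytes, which is what makes it plausible to carry them in headers below the transport layer.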