From: Adam Shostack <adam@bwh.harvard.edu>
Date: Wed, 2 Mar 94 07:15:34 PST
To: Rolf.Michelsen@delab.sintef.no (Rolf Michelsen)
Subject: Re: low-overhead encrypted telnet
In-Reply-To: <Pine.3.88.9403020801.B1102-0100000@svme.er.sintef.no>
Message-ID: <199403021514.KAA03435@duke.bwh.harvard.edu>
MIME-Version: 1.0
Content-Type: text/plain


Rolf wrote:

| I am currently working on a project which requires encrypted TELNET.  We 
| will be encrypting *all* transmitted data to protect sensitive 
| information -- not just passwords.  Does anybody know the current status 
| of standardization of an encryption option for TELNET?


	I don't, but I would question the wisdom of putting lots of
effort into a telnet encryption scheme.  I would think it would be
much more productive to build an encryption scheme at the network
level, say, as packets are being encapsulated, so that users can
specify that they want an encrypted session for telnet or ftp, or even
sendmail could encrypt automatically when sending to certain hosts.

	By using a public key scheme to exchange session keys (much
like PGP), you could obtain the public key affiliated with your
destination IP, and know your packets are getting to the right place.

	A general framework, based on public key encryption would be a
far more flexible, powerful and useful tool for generating security on
the net than simply securing TELNET.


Adam

-- 
Adam Shostack 				       adam@bwh.harvard.edu

Politics.  From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

Have you signed the anti-Clipper petition?