From: Adam Shostack <adam@bwh.harvard.edu>
To: cypherpunks@toad.com
Message Hash: a901fd3c8845d4d978d2f6dceb37350eccf89465a8a2b5c697408d5fa6dc7d7a
Message ID: <199405251712.NAA22131@spl.bwh.harvard.edu>
Reply To: N/A
UTC Datetime: 1994-05-25 17:13:26 UTC
Raw Date: Wed, 25 May 94 10:13:26 PDT
Subject: IBM's NetSP
(This is a set of excerpts from a 1000-line file I got from a guy
@IBM. If anyone wants the whole thing, just ask.)
| Network Security Program Version 1 Release 2 is a distributed authentication
| and key distribution program. The Network Security Program authenticates the
| identity of two communicating principals in the network and provides each
| with the ability to verify the identity of the other via a common third-party
| server.
| Network Security Program provides secured single sign-on (SSO) to 3270 host
| applications via an EHLLAPI emulator interface to a RACF* host system.
| Through the implementation of PassTickets, the user at the client workstation
| need only provide one log-on password that will allow secured access to
| multiple host applications. In addition to the TCP/IP transfer protocols for
| these platforms NetBIOS is supported on AIX*, OS/2*, DOS*, and Windows; LU6.2
| is supported on AIX and OS/2.
|
| Network Security Program provides distributed security services that user
| applications may invoke through the Generic Security Services Application
| Programming Interface (GSSAPI). GSSAPI is approved as a Request for Comments
| (RFC) by the Internet Engineering Task Force (IETF). The underlying security
| mechanism is based on KryptoKnight, an advanced authentication technology
| developed by IBM Research Laboratories in Zurich, Switzerland and Yorktown
| Heights, New York.
|
| In V1R2 we are extending our platforms from the AIX/6000, OS/2 and DOS
| operating systems to include HP, SUN, and DOS/Windows for client and
| application server workstations. IPX/SPX is supported on OS/2 and Windows
| for authentication servers and clients running on workstations with Novell
| Netware. TCP/IP is supported on all the specified platforms. Single sign-on
| (SSO) support for OS/2 has been extended to LanServer and Novell.
| In DCE environments, Network Security Program is offered to customers whose
| environments pose authentication problems at the transport layer and below.
| Because of its compact tickets and flexible authentication protocols, Network
| Security Program can be more effective in satisfying this set of
| requirements. Network Security Program also provides secure LU2 sign-on to
| RACF host applications without requiring re-entry of host user names or
| passwords. Single sign-on to LANServer and Novell is also available. DCE is
| the recommended solution for customers requiring authentication above the
| transport layer (through secure RPC), for use by the application layer, for
| more complete security services, or for integration with other services, such
| as data access control or integration with resource managers.
| DATA CONFIDENTIALITY
|
| Commercial Data Masking Facility (CDMF) is a new technology recently
| developed by the IBM Crypto Competence Center. CDMF has a scrambling
| algorithm that will be supported under the GSS-API (GSS-SEAL / GSS-UNSEAL API
| calls). It provides the application programmer the capability to easily
| scramble selected packets of data sent in the network. Data confidentiality
| is secured from indiscriminate use and your assets stay protected.
|
| CDMF alleviates the worry of having your data flow across the network in
| clear text. The degree of security is equivalent to encryption using DES but
| with keys limited to 40 bits. IBM has obtained approval from the US
| Government to export CDMF in products without the license required to export
| products containing DES.
| TEXT
|
| TECHNICAL DESCRIPTION
|
| Network Security Program was developed to exploit key distribution and
| authentication technologies based on a third party authentication server.
| Several technologies exist in the industry today, one of which is
| KryptoKnight, which was developed by the IBM Research Division laboratories
| in Yorktown Heights, NY, and Zurich, Switzerland. The KryptoKnight
| technology, from a user viewpoint, appears on the surface much the same as
| another security service developed at MIT, Kerberos. Though Kerberos has
| been made widely available through public access, it presents several
| limitations in certain network environments. Network Security Program
| provides extensions to the Kerberos technology that can prove most desirable
| to customers operating such network environments. For example, the smaller
| KryptoKnight tokens make implementation of security at lower networking
| layers possible. Other technical advantages include a use of cryptography
| that is not subject to export controls, flexibility in authentication
| protocols for situations in which the client cannot contact the
| authentication server directly and the reduced dependency on clock
| synchronization among communicating principals.
| Network Security Program is being developed as an 'open' multi-platform
| security solution. The intent is to provide a port to as many different
| systems as is possible given the time and resource constraints. In the
| workstation environment, a customer typically will have many varieties of
| hardware/software in their network. Interoperability is a key requirement
| for any security solution. This release of the Network Security Program will
| address the AIX/6000, OS/2, DOS, DOS/Windows, SUN and HP platforms.
|
| Network Security Program is developed with a user-friendly Graphical User
| Interface (GUI). The security mechanisms residing below the Application
| Programming Interface (API) are transparent to the client. At the
| Authentication Server, there is also an administration interface. Industry
| standards are supported to provide as seamless a transition among all
| platforms as possible; MOTIF standards for AIX/6000 and CUA91 standards for
| OS/2 and DOS.
| RISC System/6000* POWERstation*. The client code shipped with the Network
| Security Program runs on the following workstations: OS/2, DOS/Windows,
| AIX/6000, SUN, and HP. The minimum machine requirements are:
| o DOS Workstation
| Approximately 400KB of free disk space is required for the Network
| Security Program. If the Network Security Program software is installed
| o SUN Workstation
| - A SUN microsystem spark [sic] station running Solaris 1.1 or later.
(Most UNIX systems req. 5mb disk, 8mb ram. Seems that Solaris
2 is not later enough to count as 'solaris 1.1 or later;' It was not
listed as a supported OS.)
--
Adam Shostack adam@bwh.harvard.edu
Politics. From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.
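Added example, not part of the original post and not IBM's code: the excerpt claims two properties for KryptoKnight over Kerberos, reduced dependence on clock synchronization and a use of cryptography that avoided export controls (authentication built from one-way functions rather than encryption). The block below contrasts a Kerberos-style timestamp authenticator, which fails once the two clocks drift past the tolerated skew, with a nonce-based challenge/response that needs no clocks at all. The three-message exchange, the "msg2"/"msg3" labels, the principal names A and B, the hard-coded shared key and HMAC-SHA256 as the MAC are all assumptions made for the illustration; they are a generic protocol in the style the text describes, not KryptoKnight's actual messages.

```python
import hashlib
import hmac
import os

# Constructed shared key (assumption): in a deployment it would be handed out
# by the third-party authentication server; hard-coded here so this runs offline.
SHARED_KEY = b"example-key-shared-by-A-and-B"
SKEW_LIMIT = 300  # seconds of clock skew a timestamp verifier tolerates


def mac(key, label, *parts):
    """Length-prefixed HMAC over a message label and its fields.

    The label separates message types, so a tag computed for one message
    cannot be replayed as a different message (reflection attack)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(label)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


# ---- Timestamp-based authenticator (Kerberos-style) --------------------
def ts_authenticate(key, client, client_clock):
    ts = client_clock.to_bytes(8, "big")
    return ts, mac(key, b"ts-auth", client, ts)


def ts_verify(key, client, ts, tag, server_clock, skew=SKEW_LIMIT):
    if not hmac.compare_digest(tag, mac(key, b"ts-auth", client, ts)):
        return False
    # Freshness is only as good as the agreement between the two clocks.
    return abs(int.from_bytes(ts, "big") - server_clock) <= skew


# ---- Nonce-based mutual authentication (no clocks involved) -------------
def a_start():
    return os.urandom(16)  # message 1: A -> B : A, N_a


def b_respond(key, b_name, n_a):
    n_b = os.urandom(16)  # message 2: B -> A : N_b, MAC(N_a, N_b, B)
    return n_b, mac(key, b"msg2", n_a, n_b, b_name)


def a_finish(key, a_name, b_name, n_a, n_b, tag_b):
    """Message 3: A -> B : MAC(N_a, N_b, A), or None if B's tag is bad."""
    if not hmac.compare_digest(tag_b, mac(key, b"msg2", n_a, n_b, b_name)):
        return None
    return mac(key, b"msg3", n_a, n_b, a_name)


def b_verify(key, a_name, n_a, n_b, tag_a):
    return hmac.compare_digest(tag_a, mac(key, b"msg3", n_a, n_b, a_name))


def run_timestamp(client_clock, server_clock):
    ts, tag = ts_authenticate(SHARED_KEY, b"A", client_clock)
    return ts_verify(SHARED_KEY, b"A", ts, tag, server_clock)


def run_nonce(client_clock, server_clock):
    # The clocks are accepted only to show that they play no role here.
    n_a = a_start()
    n_b, tag_b = b_respond(SHARED_KEY, b"B", n_a)
    tag_a = a_finish(SHARED_KEY, b"A", b"B", n_a, n_b, tag_b)
    return tag_a is not None and b_verify(SHARED_KEY, b"A", n_a, n_b, tag_a)


def replay_of_msg2_fails():
    """A recorded (N_b, tag_b) from an old run is rejected in a new run,
    because the tag is bound to that run's N_a."""
    old_n_a = a_start()
    old_n_b, old_tag_b = b_respond(SHARED_KEY, b"B", old_n_a)
    new_n_a = a_start()
    return a_finish(SHARED_KEY, b"A", b"B", new_n_a, old_n_b, old_tag_b) is None


def reflection_fails():
    """Reflecting B's own message-2 tag back as message 3 is rejected:
    the labels and the principal names differ."""
    n_a = a_start()
    n_b, tag_b = b_respond(SHARED_KEY, b"B", n_a)
    return not b_verify(SHARED_KEY, b"A", n_a, n_b, tag_b)


if __name__ == "__main__":
    now = 1_000_000
    print("timestamp, clocks in sync :", run_timestamp(now, now))
    print("timestamp, clocks 1h apart:", run_timestamp(now, now + 3600))
    print("nonce,     clocks 1h apart:", run_nonce(now, now + 3600))
```

The nonce exchange costs one extra round trip compared with presenting a timestamped authenticator, which is the trade the excerpt alludes to when it talks about flexibility for clients that cannot reach the authentication server directly; what it buys is that freshness no longer rests on every principal keeping its clock within a few minutes of every other.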