Secure Telnet

The following paper was originally published in the Proceedings of the Fifth USENIX UNIX Security Symposium Salt Lake City, Utah, June 1995.

STEL: Secure TELnet

David Vincenzetti, Stefano Taino, and Fabio Bolognesi Computer Emergency Resource Team Italy Department of Computer Science University of Milan, Italy

For more information about USENIX Association contact: 1. Phone: 510 528-8649 2. FAX: 510 548-5738 3. Email: [email protected] 4. WWW URL: http://www.usenix.org

STEL Secure TELnet

David Vincenzetti

Stefano Taino

Fabio Bolognesi

fvince k taino k b ologdsiunimiit

CERTIT

Computer Emergency Response Team ITaly

Department of Computer Science

University of Milan

ITALY

June

Abstract

Eavesdropping is b ecoming rampant on the Internet We as CERTIT have recorded a great

numb er of sning attacks in the Italian community In fact sning is the most p opular hackers

attack technique all over the Internet This pap er presents a secure telnet implementation whichhas

b een designed by the Italian CERT to makeeavesdropping ineective to remote terminal sessions

It is not to b e considered as a denitive solution but rather as a bandaid solution to deal with

one of the most serious security threats of the moment

Intro duction

STEL stands for Secure TELnet We started developing STEL at the University of Milan

when we realized that eavesdropping was a very serious problem and we did not like the freeware

solutions that were available at that time It was ab out three years ago Still as far as we know

e tapping problem and there are no really satisfying packages able to solve the line active and passiv

to b e simple enough to use and to maintain by the average system administrator In fact in our

honest opinion we b elieve that the actual securitypackages available on the Internet suer from at

least one of the following drawbacks

Not secure enough

The SRA package is an example It is based on Suns Secure RPC and makes use of the

Die Hellman key exchange algorithm to negotiate session keys However the mo dulus used

with DH is to o small it is only bits and the session key is only used to encrypt users

To o large and complicated to install

Ie Kerb eros Several version of kerb erized telnet exist But Kerb eros is large and you have

you set up a whole Kerb eros environment in order to make use of kerb erized telnet The p oint

is that Kerb eross paradigm is very dierent from STELs STEL in fact is intended as a

plug and play solution You just need stel and steld in order to p erform p ointtopoint

authenticated encryption

To o complex to use and maintain

STELs conguration system is very scalable STEL can p erform extensivechecks and supp ort

dierent authentication metho ds But suchchecks are not mandatory and the basic installation

is accomplished by just compiling the executables and running steld

Unable to cop e with a distributed environment

STEL is not a distributed system But is supp orts distributed SKey management so SKey

keys can b e centralized in a single p ointandnetwork accessed in a secure fashion

Sub ject to exp ort regulations so not suitable for users outside the USA

STEL has b een develop ed in Italy Italy is not sub ject to crypto regulations and exp ort restric

tions STEL uses encryption algorithms and functions that have b een develop ed or reinvented

outside the United States It uses in fact a lib des package develop ed in Australia an imple

mentation of the Swiss IDEA cipher an implementation of the Die Hellman key exchange

system whichwas develop ed in Italy and a collection of some other minor crypto routines

develop ed in Italy by the authors

Description

STEL is a simple package and it is intended to act as a secure surrogate replacement for

telnetd rlogind rcmd or rshd However STEL is not compatible with standard telnet system

STEL is able to provide secure communications b etween the client and the server and supp orts

dierent authentication metho ds in order to b e as simple exible and convenient as p ossibile

STEL has several advantages in resp ect to other systems

It is very simple to install use and maintain There are very few conguration les and two

executables only

All data transmissions any kind are sent encrypted with a random session key

There are three encryption algorithms available DES Triple DES and IDEA

The metho d uses the Die Hellman algorithm to exchange session keys and the DH mo dulus

is reasonably sized

Since Die Hellman is vulnerable to Man In The Middle attacks the system has b een

strenghtened with the Interlo ck proto col in order to makesuchanattack infeasible

The metho d is able to provide mutual authentication

The metho d is reasonably fast it adds ab out a couple of seconds to a connection on a Sparc

station I I class machine

Up on establishing a secure channel a variety of authentication metho ds are available standard

Unix passwords SKey and SecurID

Even standard Unix passwords b eing the communication channel encrypted provide a reason

able level of security in resp ect to telnet and rlogin

An optional SKey daemon is included in the package skeyd makes it p ossible to centralize

SKey passwords in order to administer passwords in a single p oint

It is p ossible to control logins bychecking IP address authentication typ e terminal name user

name as describ ed in

Optional automatic killing of IPOPTIONS

A builtin SKey calculator is included in the escap e b menu

As a feature SKey can makeuseofakeypad le to make dictionary attacks infeasible

Sources are freely available

Practical examples

STEL is client server based The client is named stel and it is intended to b e directly run

by users the server is named steld and can b e run as a standalone daemon by the sup eruser or b e

invoked by inetd

The purp ose of STEL is to provide the user a remote terminal session very similar to a telnet or

rlogin remote terminal session The dierence is of course that all the trac b etween client and

server is encrypted and that the resulting authentication is much stronger in resp ect to telnet or

rlogin

First let us have a lo ok at the usage

stel

dsiunimiit STEL Secure TELnet BETA bugs to stelauthorsideasec

stelcv vince Exp vince

Usage stel hostname l logname p portnum rimentvD commands

hostname the system you want to connect to

l logname the username on the remote system

p portnumber set port number default port is

r enter a random string to enhance randomness

use triple DES encryption default is single DES

i use IDEA encryption default is DES

m use bits modulus default is bits

e disable escape features b is enabled by default

n do not use data encryptionatall

t do not use pseudo terminals

v be verbose

D be extra verbose

In the following example the user connects with STEL to ideasecdsiunimiit as ro ot The authen

tication is p erformed using the SecurID system b eing ro ot a registered SecurID user on idea

stel ideasecdsiunimiit l root

Connected to ideasecdsiunimiit

This session is using DES encryption for all data transmissions

Escape character is b

SECURID authentication required

Enter PASSCODE for root

Passcode accepted

Welcome to idea

idea hostname

idea

idea date

Fri Feb MET

idea exit

Connection with ideasecdsiunimiit closed

So the user has STEL connected to ideasecdsiunimiit and heshe has authenticated hisherself

using SecurID All data transmission are DES optionally DES or IDEA encrypted with a session

key that is generated with the DH algorithm

When the user is authenticated heshe is provided with a very comprehensive set of environment

variables that are inherited from the client and all the terminal settings are inherited from the

clientaswell For instance since the DISPLAY LINES and COLUMNS environmentvariables are

inherited in the remote session it is p ossible to remotely execute commands like

stel bar xterm fn x bg black fg white

stel foo l root vi etcrc

stel somesite l joe ps aux tmpxx vi tmpxx

In the following example the user verb osely connects to ghost as vince and sp ecies bincsh as

the command to b e executed The authentication is p erformed using SKey

stel ghost l vince v bincsh

Connected to ghost on port

DiffieHellman modulo is bits secret exponent is bits

Exchanging keys with DH scheme can be a lengthy process

D Shared encryptionkey CAAACEA

This session is using DES encryption for all data transmissions

Escape character is b

SKEY authentication required

skey cr

Response DRUB BARB NOD RET COCO OUTS

SunOS Release U GENERIC Wed Oct PDT

ghost e hostname

ghost

ghost e exit

Connection with ghost closed

In the last example the user STEL connects to idea again and makes use of some features of the

escap e menu In particular heshe takes advantage of the builtin SKey calculator to lo cally and

thus safely generate the required SKey resp onse

stel idea

Connected to idea

This session is using DES encryption for all data transmissions

Escape character is b

SKEY authentication required

skey cr

Response

stel

Commands may be abbreviated Commands are

close close current connection

skey generate skey response

status display operating parameters

escape set escape character

shell escape

z suspend telnet

print help information

stel stat

Connected to idea

Connection time Fri Feb

Elapsed time hours minutes seconds

User keystrokes

Session output is bytes

Escape character is b

DES data encryption is on

stel skey

Reminder Do not use this while logged in via telnet or dialin

Enter seed cr

enter sequence number

enter secret password

use mjr DES mode n y

CORD AD FLY FEAR NAY ARAB

stel

CORD AD FLY FEAR NAY ARAB

Welcome to idea

idea date

Fri Feb MET

idea hostname

idea

idea idea exit

Connection with idea closed

The proto col

STEL is not compatible with the standard telnet system in fact it uses its own proto col

Formal details ab out STELs proto col will b e given in a forthcoming Internet Draft Informally

STELs insights can b e summarized in a numberofsteps

Key exchange

STEL uses the Die Hellman exp onential based metho d to determine a common DES or DES

IDEA key This completely eliminates the need of keyservers to store and manage user keys and

greatly simplies the overall system design

Initiallyclient and server whom we call X and Y b eing the system symmetric share a large prime

numb er P and a generator that is Then b oth parties cho ose a secret value S is chosen byX

and S is chosen by Y making the choice at random among the set of values in mo dulo P arithmetic

The length of the mo dulo can b e or bits Mo duli whose length is bits or in general

smaller than bits are not secure

S S

X Y

In the next stage X and Y form the exp onentials and resp ectively and they exchange the

S S

X Y

exp onentials A malicious hacker could intercept and by reading the network but due the

diculty of computing logarithms in nite elds heshe can not calculate the S S values

X Y

In the nal stage X and Y compute a further exp onential In the case of X the received value

is raised to the p ower is raised to the p ower S Asa S In the case of Y the received value

Y X

S S

Y X

S S S S

X Y X Y

thus consequence b oth partecipants now share the same secret that is

a session key is generated by digesting the shared value through MD

Mutual authentication

The basic DH metho d is very clever but it provides no authentication b etween the two parties

A malicious hacker Z using an active line tap could intercept and change all messages imp ersonating

XtoYandY toXXandYwould not realize that for example all messages sentbyX toY would

b e received by Z the Man In The Middle decrypted by Z using Xs session key encrypted again

using Ys session key and senttoYXandYwould share dierent session keys yet not realizing

that b ecause they have exchanged no information b efore key exchange

This is whywe added a further step to the proto col in order to make this attack ineective

If the user wishing to login on the remote system ownsalenamedstelsecret in hisher remote

home directory then the information contained in the le is exploited to p erform mutual authenti

cation b etween the parties This is the Interlo ck Proto col an idea by Shamir and Rivest describ ed

Let DH b e equal to Xs session key as generated by the Die Hellman key exchange system Let

DH b e equal to Ys session key Under normal conditions that is there is no Monkey In The

Middle DH should b e equal to DH

X Y

Let ST b e the secret shared by the parties by means of the contents of the estelsecret le

on the remote system This is a a priori secret it should have b een previously transmitted via a

trusted path ie byphysically accessing the remote system logging on at the console and directly

editing estelsecret

XandYnow construct authenticators A and A resp ectively Let A b e equal to E DH

X Y X ST X

that is Xs session key DES encrypted using ST as encryption key Similarlylet A b e equal to

DH that is Ys session key DES encrypted twice using ST as encryption key E

ST Y

In case Z is actively tapping the communication line the session keysusedby the parties are dierent

DH DH What is more Z do es not know ST The goal of this authentication step is in

X Y

fact to verify that the session keys are the same at b oth sides

A b e equal A and A are divided in two halves Let A b e equal to A followed by A and

Y X Y X X X

to A followed by A

Y Y

The exchangeisby alternating messages X sends its rst half A Y replies with A then X

X Y

sends A and Y sends A It is not p ossible for Z to translate A knowing only half of the

X Y X

cipher blo ck yet Y will not reply until heshe receives something so Z is forced to conco ct a value

A in order to receive A Ys reply cannot b e traslated by Z and passed on at the correct time

X Y

to X since Z only receives one half of A at a time After the exchange is complete X and Y can

decrypt the authenticators A and A resp ectively and nd out if they are really sharing the same

X Y

session key If not they are b eing imp ersonated byZ

It should b e noticed that A is single encrypted while A is double encrypted This is done on

X Y

purp ose to prevent a malicious hacker from tricking one side into encrypting others side exchange

What is more since X and Y share a common secret that is ST they can calculate all the halves in

advance and thus validate each single half as so on as it as arrives In case that Y for instance receives

an incorrect A value from X a random A half is generated and sent to X as a consequence

X Y

The Man In The Middle can not launcha chosen plaintext attack This metho d is supp osed to foil

the attacks exp osed in

Encryption

All data transmitted from the client to the server and vice versa is encrypted using the sp ecied

encryption algorithm The default algorithm is single DES since it is faster but triple DES and

IDEA are available as well

DES is used in CBC mo de when transmitting environmentvariables or exchanging large numb ers

in the DH scheme CFB mo de is used when making terminal IO b etween client and server A

random Initialization Variable is used and the source of randomness is optionallycombined with

a garbage random string which the user is required to typ e in

Environment settings

A pseudo terminal is usually allo cated by the server and attached to the remote pro cess it is

p ossible however to sp ecify that no pseudo terminal should b e used in the remote session a la rshd

Terminal settings are transmitted encrypted from clienttoserver so it is not usually needed to

stty parameters at all

Also the following environmentvariables are sent to the server in order to make the session as

friendly as p ossibile

TERM

DISPLAY

LINES

COLUMNS

WINDOWID

Prior to executing the users shell or eventually the commands sp ecied by the remote user the

server sets the following environmentvariables

LOGNAME

USER

USERNAME

SHELL

MAIL

User authentication

It has b een said already that there are three authentication metho ds available These metho ds

can b e listed according to their security in decreasing order

SecurID

SKey

Unix passwords

The rst metho d is very strong since SecurID cards are hardware one time password generators

SecurID cards basically contains a DES chip and a clo ck The clo ckissynchronized with the

computers clo ck and all the user should do to authenticate himherself is to read the password on the

LCD cards display and typeitinattheEnter PASSCODE prompt The card of course cannot b e

copied analyzed or tamp ered with This is probably the strongest p ointinfavour of SecurID cards

and similar authentication devices such as those marketed by Enigma Logic or Digital Pathways

It must b e said that despite STEL considers SecurID the preferred authentication metho d it is

So using understo o d that SecurID cards are not largely widespread in the Internet community

SecurID is not mandatory and SecurIDs supp ort co de can b e compiled out from STEL completely

SKey is a very p opular authentication system It is able to generate one time passwords based up on

a seed More details in SKey is vulnerable to dictionary attacks so STEL uses a mo dication

of the SKey system as prop osed byMJRanum SKey system is cheap and convenient yet

it is not as secure as SecurID since one time passwords when printed on pap er can b e stolen and

xerox copied

An optional SKey daemon has b een intro duced to administer all SKey passwords on a single

host We consider the abilitytocentralize SKey passwords as a ma jor feature in our SKey system

skeyd severely simplies SKey passwords management since passwords are stored in a single le

and thus the passwords synchronization problem is solved Data transmission b etween SKey clients

and the SKey server is DESCBC encrypted The encryption key is stored in etcskeydconf for

all the clients and the server this is an approach common to other security systems ie Kerb eross

kdb stash

Unix passwords are insecure and are used by STEL as the last resort authentication metho d

Conventional passwords can b e stolen by reading the network and are vulnerable to dictionary

cracking and replay attacks However STEL never sends Unix passwords unencrypted so sning

the network is useless even if Unix password authentication is used

The three metho ds are checked in order If the user is SecurID registered then SecurID authentica

tion is required Else if the user is SKey registered heshe is prompted with an SKey challenge

If the user is not SKey registered Unix passwords are used but b efore that username is checked

against a set of rules as dened in etcskeyaccess It is p ossible in fact to p ermit deny Unix

passwords using a wide range of criteria as describ ed in Finally when the user is authenticated

hisher username is checked against etcloginaccess to control login using similar criteria

STEL verb osely rep orts errors and login failures via syslog

Availability

STEL has already b een p orted to HPUX SunOS IRIX Solaris and Linux At present a

selected team of b eta testers is working on STEL by pro ceeding this waywe exp ect to makeSTEL

more secure reliable and bug free When the b eta testing pro cess is over STEL will b e made

available as

ftpftpdsiunimiitpubsecuritycertitsteltargz

Future directions

Our development eorts will b e fo cused on

Having a more comprehensive set of crypto algorithms and authentication metho ds

Making STEL optionally work at the session layer

Acknowledgements

The authors thank Giordano Pezzoli and Paul Leyland for very helpful comment on STELs

enema overall design and the security of some of STELs crypto co de Many thanks to Wietse V

Marcus J Ranum and H The Hobbit for granting us p ermission to use bytes of their excellentC

co de inside the STEL package

References

Security for Computer Networks DW Davies and L Price

The logdaemon package by Wietse Venema wietsewzvwintuenlavailable as ftp

ftpwintuenlsecuritylogdaemontargz

A mo dication of the SKey client program by Marcus J Ranum mjrtis com to make dic

tionary attacks infeasible Available as ftpftptiscom pubrewallsto olkitpatches skey

tarZ

Computation of Discrete Logarithms in Prime Fields Brian A La Macchia and Adrew M

Odlyzko available as ftpftpdsiunimiitpubsecurity cryptdo cseldps

An AttackontheInterlo ck Proto col When Used for Authentication Steven Bellovin Michael

Merrit

Secure RPC authentication SRA for TELNET and FTP D Saord D Hess D Schales

SessionLayer Encryption MBlaze SBellovin to app ear in the pro ceedings of the Fifth

USENIX Unix Security Symp osium