Security and
Security and
SecureICA Services
SecureICA Services
Jay Tomlin
Technical Support
February 2000
Class Overview
Cryptography Overview
Various technologies and
examples
SecureICA Services 1.22
Overview
Server and client installation
Configuring SecureICA Services
Web clients and ICA files
Cryptography Overview
Cryptography Technologies
Public/Private Key Cryptography
PGP
Diffie-Hellman key agreement algorithm
Symmetric Key (a.k.a. Secret Key)
Cryptography
SecureICA Services
Kerberos
Cryptography Overview
Public-key Cryptography
Each party maintains a pair of Keys, one public and one private
Messages encrypted with the public key can be decrypted using the private key
Dummies example: Inversion Public key: Multiply by x
Private key: Divide by x
I give you my public key; you use it to encrypt the messages you send me
Then only I can decrypt those messages, using my private key
Cryptography Overview
Secret-key Cryptography
Also called Symmetric-key cryptography
Each party shares a common secret key
Messages encrypted with the secret key can be decrypted using the same secret key
Dummies example: ROT-13
Shift all letters 13 characters to the right, wrapping from Z to A. CITRIX becomes PVGEVK; PVGEVK becomes CITRIX.
Security depends on communicating the secret key safely
Cryptography Overview
Diffie-Hellman Key Agreement
Algorithm
Outlined in a 1976 IEEE article, “New
Directions in Cryptography,” by Whitfield Diffie and Martin Hellman
Variation of public-key cryptography whose end result is a shared secret (symmetric) key
Cryptography Overview
Diffie-Hellman Algorithm
Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)
For every number N between 1 and P-1, there is a power k of G such that Gk = N mod P
Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga mod P
Bob’s public key Y is Gb mod P
Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k
Bob computes Gab = Xa mod P = k
Alice and Bob now both know the secret value k
Algorithm relies on the mathematical property that (Ga mod P)b mod P = Gab mod P
Cryptography Overview
Diffie-Hellman Algorithm
Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)
For every number N between 1 and P-1, there is a power k of G such that Gk = N mod P
Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga mod P 63 mod 13 = 8
Bob’s public key Y is Gb mod P 69 mod 13 = 5
Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k 53 mod 13 = 8
Bob computes Gab = Xb mod P = k 85 mod 13 = 8
Alice and Bob now both know the secret value k
Algorithm relies on the mathematical property that (Ga mod P)b mod P = Gab mod P
and (Gb mod P)a mod P = Gab mod P
Simple Example Let P = 13, G = 6,
a = 3, &
b = 9 Then: X = 8 & Y = 5
Cryptography Overview
RC5
Named after its inventor, Ron Rivest, RC is short for “Rivest Cipher” or “Ron’s Code”
RC5 is a “fast block cipher” symmetric key
algorithm which transforms a block of plain text into a block of encrypted text of the same length (think ROT-13)
This fixed length is called the block size (usually 64 bits)
The encryption is performed by a shared secret
key
Rounds denote the number of times each block is passed through the encryption algorithm
Cryptography Overview
Kerberos
Developed at MIT (“Project Athena”) especially for UNIX computer networks
A dedicated Kerberos server maintains a database of all users’ private, symmetric keys
The Kerberos server uses these keys to
authenticate users and generate “tickets” for client-server sessions
Ticket requests are encrypted using the user’s secret key; the Kerberos server decrypts the
request and sends an encrypted ticket back to the client
SecureICA Services
Currently two versions: Global (40-bit) and North American (40-, 56-, and 128-bit)
Performs end-to-end encryption of the ICA data stream
All ICA session traffic on TCP 1494 is encrypted (not ICA Browser traffic on UDP 1604)
Requires services installed at the Citrix server and a secure client
SecureICA Services
SecureICA uses the RC5 algorithm to encrypt ICA commands
A pair of RC5 keys are negotiated for each session using the Diffie-Hellman key agreement algorithm
One symmetric key encrypts client-to-server traffic, the other is for client-to- server-to-client traffic
SecureICA uses a 64-bit block size, 12 rounds, and a 40-, 56-, or 128-bit key size during the session
Authentication is always encrypted using a 128-bit key, regardless of version or
SecureICA DLL’s
The following DLL’s perform the
encryption for SecureICA Win32 clients and servers (found in system32):
No encryption: pdc0n.dll 40-bit encryption: pdc40n.dll 56-bit encryption: pdc56n.dll 128-bit encryption: pdc128n.dll
For Win16 clients, the filenames are
pdc0w.dll, pdc40w.dll, and so on
For DOS/DOS32 clients, the filenames are
pdc0.dd_, pdc40.dd_, etc.
Configuring SecureICA
Three places to configure Encryption preferences at the server:
1. At the listener or winstation 2. At the published application 3. Per user (Winframe only)
Per-user preferences not recommended in a mixed WinFrame/MetaFrame
environment
Client must at least support the server’s requirements in order to connect
ICA file syntax
[WFClient] Version=2
[ApplicationServers] Outlook=
[Outlook]
Address=Outlook
InitialProgram=#Outlook DesiredHRES=640
DesiredVRES=480 DesiredColor=2
TransportDriver=TCP/IP WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-40
[EncRC5-40]
DriverNameWin32=PDC40N.DLL DriverNameWin16=PDC40W.DLL
SecureICA Services 1.22
SecureICA 1.21 works on WinFrame 1.7, WinFrame 1.8, TSE/Metaframe 1.0 and TSE/Metaframe 1.8
SecureICA 1.22 will work on all of the above plus Metaframe 1.8 for Windows 2000
Scheduled release: March 1, 2000 via downloadable maintenance upgrade
Global version has long been slated to increase its strength from 40- to 56-bit, but changes in US export regulation will probably allow us to export 128-bit
encryption
Export Regulations
Bill Clinton signed a law on January 14, 2000 relaxing U.S. Export restrictions
SecureICA 1.22 should consist of a single version (pending review)
Customers who upgrade from Global 1.21 to 1.22 will have their license
automatically converted to a North American license
SecureICA license format:
Domestic (128-bit): CTX-0004-10D7-XXXX-XXXXXX
Global (40-bit): CTX-0004-10E7-XXXX-XXXXXX
Descriptions will be changed to read “128-bit Encryption” or “56-bit Encryption” instead of “North American” or “Global”