### Security and

### Security and

## SecureICA Services

## SecureICA Services

### Jay Tomlin

### Technical Support

### February 2000

### Class Overview

###

_{Cryptography Overview}

_{Cryptography Overview}

###

**Various technologies and **

**examples**

###

**SecureICA Services 1.22**

###

**Overview**

###

**Server and client installation**

###

**Configuring SecureICA Services**

###

**Web clients and ICA files**

*Cryptography Overview*

### Cryptography Technologies

###

**Public/Private Key Cryptography**

**PGP**

**Diffie-Hellman key agreement algorithm**

###

**Symmetric Key (a.k.a. Secret Key) **

**Cryptography**

**SecureICA Services**

###

**Kerberos**

*Cryptography Overview*

### Public-key Cryptography

**Each party maintains a pair of Keys, one **
**public and one private**

**Messages encrypted with the public key can **
**be decrypted using the private key**

**Dummies example: Inversion**
**Public key: Multiply by ****x**

**Private key: Divide by ****x **

**I give you my public key; you use it to **
**encrypt the messages you send me**

**Then only I can decrypt those messages, **
**using my private key**

*Cryptography Overview*

### Secret-key Cryptography

**Also called Symmetric-key cryptography**

**Each party shares a common secret key**

**Messages encrypted with the secret key **
**can be decrypted using the same secret **
**key**

**Dummies example: ROT-13**

**Shift all letters 13 characters to the right, **
**wrapping from Z to A. CITRIX becomes **
**PVGEVK; PVGEVK becomes CITRIX.**

**Security depends on communicating the **
**secret key safely**

*Cryptography Overview*

### Diffie-Hellman Key Agreement

### Algorithm

**Outlined in a 1976 IEEE article, “New **

**Directions in Cryptography,” by Whitfield **
**Diffie and Martin Hellman**

**Variation of public-key cryptography **
**whose end result is a shared secret **
**(symmetric) key**

*Cryptography Overview*

### Diffie-Hellman Algorithm

**Begin with a large prime P and any integer G such that G < **
**P (both P and G may be publicly known)**

**For every number N between 1 and P-1, there is a power ****k**** of **
**G such that G****k**_{ = N mod P}

**Alice generates a random private value ****a ****where ****a**** < P-2**
**Bob generates a random private value ****b ****where ****b**** < P-2**
**Alice’s public key X is G****a**_{ mod P}

**Bob’s public key Y is G****b**_{ mod P}

**Alice and Bob exchange public values X and Y**
**Alice computes G****ab**** = Y****a**** mod P = ****k**

**Bob computes G****ab**** = X****a**** mod P = ****k**

**Alice and Bob now both know the secret value ****k**

**Algorithm relies on the mathematical property that**
**(G****a**_{ mod P)}**b**_{ mod P = G}**ab**_{ mod P}

*Cryptography Overview*

### Diffie-Hellman Algorithm

**Begin with a large prime P and any integer G such that G < **
**P (both P and G may be publicly known)**

**For every number N between 1 and P-1, there is a power ****k**** of **
**G such that G****k**_{ = N mod P}

**Alice generates a random private value ****a ****where ****a**** < P-2**
**Bob generates a random private value ****b ****where ****b**** < P-2**
**Alice’s public key X is G****a**_{ mod P}_{6}**3**_{ mod 13 = 8}

**Bob’s public key Y is G****b**_{ mod P}_{6}**9**_{ mod 13 = 5}

**Alice and Bob exchange public values X and Y**
**Alice computes G****ab**** = Y****a**** mod P = ****k ****5****3**** mod 13 = 8**

**Bob computes G****ab**** = X****b**** mod P = ****k****8****5**** mod 13 = 8**

**Alice and Bob now both know the secret value ****k**

**Algorithm relies on the mathematical property that**
**(G****a**_{ mod P)}**b**_{ mod P = G}**ab**_{ mod P}

**and** **(G****b**_{ mod P)}**a**_{ mod P = G}**ab**_{ mod P}

**Simple **
**Example**
**Let**
**P = 13,**
**G = 6,**

**a**** = 3, &**

**b**** = 9**
**Then:**
**X = 8 &**
**Y = 5**

*Cryptography Overview*

### RC5

**Named after its inventor, Ron Rivest, RC is short **
**for “Rivest Cipher” or “Ron’s Code”**

**RC5 is a “fast block cipher” symmetric key **

**algorithm which transforms a block of plain text **
**into a block of encrypted text of the same length **
**(think ROT-13)**

**This fixed length is called the ****block size**** (usually **
**64 bits)**

**The encryption is performed by a shared secret **

**key**

**Rounds**** denote the number of times each block **
**is passed through the encryption algorithm**

*Cryptography Overview*

### Kerberos

**Developed at MIT (“Project Athena”) especially for **
**UNIX computer networks**

**A dedicated Kerberos server maintains a database **
**of all users’ private, symmetric keys**

**The Kerberos server uses these keys to **

**authenticate users and generate “tickets” for **
**client-server sessions**

**Ticket requests are encrypted using the user’s **
**secret key; the Kerberos server decrypts the **

**request and sends an encrypted ticket back to the **
**client**

### SecureICA Services

**Currently two versions: Global (40-bit) **
**and North American (40-, 56-, and 128-bit)**

**Performs end-to-end encryption of the **
**ICA data stream**

**All ICA session traffic on TCP 1494 is **
**encrypted (not ICA Browser traffic on **
**UDP 1604)**

**Requires services installed at the Citrix **
**server and a secure client **

### SecureICA Services

**SecureICA uses the RC5 algorithm to **
**encrypt ICA commands**

**A pair of RC5 keys are negotiated for **
**each session using the Diffie-Hellman **
**key agreement algorithm**

**One symmetric key encrypts **
**client-to-server traffic, the other is for client-to-**
**server-to-client traffic**

**SecureICA uses a 64-bit block size, 12 **
**rounds, and a 40-, 56-, or 128-bit key size **
**during the session**

**Authentication is always encrypted using **
**a 128-bit key, regardless of version or **

### SecureICA DLL’s

**The following DLL’s perform the **

**encryption for SecureICA Win32 clients **
**and servers (found in system32):**

**No encryption:** pdc0n.dll
**40-bit encryption:** pdc40n.dll
**56-bit encryption:** pdc56n.dll
**128-bit encryption:** pdc128n.dll

**For Win16 clients, the filenames are **

pdc0w.dll, pdc40w.dll**, and so on**

**For DOS/DOS32 clients, the filenames are **

pdc0.dd_**, **pdc40.dd_**, etc.**

### Configuring SecureICA

**Three places to configure Encryption **
**preferences at the server:**

**1. At the listener or winstation**
**2. At the published application**
**3. Per user (Winframe only)**

**Per-user preferences not recommended **
**in a mixed WinFrame/MetaFrame **

**environment**

**Client must at least support the server’s **
**requirements in order to connect**

**ICA file syntax**

[WFClient] Version=2

[ApplicationServers] Outlook=

[Outlook]

Address=Outlook

InitialProgram=#Outlook DesiredHRES=640

DesiredVRES=480 DesiredColor=2

TransportDriver=TCP/IP WinStationDriver=ICA 3.0

EncryptionLevelSession=EncRC5-40

[EncRC5-40]

DriverNameWin32=PDC40N.DLL DriverNameWin16=PDC40W.DLL

### SecureICA Services 1.22

**SecureICA 1.21 works on WinFrame 1.7, **
**WinFrame 1.8, TSE/Metaframe 1.0 and **
**TSE/Metaframe 1.8**

**SecureICA 1.22 will work on all of the **
**above plus Metaframe 1.8 for Windows **
**2000**

**Scheduled release: March 1, 2000 via **
**downloadable maintenance upgrade**

**Global version has long been slated to **
**increase its strength from 40- to 56-bit, **
**but changes in US export regulation will **
**probably allow us to export 128-bit **

**encryption**

### Export Regulations

**Bill Clinton signed a law on January 14, **
**2000 relaxing U.S. Export restrictions**

**SecureICA 1.22 should consist of a **
**single version (pending review)**

**Customers who upgrade from Global **
**1.21 to 1.22 will have their license **

**automatically converted to a North **
**American license**

**SecureICA license format:**

**Domestic (128-bit):** CTX-0004-**10D7**-XXXX-XXXXXX

**Global (40-bit): ** CTX-0004-**10E7**-XXXX-XXXXXX

**Descriptions will be changed to read “128-bit **
**Encryption” or “56-bit Encryption” instead of **
**“North American” or “Global”**