Public/Private Key Cryptography PGP Diffie-Hellman key agreement algorithm Symmetric Key (a.k.a. Secret Key) Cryptography SecureICA Services Kerberos UNIX, Windows 2000

(1)

SecureICA Services

(2)

(3)

Public/Private Key Cryptography

PGP

Diffie-Hellman key agreement algorithm

Cryptography

SecureICA Services

(4)

Public-key Cryptography

Each party maintains a pair of Keys, one public and one private

Messages encrypted with the public key can be decrypted using the private key

Dummies example: Inversion Public key: Multiply by x

Private key: Divide by x

I give you my public key; you use it to encrypt the messages you send me

Then only I can decrypt those messages, using my private key

(5)

Secret-key Cryptography

Also called Symmetric-key cryptography

Each party shares a common secret key

Messages encrypted with the secret key can be decrypted using the same secret key

Dummies example: ROT-13

Shift all letters 13 characters to the right, wrapping from Z to A. CITRIX becomes PVGEVK; PVGEVK becomes CITRIX.

Security depends on communicating the secret key safely

(6)

Algorithm

Outlined in a 1976 IEEE article, “New

Directions in Cryptography,” by Whitfield Diffie and Martin Hellman

Variation of public-key cryptography whose end result is a shared secret (symmetric) key

(7)

Diffie-Hellman Algorithm

Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)

For every number N between 1 and P-1, there is a power k of G such that Gk = N mod P

Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga mod P

Bob’s public key Y is Gb mod P

Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k

Bob computes Gab = Xa mod P = k

Alice and Bob now both know the secret value k

Algorithm relies on the mathematical property that (Ga mod P)b mod P = Gab mod P

(8)

Diffie-Hellman Algorithm

Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)

For every number N between 1 and P-1, there is a power k of G such that Gk = N mod P

Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga mod P 63 mod 13 = 8

Bob’s public key Y is Gb mod P 69 mod 13 = 5

Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k 53 mod 13 = 8

Bob computes Gab = Xb mod P = k 85 mod 13 = 8

Alice and Bob now both know the secret value k

Algorithm relies on the mathematical property that (Ga mod P)b mod P = Gab mod P

and (Gb mod P)a mod P = Gab mod P

Simple Example Let P = 13, G = 6,

a = 3, &

b = 9 Then: X = 8 & Y = 5

(9)

RC5

Named after its inventor, Ron Rivest, RC is short for “Rivest Cipher” or “Ron’s Code”

RC5 is a “fast block cipher” symmetric key

algorithm which transforms a block of plain text into a block of encrypted text of the same length (think ROT-13)

This fixed length is called the block size (usually 64 bits)

The encryption is performed by a shared secret

key

Rounds denote the number of times each block is passed through the encryption algorithm

(10)

Kerberos

Developed at MIT (“Project Athena”) especially for UNIX computer networks

A dedicated Kerberos server maintains a database of all users’ private, symmetric keys

The Kerberos server uses these keys to

authenticate users and generate “tickets” for client-server sessions

Ticket requests are encrypted using the user’s secret key; the Kerberos server decrypts the

request and sends an encrypted ticket back to the client

(11)

SecureICA Services

Currently two versions: Global (40-bit) and North American (40-, 56-, and 128-bit)

Performs end-to-end encryption of the ICA data stream

All ICA session traffic on TCP 1494 is encrypted (not ICA Browser traffic on UDP 1604)

Requires services installed at the Citrix server and a secure client

(12)

SecureICA Services

SecureICA uses the RC5 algorithm to encrypt ICA commands

A pair of RC5 keys are negotiated for each session using the Diffie-Hellman key agreement algorithm

One symmetric key encrypts client-to-server traffic, the other is for client-to- server-to-client traffic

SecureICA uses a 64-bit block size, 12 rounds, and a 40-, 56-, or 128-bit key size during the session

Authentication is always encrypted using a 128-bit key, regardless of version or

(13)

SecureICA DLL’s

The following DLL’s perform the

encryption for SecureICA Win32 clients and servers (found in system32):

No encryption: pdc0n.dll 40-bit encryption: pdc40n.dll 56-bit encryption: pdc56n.dll 128-bit encryption: pdc128n.dll

For Win16 clients, the filenames are

pdc0w.dll, pdc40w.dll, and so on

For DOS/DOS32 clients, the filenames are

pdc0.dd_, pdc40.dd_, etc.

(14)

Configuring SecureICA

Three places to configure Encryption preferences at the server:

1. At the listener or winstation 2. At the published application 3. Per user (Winframe only)

Per-user preferences not recommended in a mixed WinFrame/MetaFrame

environment

Client must at least support the server’s requirements in order to connect

(15)

ICA file syntax

[WFClient] Version=2

[ApplicationServers] Outlook=

[Outlook]

InitialProgram=#Outlook DesiredHRES=640

DesiredVRES=480 DesiredColor=2

TransportDriver=TCP/IP WinStationDriver=ICA 3.0

EncryptionLevelSession=EncRC5-40

[EncRC5-40]

DriverNameWin32=PDC40N.DLL DriverNameWin16=PDC40W.DLL

(16)

SecureICA Services 1.22

SecureICA 1.21 works on WinFrame 1.7, WinFrame 1.8, TSE/Metaframe 1.0 and TSE/Metaframe 1.8

SecureICA 1.22 will work on all of the above plus Metaframe 1.8 for Windows 2000

Global version has long been slated to increase its strength from 40- to 56-bit, but changes in US export regulation will probably allow us to export 128-bit

encryption

(17)

Export Regulations

Bill Clinton signed a law on January 14, 2000 relaxing U.S. Export restrictions

SecureICA 1.22 should consist of a single version (pending review)

Customers who upgrade from Global 1.21 to 1.22 will have their license

automatically converted to a North American license

Domestic (128-bit): CTX-0004-10D7-XXXX-XXXXXX

Global (40-bit): CTX-0004-10E7-XXXX-XXXXXX

Descriptions will be changed to read “128-bit Encryption” or “56-bit Encryption” instead of “North American” or “Global”

(18)

Updating...

Updating...