Public/Private Key Cryptography PGP Diffie-Hellman key agreement algorithm Symmetric Key (a.k.a. Secret Key) Cryptography SecureICA Services Kerberos UNIX, Windows 2000

(1)

Security and

SecureICA Services

Jay Tomlin

Technical Support

February 2000

(2)

Class Overview



Cryptography Overview



Various technologies and

examples



SecureICA Services 1.22



Overview



Server and client installation



Configuring SecureICA Services



Web clients and ICA files

(3)

Cryptography Overview

Cryptography Technologies



Public/Private Key Cryptography

PGP

Diffie-Hellman key agreement algorithm



Symmetric Key (a.k.a. Secret Key)

Cryptography

SecureICA Services



Kerberos

(4)

Cryptography Overview

Public-key Cryptography

Each party maintains a pair of Keys, one public and one private

Messages encrypted with the public key can be decrypted using the private key

Dummies example: Inversion Public key: Multiply by x

Private key: Divide by x

I give you my public key; you use it to encrypt the messages you send me

Then only I can decrypt those messages, using my private key

(5)

Cryptography Overview

Secret-key Cryptography

Also called Symmetric-key cryptography

Each party shares a common secret key

Messages encrypted with the secret key can be decrypted using the same secret key

Dummies example: ROT-13

Shift all letters 13 characters to the right, wrapping from Z to A. CITRIX becomes PVGEVK; PVGEVK becomes CITRIX.

Security depends on communicating the secret key safely

(6)

Cryptography Overview

Diffie-Hellman Key Agreement

Algorithm

Outlined in a 1976 IEEE article, “New

Directions in Cryptography,” by Whitfield Diffie and Martin Hellman

Variation of public-key cryptography whose end result is a shared secret (symmetric) key

(7)

Cryptography Overview

Diffie-Hellman Algorithm

Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)

For every number N between 1 and P-1, there is a power k of G such that Gk_{= N mod P}

Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga_{mod P}

Bob’s public key Y is Gb_{mod P}

Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k

Bob computes Gab = Xa mod P = k

Alice and Bob now both know the secret value k

Algorithm relies on the mathematical property that (Ga_{mod P)}b_{mod P = G}ab_{mod P}

(8)

Cryptography Overview

Diffie-Hellman Algorithm

Begin with a large prime P and any integer G such that G < P (both P and G may be publicly known)

For every number N between 1 and P-1, there is a power k of G such that Gk_{= N mod P}

Alice generates a random private value a where a < P-2 Bob generates a random private value b where b < P-2 Alice’s public key X is Ga_{mod P} ₆3_{mod 13 = 8}

Bob’s public key Y is Gb_{mod P} ₆9_{mod 13 = 5}

Alice and Bob exchange public values X and Y Alice computes Gab = Ya mod P = k 53 mod 13 = 8

Bob computes Gab = Xb mod P = k 85 mod 13 = 8

Alice and Bob now both know the secret value k

Algorithm relies on the mathematical property that (Ga_{mod P)}b_{mod P = G}ab_{mod P}

and (Gb_{mod P)}a_{mod P = G}ab_{mod P}

Simple Example Let P = 13, G = 6,

a = 3, &

b = 9 Then: X = 8 & Y = 5

(9)

Cryptography Overview

RC5

 Named after its inventor, Ron Rivest, RC is short for “Rivest Cipher” or “Ron’s Code”

 RC5 is a “fast block cipher” symmetric key

algorithm which transforms a block of plain text into a block of encrypted text of the same length (think ROT-13)

 This fixed length is called the block size (usually 64 bits)

 The encryption is performed by a shared secret

key

 Rounds denote the number of times each block is passed through the encryption algorithm

(10)

Cryptography Overview

Kerberos

 Developed at MIT (“Project Athena”) especially for UNIX computer networks

 A dedicated Kerberos server maintains a database of all users’ private, symmetric keys

 The Kerberos server uses these keys to

authenticate users and generate “tickets” for client-server sessions

 Ticket requests are encrypted using the user’s secret key; the Kerberos server decrypts the

request and sends an encrypted ticket back to the client

(11)

SecureICA Services

Currently two versions: Global (40-bit) and North American (40-, 56-, and 128-bit)

Performs end-to-end encryption of the ICA data stream

All ICA session traffic on TCP 1494 is encrypted (not ICA Browser traffic on UDP 1604)

Requires services installed at the Citrix server and a secure client

(12)

SecureICA Services

SecureICA uses the RC5 algorithm to encrypt ICA commands

A pair of RC5 keys are negotiated for each session using the Diffie-Hellman key agreement algorithm

One symmetric key encrypts client-to-server traffic, the other is for client-to- server-to-client traffic

SecureICA uses a 64-bit block size, 12 rounds, and a 40-, 56-, or 128-bit key size during the session

Authentication is always encrypted using a 128-bit key, regardless of version or

(13)

SecureICA DLL’s

The following DLL’s perform the

encryption for SecureICA Win32 clients and servers (found in system32):

No encryption: pdc0n.dll 40-bit encryption: pdc40n.dll 56-bit encryption: pdc56n.dll 128-bit encryption: pdc128n.dll

For Win16 clients, the filenames are

pdc0w.dll, pdc40w.dll, and so on

For DOS/DOS32 clients, the filenames are

pdc0.dd_, pdc40.dd_, etc.

(14)

Configuring SecureICA

 Three places to configure Encryption preferences at the server:

1. At the listener or winstation 2. At the published application 3. Per user (Winframe only)

 Per-user preferences not recommended in a mixed WinFrame/MetaFrame

environment

 Client must at least support the server’s requirements in order to connect

(15)

ICA file syntax

[WFClient] Version=2

[ApplicationServers] Outlook=

[Outlook]

Address=Outlook

InitialProgram=#Outlook DesiredHRES=640

DesiredVRES=480 DesiredColor=2

TransportDriver=TCP/IP WinStationDriver=ICA 3.0

EncryptionLevelSession=EncRC5-40

[EncRC5-40]

DriverNameWin32=PDC40N.DLL DriverNameWin16=PDC40W.DLL

(16)

SecureICA Services 1.22

 SecureICA 1.21 works on WinFrame 1.7, WinFrame 1.8, TSE/Metaframe 1.0 and TSE/Metaframe 1.8

 SecureICA 1.22 will work on all of the above plus Metaframe 1.8 for Windows 2000

 Scheduled release: March 1, 2000 via downloadable maintenance upgrade

 Global version has long been slated to increase its strength from 40- to 56-bit, but changes in US export regulation will probably allow us to export 128-bit

encryption

(17)

Export Regulations

 Bill Clinton signed a law on January 14, 2000 relaxing U.S. Export restrictions

 SecureICA 1.22 should consist of a single version (pending review)

 Customers who upgrade from Global 1.21 to 1.22 will have their license

automatically converted to a North American license

 SecureICA license format:

Domestic (128-bit): CTX-0004-10D7-XXXX-XXXXXX

Global (40-bit): CTX-0004-10E7-XXXX-XXXXXX

 Descriptions will be changed to read “128-bit Encryption” or “56-bit Encryption” instead of “North American” or “Global”

(18)