Newsgroups: comp.protocols.tcp-ip
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: Secure access over TCP/IP networks.
Message-ID: <1989Apr17.211659.5483@utzoo.uucp>
Organization: U of Toronto Zoology
References: <4814@ditmela.oz>
Date: Mon, 17 Apr 89 21:16:59 GMT

In article <4814@ditmela.oz> smart@ditmela.oz.au (Robert Smart) writes:
>The first thing a Secure-TELNET daemon does when it receives a 
>connection is send a random number (say 4 bytes) to the client.

Why?  Since this number is sent over the network and is visible to any
snoopers, it adds nothing to security.

>The client has to know the servers "magic number". It combines
>that magic number with the random number to obtain two random
>number sequences. The server does the same. From then on each
>byte in the TCP stream is XORed with the low order byte of the 
>appropriate random number sequence...
>I think this would have a low overhead and be very hard for
>someone watching the data stream to decrypt...

It depends entirely on how good your random-number-sequence generator
is.  If it's, say, the one from your local C library, you have very
little security, because methods of breaking such things are widely
known.  If it's of crypto quality, okay -- but where are you going
to get one like that?  What you've invented is the supporting
substructure of a cryptosystem -- a secret key known to both ends
and XOR-based combination with the plaintext.  What you haven't done
is to specify the crucial part:  how a short key gets turned into a
very long sequence of very random-looking bits.  The standard sorts
of random-number generators used in computing are ridiculous toys
by cryptographic standards.
-- 
Welcome to Mars!  Your         |     Henry Spencer at U of Toronto Zoology
passport and visa, comrade?    | uunet!attcan!utzoo!henry henry@zoo.toronto.edu