Learn about cryptography technologies, including Public/Private Key and Symmetric Key, and understand SecureICA Services, such as Kerberos and Diffie-Hellman Algorithm. Overview of SecureICA Services installation and configuration.
Security and SecureICA Services
Jay Tomlin, Technical Support, February 2000
Now everything computes
Security Concepts and SecureICA Services: Class Overview
• Cryptography Overview
  • Various technologies and examples
• SecureICA Services 1.22
  • Overview
  • Server and client installation
  • Configuring SecureICA Services
  • Web clients and ICA files
Cryptography Overview: Cryptography Technologies
• Public/Private Key Cryptography
  • PGP
  • Diffie-Hellman key agreement algorithm
• Symmetric Key (a.k.a. Secret Key) Cryptography
  • SecureICA Services
• Kerberos
  • UNIX, Windows 2000
Cryptography Overview: Public-key Cryptography
• Each party maintains a pair of keys, one public and one private
• Messages encrypted with the public key can be decrypted using the private key
• Dummies example: inversion
    Public key: multiply by x
    Private key: divide by x
• I give you my public key; you use it to encrypt the messages you send me
• Then only I can decrypt those messages, using my private key
• Example: PGP (“Pretty Good Privacy”), included with the e-mail software Eudora
Cryptography Overview: Secret-key Cryptography
• Also called symmetric-key cryptography
• Each party shares a common secret key
• Messages encrypted with the secret key can be decrypted using the same secret key
• Dummies example: ROT-13
    Shift all letters 13 characters to the right, wrapping from Z to A.
    CITRIX becomes PVGEVK; PVGEVK becomes CITRIX.
• Security depends on communicating the secret key safely
• Example: RC5, SecureICA Services
Cryptography Overview: Diffie-Hellman Key Agreement Algorithm
• Outlined in a 1976 IEEE article, “New Directions in Cryptography,” by Whitfield Diffie and Martin Hellman
• Variation of public-key cryptography whose end result is a shared secret (symmetric) key
• Allows two users to create a shared secret key without the need to communicate the key to one another
Cryptography Overview: Diffie-Hellman Algorithm
• Begin with a large prime $P$ and any integer $G$ such that $G < P$ (both $P$ and $G$ may be publicly known)
• For every number $N$ between 1 and $P-1$, there is a power $k$ of $G$ such that $G^k \equiv N \pmod{P}$
• Alice generates a random private value $a$ where $a < P-2$
• Bob generates a random private value $b$ where $b < P-2$
• Alice’s public key $X$ is $G^a \bmod P$
• Bob’s public key $Y$ is $G^b \bmod P$
• Alice and Bob exchange public values $X$ and $Y$
• Alice computes $G^{ab} = Y^a \bmod P = k$
• Bob computes $G^{ab} = X^b \bmod P = k$
• Alice and Bob now both know the secret value $k$
• The algorithm relies on the mathematical property that $(G^a \bmod P)^b \bmod P = G^{ab} \bmod P$ and $(G^b \bmod P)^a \bmod P = G^{ab} \bmod P$
Cryptography Overview: Diffie-Hellman Algorithm, Simple Example
Let $P = 13$, $G = 6$, $a = 3$, and $b = 9$. Then $X = 8$ and $Y = 5$; secret $k = 8$.
• Begin with a large prime $P$ and any integer $G$ such that $G < P$ (both $P$ and $G$ may be publicly known)
• For every number $N$ between 1 and $P-1$, there is a power $k$ of $G$ such that $G^k \equiv N \pmod{P}$
• Alice generates a random private value $a$ where $a < P-2$
• Bob generates a random private value $b$ where $b < P-2$
• Alice’s public key $X$ is $G^a \bmod P$: $6^3 \bmod 13 = 8$
• Bob’s public key $Y$ is $G^b \bmod P$: $6^9 \bmod 13 = 5$
• Alice and Bob exchange public values $X$ and $Y$
• Alice computes $G^{ab} = Y^a \bmod P = k$: $5^3 \bmod 13 = 8$
• Bob computes $G^{ab} = X^b \bmod P = k$: $8^9 \bmod 13 = 8$
• Alice and Bob now both know the secret value $k$
• The algorithm relies on the mathematical property that $(G^a \bmod P)^b \bmod P = G^{ab} \bmod P$ and $(G^b \bmod P)^a \bmod P = G^{ab} \bmod P$
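The two Diffie-Hellman slides above, carried out in code. This is an added example, not code from the slide deck or from Citrix; it uses the slide's toy parameters (P = 13, G = 6, a = 3, b = 9), checks the slide's precondition that every value between 1 and P-1 is some power of G (true for G = 6, false for G = 3 modulo 13), and includes a brute-force exponent search to show why the slide insists on a large prime: with P = 13 a private value is recovered from its public value in a dozen multiplications. Function names are my own.

```python
# Added example (not Citrix or slide-deck code): the Diffie-Hellman exchange
# from the slides, using the slide's toy parameters P = 13, G = 6, a = 3, b = 9.
# pow(base, exp, mod) performs the modular exponentiation.
from secrets import randbelow


def is_generator(G: int, P: int) -> bool:
    """Check the slide's precondition: every N in 1..P-1 is some power G^k mod P.

    True exactly when G generates the whole multiplicative group modulo the prime P.
    """
    seen = set()
    x = 1
    for _ in range(P - 1):
        x = (x * G) % P
        seen.add(x)
    return len(seen) == P - 1


def discrete_log_by_search(G: int, P: int, target: int):
    """Recover k with G^k mod P == target by trying every exponent in turn.

    Feasible only because P is tiny; with a large prime this search is what
    stands between an observer and the private values behind X and Y.
    """
    x = 1
    for k in range(1, P):
        x = (x * G) % P
        if x == target:
            return k
    return None


def public_value(G: int, P: int, private: int) -> int:
    """G^private mod P: the value each party sends in the clear."""
    return pow(G, private, P)


def shared_secret(peer_public: int, private: int, P: int) -> int:
    """peer_public^private mod P: the secret each party derives locally."""
    return pow(peer_public, private, P)


def worked_example():
    """The slide's numbers: returns (X, Y, Alice's k, Bob's k)."""
    P, G, a, b = 13, 6, 3, 9
    X = public_value(G, P, a)          # 6^3 mod 13
    Y = public_value(G, P, b)          # 6^9 mod 13
    k_alice = shared_secret(Y, a, P)   # Y^a mod 13
    k_bob = shared_secret(X, b, P)     # X^b mod 13
    return X, Y, k_alice, k_bob


def random_exchange(P: int, G: int) -> bool:
    """One exchange with fresh random private values in 1..P-3 (the slide's a, b < P-2);
    returns whether both sides derived the same secret."""
    a = 1 + randbelow(P - 3)
    b = 1 + randbelow(P - 3)
    X, Y = public_value(G, P, a), public_value(G, P, b)
    return shared_secret(Y, a, P) == shared_secret(X, b, P)


if __name__ == "__main__":
    print("X, Y, k_alice, k_bob =", worked_example())
    print("6 generates Z_13*:", is_generator(6, 13), "  3 generates Z_13*:", is_generator(3, 13))
    print("exponent behind X=8:", discrete_log_by_search(6, 13, 8))
```

The generator check matters in practice: with G = 3 the powers cycle through only 3, 9, 1, so the shared secret would take one of three values regardless of how the private exponents were chosen.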
Cryptography Overview: RC5
• Named after its inventor, Ron Rivest; RC is short for “Rivest Cipher” or “Ron’s Code”
• RC5 is a “fast block cipher” symmetric-key algorithm which transforms a block of plain text into a block of encrypted text of the same length (think ROT-13)
• This fixed length is called the block size (usually 64 bits)
• The encryption is performed with a shared secret key
• Rounds denote the number of times each block is passed through the encryption algorithm
• RC5 allows variable block sizes, key lengths, and numbers of rounds
Cryptography Overview: Kerberos
• Developed at MIT (“Project Athena”), especially for UNIX computer networks
• A dedicated Kerberos server maintains a database of all users’ private, symmetric keys
• The Kerberos server uses these keys to authenticate users and generate “tickets” for client-server sessions
• Ticket requests are encrypted using the user’s secret key; the Kerberos server decrypts the request and sends an encrypted ticket back to the client
• In Windows 2000, at least one Domain Controller will act as the Key Distribution Center (KDC)
Citrix SecureICA Services: SecureICA Services
• Currently two versions: Global (40-bit) and North American (40-, 56-, and 128-bit)
• Performs end-to-end encryption of the ICA data stream
• All ICA session traffic on TCP 1494 is encrypted (not ICA Browser traffic on UDP 1604)
• Requires services installed at the Citrix server and a secure client
Citrix SecureICA Services: SecureICA Services
• SecureICA uses the RC5 algorithm to encrypt ICA commands
• A pair of RC5 keys is negotiated for each session using the Diffie-Hellman key agreement algorithm
• One symmetric key encrypts client-to-server traffic; the other is for server-to-client traffic
• SecureICA uses a 64-bit block size, 12 rounds, and a 40-, 56-, or 128-bit key size during the session
• Authentication is always encrypted using a 128-bit key, regardless of version or session key length
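A minimal RC5 to go with the RC5 slide and the SecureICA parameters just listed (64-bit block, 12 rounds, 40-, 56- or 128-bit key). This is an added example written from the published RC5 definition; it is not Citrix code and makes no claim about how SecureICA drives the cipher (key exchange, per-direction keys and mode of operation are outside it). It is parameterised as RC5-w/r/b with w = 32, so the block is two 32-bit words; the 5-, 7- and 16-byte keys in the demo correspond to the three key sizes on the slides. The sample plaintext and keys are constructed for the demo.

```python
# Added example (not Citrix or slide-deck code): RC5-32/r/b in pure Python.
# w = 32 gives the 64-bit block SecureICA uses; rounds and key length are
# the variable parameters the RC5 slide describes. Encrypts one block only.
import struct

W = 32                      # word size in bits; the block is 2*W = 64 bits
MASK = (1 << W) - 1
P32 = 0xB7E15163            # RC5 key-schedule constants for w = 32
Q32 = 0x9E3779B9


def rotl(x: int, y: int) -> int:
    y %= W                  # RC5 rotates by the low log2(w) bits of y
    return ((x << y) | (x >> (W - y))) & MASK


def rotr(x: int, y: int) -> int:
    y %= W
    return ((x >> y) | (x << (W - y))) & MASK


def expand_key(key: bytes, rounds: int) -> list:
    """RC5 key schedule: a b-byte secret key becomes t = 2*(rounds+1) round words."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):          # pack key bytes little-endian into words
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]  # key-independent seed
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):                  # mix the key words into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def encrypt_block(S: list, rounds: int, A: int, B: int):
    """Encrypt one block given as two W-bit words; output has the same length."""
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, rounds + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B


def decrypt_block(S: list, rounds: int, A: int, B: int):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    for i in range(rounds, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    B = (B - S[1]) & MASK
    A = (A - S[0]) & MASK
    return A, B


def encrypt_bytes(key: bytes, rounds: int, block: bytes) -> bytes:
    """8 bytes in, 8 bytes out: ciphertext is the same length as the plaintext."""
    S = expand_key(key, rounds)
    A, B = struct.unpack("<2I", block)
    return struct.pack("<2I", *encrypt_block(S, rounds, A, B))


def decrypt_bytes(key: bytes, rounds: int, block: bytes) -> bytes:
    S = expand_key(key, rounds)
    A, B = struct.unpack("<2I", block)
    return struct.pack("<2I", *decrypt_block(S, rounds, A, B))


if __name__ == "__main__":
    # Constructed demo keys: 5, 7 and 16 bytes = 40-, 56- and 128-bit key sizes.
    for key in (b"\x01\x02\x03\x04\x05", b"\x01\x02\x03\x04\x05\x06\x07", b"\x00" * 16):
        ct = encrypt_bytes(key, 12, b"CITRIX!!")
        print(len(key) * 8, "bit key ->", ct.hex(), "->", decrypt_bytes(key, 12, ct))
```

Because this is the raw block function, identical plaintext blocks under the same key give identical ciphertext blocks; the rounds and key size on the slide set the cipher's strength, but confidentiality of a long stream also depends on the mode of operation wrapped around it.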
Citrix SecureICA Services: SecureICA DLLs
• The following DLLs perform the encryption for SecureICA Win32 clients and servers (found in system32):
    No encryption: pdc0n.dll
    40-bit encryption: pdc40n.dll
    56-bit encryption: pdc56n.dll
    128-bit encryption: pdc128n.dll
• For Win16 clients, the filenames are pdc0w.dll, pdc40w.dll, and so on
• For DOS/DOS32 clients, the filenames are pdc0.dd_, pdc40.dd_, etc.
• No Macintosh, UNIX, or Java clients yet
Citrix SecureICA Services: Configuring SecureICA
• Three places to configure encryption preferences at the server:
  • At the listener or winstation
  • At the published application
  • Per user (WinFrame only)
• Per-user preferences are not recommended in a mixed WinFrame/MetaFrame environment
• The client must at least support the server’s requirements in order to connect
• It is also possible to filter farm applications by encryption level (i.e., 40-bit clients won’t see 128-bit apps in their app set)
Citrix SecureICA Services: ICA file syntax
    [WFClient]
    Version=2
    [ApplicationServers]
    Outlook=
    [Outlook]
    Address=Outlook
    InitialProgram=#Outlook
    DesiredHRES=640
    DesiredVRES=480
    DesiredColor=2
    TransportDriver=TCP/IP
    WinStationDriver=ICA 3.0
    EncryptionLevelSession=EncRC5-40
    [EncRC5-40]
    DriverNameWin32=PDC40N.DLL
    DriverNameWin16=PDC40W.DLL
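An ICA file is INI-formatted, so the encryption settings from the last three slides (the DLL per key size, the rule that a client must meet the server's requirement, and the EncryptionLevelSession key) can be checked with a few lines of Python. This is an added example, not a Citrix tool: it parses the slide's sample file, embedded here as constructed input, resolves each published application's session encryption level and driver DLL, and flags anything below a minimum key size. Only EncRC5-40 appears on the slides; the other level names in the table are assumed by analogy with the pdc0n/pdc56n/pdc128n DLL names.

```python
# Added example (not Citrix code): audit the session encryption level in ICA files.
import configparser

# Constructed sample: the ICA file shown on the slide, with line breaks restored.
SAMPLE_ICA = """[WFClient]
Version=2

[ApplicationServers]
Outlook=

[Outlook]
Address=Outlook
InitialProgram=#Outlook
DesiredHRES=640
DesiredVRES=480
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-40

[EncRC5-40]
DriverNameWin32=PDC40N.DLL
DriverNameWin16=PDC40W.DLL
"""

# Key size implied by each EncryptionLevelSession value. EncRC5-40 is on the
# slide; EncRC5-0/56/128 are assumed names matching the pdc0n/pdc56n/pdc128n DLLs.
LEVEL_BITS = {"EncRC5-0": 0, "EncRC5-40": 40, "EncRC5-56": 56, "EncRC5-128": 128}


def parse_ica(text: str) -> configparser.ConfigParser:
    """ICA files are INI-style; keep option names in their original case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_ica(text: str, minimum_bits: int = 128) -> list:
    """One finding per application listed under [ApplicationServers].

    A missing EncryptionLevelSession is treated as no encryption (EncRC5-0),
    the conservative reading for an audit.
    """
    cp = parse_ica(text)
    findings = []
    for app in cp["ApplicationServers"]:
        section = cp[app] if cp.has_section(app) else {}
        level = section.get("EncryptionLevelSession", "EncRC5-0")
        bits = LEVEL_BITS.get(level)            # None for a level this table does not know
        driver = cp[level].get("DriverNameWin32") if cp.has_section(level) else None
        findings.append({
            "app": app,
            "address": section.get("Address"),
            "level": level,
            "bits": bits,
            "driver": driver,
            "compliant": bits is not None and bits >= minimum_bits,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ica(SAMPLE_ICA, minimum_bits=128):
        status = "OK " if f["compliant"] else "LOW"
        print(f"{status} {f['app']:<10} {f['level']:<11} {f['bits']}-bit via {f['driver']}")
```

Run against a directory of ICA files handed out to users, this reports which published applications still request a 40-bit session key; an unknown level name is flagged as non-compliant rather than silently accepted.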
Citrix SecureICA Services: SecureICA Services 1.22
• SecureICA 1.21 works on WinFrame 1.7, WinFrame 1.8, TSE/MetaFrame 1.0 and TSE/MetaFrame 1.8
• SecureICA 1.22 will work on all of the above plus MetaFrame 1.8 for Windows 2000
• Scheduled release: March 1, 2000, via downloadable maintenance upgrade
• The Global version has long been slated to increase its strength from 40- to 56-bit, but changes in US export regulation will probably allow us to export 128-bit encryption
Citrix SecureICA Services: Export Regulations
• Bill Clinton signed a law on January 14, 2000 relaxing U.S. export restrictions
• SecureICA 1.22 should consist of a single version (pending review)
• Customers who upgrade from Global 1.21 to 1.22 will have their license automatically converted to a North American license
• SecureICA license format:
    Domestic (128-bit): CTX-0004-10D7-XXXX-XXXXXX
    Global (40-bit): CTX-0004-10E7-XXXX-XXXXXX
• Descriptions will be changed to read “128-bit Encryption” or “56-bit Encryption” instead of “North American” or “Global”