> "Jeffrey Altman" <[EMAIL PROTECTED]> wrote in message news:9umtg9$lej$[EMAIL PROTECTED]...
>
> However, the Telnet Encryption option regardless of the key strength
> does not provide integrity protection and so it should no longer
> be used. Instead, STARTTLS should be used to negotiate a TLS
> cipher to protect the session and run Telnet over that with an
> optional Kerberos 5 authentication to verify the TLS session.
> (Kerberos 5 could also be used as the key exchange method in the
> TLS negotiation.)
In order to solve the integrity problem, we have implemented the following variant, where the negotiations are identical to DES_CFB64 except for the type. Encrypted data is sent as follows:

  4 byte length of the GSS Wrapped message
  GSS Wrapped message

If the receiver is expecting encrypted data then it reads 4 bytes, and then reads the number of bytes specified by the previous 4 bytes and UNWRAPS using the GSS calls.

Salil
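The framing Salil describes (a 4-byte length followed by one GSS-wrapped message, with the receiver reading exactly that many bytes and unwrapping) is shown below as an added example; it is not code from the thread or from any Telnet implementation. It assumes the length is sent in network byte order, assumes an upper bound (MAX_FRAME) on a single wrapped message so a bogus length cannot force a huge allocation, and replaces the real GSS_Wrap/GSS_Unwrap calls with a constructed HMAC-SHA256 stand-in that provides only the integrity check that DES_CFB64 lacked (a real GSS_Wrap with the confidentiality flag also encrypts the payload).

```python
import hashlib
import hmac
import io
import struct

MAC_LEN = 32               # HMAC-SHA256 tag length of the stand-in wrap
MAX_FRAME = 64 * 1024      # assumed bound on one wrapped message (not from the thread)


def gss_wrap(session_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for GSS_Wrap: append an HMAC so the receiver can detect tampering."""
    tag = hmac.new(session_key, plaintext, hashlib.sha256).digest()
    return plaintext + tag


def gss_unwrap(session_key: bytes, token: bytes) -> bytes:
    """Stand-in for GSS_Unwrap: verify the HMAC and return the original payload."""
    if len(token) < MAC_LEN:
        raise ValueError("wrapped token too short")
    body, tag = token[:-MAC_LEN], token[-MAC_LEN:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return body


def send_encrypted(session_key: bytes, plaintext: bytes) -> bytes:
    """Sender side: 4-byte big-endian length, then the wrapped message."""
    token = gss_wrap(session_key, plaintext)
    return struct.pack("!I", len(token)) + token


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes; a stream may return short reads, so loop."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("connection closed mid-frame")
        buf += chunk
    return buf


def recv_encrypted(session_key: bytes, stream) -> bytes:
    """Receiver side: read 4 bytes, then that many bytes, then unwrap."""
    (length,) = struct.unpack("!I", read_exact(stream, 4))
    if length > MAX_FRAME:
        raise ValueError("frame length exceeds limit")
    token = read_exact(stream, length)
    return gss_unwrap(session_key, token)


def demo() -> tuple:
    """Round-trip one frame, then show a modified frame is rejected."""
    key = b"constructed-session-key"          # constructed sample key
    frame = send_encrypted(key, b"login: salil")
    roundtrip_ok = recv_encrypted(key, io.BytesIO(frame)) == b"login: salil"

    # Flip one byte of the payload; the length prefix is left intact so the
    # framing still parses and only the unwrap step catches the change.
    tampered = bytearray(frame)
    tampered[4] ^= 0x01
    try:
        recv_encrypted(key, io.BytesIO(bytes(tampered)))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return roundtrip_ok, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the length prefix is that the receiver never has to guess where a wrapped token ends, and the point of the unwrap is that any modification in transit surfaces as an error before the bytes reach the Telnet layer; bounding the length before allocating is the one check a reader adding this framing should not skip.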