PPP.KEYS(MST

ppp.Keys - PPP encryption keys file format

RESTRICTIONS

Encryption is not available in software exported from the USA, and therefore not available for international licenses.

The keys file named in the gw-crypt option on the pppd command line contains key values used by MST PPP 's implementation of link-level encryption . Before transmission, packets with source and destination address es matching the endpoints on a keys file line are encrypted using DES with the key specified on that keys file line. Upon reception, packets with source and destination addresses matching those on a keys file line are decrypted using DES with the key specified on that keys file line.

FORMAT

Each key specification is on its own single line of up to 1023 characters. Comments in the keys file begin with a#' and extend to the end of the line; blank lines, or lines beginning with a `# ', are ignored. Fields are separated by horizontal white space (blanks or tabs).

The first two words on a key line are compared with the source and destination addresses of each packet to be transmitted and each received packet. The endpoint address specifications may contain either host or network names, or host or network addresses. If a network is specified, either by name or by address, then the corresponding network mask must also be specified if it is of a different size than the default for that class of network. The mask is separated from the network name or address by a slash (/),and may be specified either as a series of decimal numbers separated by periods, or as a single 32-bit hexadecimal number, optionally with a C-style `0x ' prefix.

The remainder of the key line is a 56 bit (14 digit) hexadecimal number (without the C-style `0x' prefix), used as the DES key between the specified pair of hosts or networks. The digits may be separated by horizontal white space for readability. If the key contains fewer or more than 14 hexadecimal digits, the line is ignored. If the key is weak or semi-weak, a warning message will be printed in the log file and the specified key will be used for encryption anyway.

EXAMPLE

The following keys file provides pppd with keys for use when encrypting or decrypting traffic between the indicated pairs of hosts or networks:

# # Keys - PPP encryption keys file # # Format:

#endpoint endpoint key frobozz.foo.com glitznorf.baz.edu feed face 00d aa 147.225.0.0 38.145.211.0/0xffffffc0 b1ff a c001 d00d 1 128.49.16.0/0xffffff00 198.137.240.100 0123456789abcd 193.124.250.136 143.231.1.0/0xffffff00 e1c3870e1c3870

RECOMMENDATIONS

Avoid using weak or semi-weak keys . These are weak DES keys:

00000000000000 FFFFFFFFFFFFFF 1E3C78F1E3C78F E1C3870E1C3870

These are semi-weak DES keys :

01FC07F01FC07F FE03F80FE03F80 1FC07F00FE03F8 E03F80FF01FC07 01C007001E0078 E003800F003C00 1FFC7FF0FFC3FF FE3FF8FFE1FF87 003C00F001C007 1E007800E00380 E1FF87FF1FFC7F FFC3FF0FFE3FF8

SECURITY CONCERNS

The keys file should be mode 600 or 400, and owned by root .

Packets' IP headers are not encrypted, though their TCP , UDP, or ICMP headers are encrypted along with the user data portion. This allows encrypted packets to traverse normal internetworks, but permits snoopers to analyze traffic by its endpoints.

Since the TCP , UDP, or ICMP header is encrypted, protocol-based filters along the packet 's path will be unable to discern whether it is SMTP , Telnet, or any other network service. This means that encrypted traffic will only permeate packet-filtering firewalls if the firewall allows all traffic between the endpoints, regardless of traffic type. MST PPP /SLIP software for UNIX systems, when deployed as the endpoint gateways of the encrypted traffic, decrypt incoming encrypted traffic before applying their configured packet filtering rules.

PPP.KEYS(MST_PPP)

NAME

RESTRICTIONS

DESCRIPTION

FORMAT

EXAMPLE

RECOMMENDATIONS

SECURITY CONCERNS

SEE ALSO

COPYRIGHT INFORMATION