Encryption using KEA and SKIPJACK
RFC 2773 Encryption using KEA and SKIPJACK February 2000
FTP Security Extensions [1] provides:
* user authentication -- augmenting the normal password mechanism;
* server authentication -- normally done in conjunction with user authentication;
* session parameter negotiation -- in particular, encryption keys and attributes;
* command connection protection -- integrity, confidentiality, or both;
* data transfer protection -- same as for command connection protection.
In order to support the above security services, the two FTP entities
negotiate a mechanism. This process is open-ended and completes when
both entities agree on an acceptable mechanism or when the initiating
party (always the client) is unable to suggest an agreeable
mechanism. Once the entities agree upon a mechanism, they may
commence authentication and/or parameter negotiation.
Authentication and parameter negotiation occur within an unbounded
series of exchanges. At the completion of the exchanges, the
entities will be authenticated (unilaterally or mutually) and
may, additionally, be ready to protect FTP commands and data.
Following the exchanges, the entities negotiate the size of the
buffers they will use in protecting the commands and data that
follow. This process is accomplished in two steps: the client offers
a suggested buffer size and the server may either refuse it, counter
it, or accept it.
At this point, the entities may issue protected commands within the
bounds of the parameters negotiated through the security exchanges.
Protected commands are issued by applying the protection services
required to the normal commands and Base64 encoding the results. The
encoded results are sent as the data field within an ENC (integrity
and confidentiality) command. Base64 is an encoding for mapping
binary data onto a textual character set that is able to pass through
most 7-bit systems without loss. The server sends back responses in
new result codes which allow the identical protections and Base64
encoding to be applied to the results. Protection of the data
transfers can be specified via the PROT command which supports the
Housley, et al. Experimental
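The buffer-size step and the ENC framing described above, as an added example that is not part of the RFC: the client offers a buffer size, the server accepts or counters it, and each command or reply is protected, Base64-encoded and checked against the negotiated bound. The protection transform here is an assumed stand-in (an HMAC-SHA256 tag, integrity only), since the page does not give the KEA/SKIPJACK details; the 632 reply code is the RFC 2228 "confidentiality and integrity protected reply" that pairs with ENC.

```python
import base64
import hashlib
import hmac

TAG_LEN = 32
ENC_CMD = b"ENC"    # integrity + confidentiality protected command
ENC_REPLY = b"632"  # RFC 2228: "confidentiality and integrity protected reply"

# Stand-in for the negotiated protection service (assumption): an
# HMAC-SHA256 tag prepended to the text. The real KEA/SKIPJACK mechanism
# would also encrypt; this placeholder provides integrity only.
def protect(key: bytes, text: bytes) -> bytes:
    return hmac.new(key, text, hashlib.sha256).digest() + text

def unprotect(key: bytes, blob: bytes) -> bytes:
    tag, text = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, text, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return text

def negotiate_pbsz(offered: int, server_max: int) -> int:
    """Server side of the buffer-size step: accept the client's offer,
    counter with the server's own maximum, or refuse a non-positive one."""
    if offered <= 0:
        raise ValueError("refused: buffer size must be positive")
    return min(offered, server_max)

def wrap(prefix: bytes, key: bytes, text: str, bufsize: int) -> bytes:
    """Apply protection to a command (prefix ENC) or reply (prefix 632),
    Base64-encode it for 7-bit paths, and enforce the negotiated buffer bound."""
    protected = protect(key, text.encode("ascii"))
    if len(protected) > bufsize:
        raise ValueError("protected text exceeds negotiated buffer size")
    line = prefix + b" " + base64.b64encode(protected) + b"\r\n"
    assert all(b < 0x80 for b in line)  # Base64 output is 7-bit clean
    return line

def unwrap(prefix: bytes, key: bytes, line: bytes) -> str:
    """Reverse of wrap(): check the prefix, Base64-decode, verify, return text."""
    if not line.startswith(prefix + b" "):
        raise ValueError("unexpected prefix")
    encoded = line[len(prefix) + 1:].rstrip(b"\r\n")
    return unprotect(key, base64.b64decode(encoded, validate=True)).decode("ascii")

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; not a negotiated key
    bufsize = negotiate_pbsz(4096, 1024)   # client offers 4096, server counters
    enc = wrap(ENC_CMD, key, "USER alice", bufsize)
    print(enc, unwrap(ENC_CMD, key, enc))
```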