RFC 2773 (rfc2773) - Page 2 of 9


Encryption using KEA and SKIPJACK






RFC 2773           Encryption using KEA and SKIPJACK      February 2000


   FTP Security Extensions [1] provides:

      *  user authentication -- augmenting the normal password
         mechanism;

      *  server authentication -- normally done in conjunction with user
         authentication;

      *  session parameter negotiation -- in particular, encryption keys
         and attributes;

      *  command connection protection -- integrity, confidentiality, or
         both;

      *  data transfer protection -- same as for command connection
         protection.

   In order to support the above security services, the two FTP entities
   negotiate a mechanism.  This process is open-ended and completes when
   both entities agree on an acceptable mechanism or when the initiating
   party (always the client) is unable to suggest an agreeable
   mechanism.  Once the entities agree upon a mechanism, they may
   commence authentication and/or parameter negotiation.

   Authentication and parameter negotiation occur within an unbounded
   series of exchanges.  At the completion of the exchanges, the
   entities will be authenticated (unilaterally or mutually), and
   may, additionally, be ready to protect FTP commands and data.

   Following the exchanges, the entities negotiate the size of the
   buffers they will use in protecting the commands and data that
   follow.  This process is accomplished in two steps: the client offers
   a suggested buffer size and the server may either refuse it, counter
   it, or accept it.

   At this point, the entities may issue protected commands within the
   bounds of the parameters negotiated through the security exchanges.
   Protected commands are issued by applying the protection services
   required to the normal commands and Base64 encoding the results. The
   encoded results are sent as the data field within an ENC (integrity
   and confidentiality) command.  Base64 is an encoding for mapping
   binary data onto a textual character set that is able to pass through
   most 7-bit systems without loss.  The server sends back responses in
   new result codes which allow the identical protections and Base64
   encoding to be applied to the results.  Protection of the data
   transfers can be specified via the PROT command which supports the





Housley, et al.               Experimental
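
   The buffer size negotiation and ENC framing described on this page,
   as an added example that is not part of the RFC text.  The function
   names are hypothetical, the sample bytes are a constructed stand-in
   for the output of the protection service, and treating the negotiated
   buffer size as the upper bound on a protected command is this
   example's assumption.

```python
import base64

class ProtocolError(ValueError):
    """A protected command line that must be rejected."""

def negotiate_buffer_size(client_offer: int, server_max: int) -> int:
    """Server's answer to the client's offer: refuse, counter, or accept."""
    if client_offer <= 0:
        raise ProtocolError("refused: buffer size must be positive")
    return min(client_offer, server_max)  # counter with server_max, else accept

def encode_enc(protected: bytes, buffer_size: int) -> str:
    """Base64 encode already-protected bytes as the data field of ENC."""
    if len(protected) > buffer_size:
        raise ProtocolError("protected command exceeds negotiated buffer")
    return "ENC " + base64.b64encode(protected).decode("ascii")

def decode_enc(line: str, buffer_size: int) -> bytes:
    """Validate one received ENC line and return the protected bytes."""
    verb, _, field = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "ENC" or not field:
        raise ProtocolError("not an ENC command")
    # Bound the text length first so oversized input is rejected before decoding.
    if len(field) > 4 * ((buffer_size + 2) // 3):
        raise ProtocolError("data field exceeds negotiated buffer")
    try:
        blob = base64.b64decode(field, validate=True)  # strict alphabet and padding
    except ValueError as exc:
        raise ProtocolError("data field is not valid Base64") from exc
    if len(blob) > buffer_size:
        raise ProtocolError("decoded command exceeds negotiated buffer")
    return blob  # still protected; integrity and decryption checks come next

if __name__ == "__main__":
    size = negotiate_buffer_size(32768, 4096)  # server counters with 4096
    sample = bytes(range(48))  # constructed stand-in for protection output
    line = encode_enc(sample, size)
    print(line)
    assert decode_enc(line + "\r\n", size) == sample
```

   Rejecting a malformed or oversized data field before it reaches the
   protection service keeps untrusted input away from the cryptographic
   code path.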