Index of /thouis/vnc

diffs from vnc-3.3.2r2_unixsrc are in vnc-encrypt.diff.gz.  if you
applied a previous version of these patches, you should probably
re-apply them from that base.  i apologize for the inconvenience, but
the public/private key changes were larger than i expected.
----------------------------------------

VNC has been changed to use public key methods for verification and to
communicate session keys.  the RC4 stream cipher is used to encrypt data
transferred between server and client.

cryptographic functions are from the (very nice) SSLeay library.

~/.vnc/passwd has been changed to be an RSA public/private key pair of
1024 bits length (though this could be made an option).  the private
key is encrypted using IDEA, with a secret passphrase.  the server
encrypts session keys with the public key, and the client decodes the
session keys to establish encrypted communication.  the keyfile is in
PEM (ASN1?) format, since SSLeay deals with files in that form with a
minimum of hassle.

the keyfile is sent to the client at connect, rather than requiring it
to be copied around by the user.

the auth protocol now looks like this:

server                                client

length of keyfile           -->

keyfile                     -->       reads passphrase and unencrypts
                                      private key 

length of encrypted key 1   -->

session key 1,              -->       reads and decodes key 1 with
encrypted with public key             private key

length of encrypted key 2   -->

session key 2,              -->       reads and decodes key 2 with
encrypted with public key             private key

E1(CHALLENGE)               -->       decodes with key 1

decodes with key 2,         <--       E2(CHALLENGE)
checks for match

all further exchanges are encrypted.

CHALLENGE is 16 random bytes
the session keys are also 16 random bytes.
the passphrase is no longer limited to 8 characters.

some caveats:

code assumes SSLeay is installed in /usr/local/ssl/...

the PEM/ASN1 code in SSL works on FILE*s, so the client writes the
private key to a temporary file and reads it back out.

old password files are no longer even remotely compatible.

data passed to WriteCipher gets clobbered by encryption in place.
some changes have been made to copy data before sending it to
WriteCipher for this reason.

there's no backwards compatibility with older versions of
vncviewer/server.  logic to provide the old protocol should probably
be added.

the various ciphers should be selectable by the client or server,
rather than being set values.

it is reasonably likely that i haven't shaken all the bugs out of this
code, yet.  please let me know if you have problems.  if anyone needs
info about the changes i've made, feel free to mail me.

ray jones
rjones@pobox.com


  Name                Last modified     Size  Description              

  Parent directory
  README              13-Aug-98 23:10     3K 
  vnc-encrypt.diff.gz 13-Aug-98 23:07    10K 

2 files