Network Working Group                    Internet Engineering Task Force
Internet-Draft                                   Telnet Working Group
                                                       D. Borman, Editor
                                                     Cray Research, Inc.
                                                              April 1990


                     TTeellnneett DDaattaa EEnnccrryyppttiioonn OOppttiioonn

Status of this Memo

 This draft document will be submitted to the RFC editor as a protocol
specification.  Distribution of this memo is unlimited.  Please send
comments to Dave Borman


1.  Command Names and Codes

   ENCRYPT        TBA
       START            0
       END              1
       SUPPORT          2
       REQUEST-START    3
       REQUEST-END      4

       ANY              0

2.  Command Meanings

   IAC WILL ENCRYPT

      The sender of this command is willing to send encrypted data.

   IAC WONT ENCRYPT

      The sender of this command refuses to send encrypted data.

   IAC DO ENCRYPT

      The sender of this command is willing to receive encrypted data.

   IAC DONT ENCRYPT

      The sender of this command refuses to accept encrypted data.

   IAC SB ENCRYPT START encryption-type IAC SE




Telnet Working Group                                            [Page 1]

Internet-Draft            Telnet Data Encryption Option            April 1990


      The sender of this command is stating that at this point in the
      data stream, all following data will be encrypted via the
      "encryption-type" method of data encryption.  An "encryption-type"
      value of ANY must not be used.  The current types of encryption
      are listed in the current version of the Assigned Numbers docu-
      ment[1].

   IAC SB ENCRYPT END IAC SE

      The sender of this command is stating that at this point in the
      data stream, all following data will no longer be encrypted.

   IAC SB ENCRYPT SUPPORT encryption-type-list IAC SE

      The sender of this command is stating what types of encryption it
      will support.

   IAC SB ENCRYPT REQUEST-START encryption-type IAC SE

      The sender of this command requests that the remote side begin en-
      cryption of the telnet data stream.  The "encryption-type" value
      is a request for a specific type of encryption.  If no specific
      type is needed, a value of ANY should be used.

   IAC SB ENCRYPT REQUEST-END IAC SE

      The sender of this command requests that the remote side stop en-
      cryption of the telnet data stream.


3.  Default Specification

   The default specification for this option is

      WONT ENCRYPT
      DONT ENCRYPT

   meaning there will not be any encryption of the Telnet data stream.

4.  Motivation

   The Telnet protocol has no form of protection from some intervening
   gateway looking at IP packets as they travel through the network.
   This is especially dangerous when passwords are sent as clear text
   over the network.  This option provides a method for encrypting part
   or all of the data stream.

   An entire session could be encrypted, but many times the user doesn't
   care that much about most of the data, and would rather not have to
   pay the price of encrypting and decrypting all the data.  In this
   situation, usually all that needs to be protected is when the user is
   typing a password.  When the ENCRYPT option is used in conjunction
   with the LINEMODE option, a very simple heuristic can be used to
   identify many instances when passwords are being typed, and
   automatically encrypt the data stream for the duration of the
   password.  If the client has the LINEMODE option enabled, and the
   current mode is EDIT, but the client is DO ECHO, then it can safely
   assume that something is being typed that is not appearing on the
   screen, and should be encrypted.

   The front end telnet should have commands to allow the user to turn
   on and off encryption in both directions of the data stream.

5.  Implementation Rules

   TELNET options are never encrypted.  The sender of data must encrypt
   the data before the insertion of any TELNET options, and the receiver
   of encrypted data must remove any TELNET options before un-encrypting
   the data.

   WILL and DO are used only at the beginning of the connection to ob-
   tain and grant permission for future negotiations.  If encryption is
   needed in both directions, then the ENCRYPT option must be negotiated
   in both directions.

   Once the two hosts have exchanged a WILL and a DO, the sender of the
   DO ENCRYPT must send an ENCRYPT SUPPORT command to let the remote side
   know what types of encryption it is willing to accept.  In the
   request, a list of supported encryption schemes is sent.  Only the
   sender of the DO may send a list of supported encryption types (IAC
   SB ENCRYPT SUPPORT encryption-type-list IAC SE).  Only the sender of
   the WILL may actually transmit encrypted data.  This is initiated via
   the "IAC SB ENCRYPT START encryption-type IAC SE" command, and
   terminated via the "IAC SB ENCRYPT END IAC SE" command.  If a START is
   received, and then a second START is received before receiving an
   END, the second START is assumed to terminate the first START
   command, and then begin a (possibly) new method of encryption.

   If the sender of the DO would like the remote side to begin sending
   encrypted data, it can send the "IAC SB ENCRYPT REQUEST-START
   encryption-type IAC SE" command.  The "encryption-type" may contain a
   specific type of encryption that is requested, or it may contain ANY
   if no specific type of encryption is preferred.  If the sender of the
   DO would like the remote side to stop sending encrypted data, it can
   send the "IAC SB ENCRYPT REQUEST-END IAC SE" command.

   The current list of encryption types is given in the current Assigned
   Numbers RFC [1].

   If the receiver of the SUPPORT command does not support any of the
   encryption types listed in the SUPPORT command, it should send an IAC
   WONT ENCRYPT command to turn off the ENCRYPT option.

   If the receiver of a REQUEST-START receives an encryption type that
   is not supported, it may choose to use any other type of encryption
   that was received in the initial SUPPORT command.

   The encryption types may be ordered to indicate a preference among
   them, the first type being the most preferred, and the last type the
   least preferred.

   Only the user data is encrypted.  Telnet options and commands are in-
   serted into the data stream after the user data has been encrypted,
   and removed from the data stream before the data is de-crypted.

   If this option is used in conjunction with the LINEMODE [2] option,
   then when the client side has EDIT mode on, and is DO ECHO, it can
   assume that a password has been requested, and automatically start
   encrypting the data stream until either a WONT ECHO has been re-
   ceived, or the EDIT mode has been turned off.

   If the LINEMODE option is not being used, then the server side should
   send a REQUEST-START when the server side terminal driver has echo
   disabled and line editing enabled, and send a REQUEST-END when the
   terminal driver has either echo re-enabled, or line editing disabled.

   If the ENCRYPT option has been enabled, and encrypted data is being
   received, the receipt of an "IAC WONT ENCRYPT" implies the receipt of
   an "IAC SB ENCRYPT END IAC SE", i.e., the Telnet data stream is no
   longer encrypted.

   The following is an example of use of the option:

       _H_o_s_t_1                            _H_o_s_t_2
       IAC DO ENCRYPT
                                        IAC WILL ENCRYPT
       IAC SB ENCRYPT SUPPORT 1 2 3 IAC
       SE
       [ Host2 is now free to send encrypted data ]
       IAC SB ENCRYPT REQUEST-START 1
       IAC SE
                                        IAC SB ENCRYPT START 2 IAC SE
       [ Host2 did not support encryption type 1, so it chose type 2.
         All data from Host2 to Host1 is now encrypted.  ]
                                        IAC SB ENCRYPT START 3 IAC SE
       [ Host2 has now stopped using encryption type 2, and is now using
         encryption type 3.  ]
                                        IAC SB ENCRYPT END IAC SE
       [ All data from Host2 to Host1 is now in clear text again.  ]
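   The following Python is an added model of the section 5 rules (example
   code, not from the draft or any implementation), replayed over the
   Host1/Host2 exchange above.  Commands are symbolic tuples rather than
   wire bytes.  It encodes who may send what (only the DO side sends
   SUPPORT and REQUEST-START/END, only the WILL side sends START/END), the
   WONT fallback when the type lists do not overlap, the fallback to the
   peer's preference order when a requested type is unsupported, a second
   START replacing the first, WONT ENCRYPT implying END, and the section 4
   LINEMODE password heuristic.  The class and function names are the
   example's own.

```python
# Example code, not from the draft.
ANY = 0


class DoSide:
    """Host that sent DO ENCRYPT: receives encrypted data, announces its
    SUPPORT list, and may ask the peer to start or stop."""

    def __init__(self, supported):
        self.supported = list(supported)   # preference order, most preferred first
        self.option_on = False
        self.active_type = None            # type the peer is currently sending with

    def on_will(self):
        # Only the sender of DO may send the SUPPORT list.
        self.option_on = True
        return ("SUPPORT", tuple(self.supported))

    def request_start(self, enc_type=ANY):
        return ("REQUEST-START", enc_type)

    def request_end(self):
        return ("REQUEST-END",)

    def on_command(self, cmd):
        kind = cmd[0]
        if kind == "START":
            # A second START before an END terminates the first START and
            # begins a (possibly) new method of encryption.
            self.active_type = cmd[1]
        elif kind == "END":
            self.active_type = None
        elif kind == "WONT":
            # WONT ENCRYPT while encrypted data is arriving implies END.
            self.active_type = None
            self.option_on = False


class WillSide:
    """Host that sent WILL ENCRYPT: the only side that may transmit
    encrypted data, bracketed by START and END."""

    def __init__(self, supported):
        self.supported = set(supported)
        self.peer_supports = []
        self.sending_type = None

    def on_command(self, cmd):
        kind = cmd[0]
        if kind == "SUPPORT":
            self.peer_supports = list(cmd[1])
            if not any(t in self.supported for t in self.peer_supports):
                return ("WONT",)           # nothing in common: turn the option off
            return None
        if kind == "REQUEST-START":
            return self.start(cmd[1])
        if kind == "REQUEST-END":
            return self.end()
        return None

    def choose_type(self, requested):
        if requested != ANY and requested in self.supported \
                and requested in self.peer_supports:
            return requested
        # ANY or an unsupported type: take the peer's most preferred type
        # that this side also supports.
        for t in self.peer_supports:
            if t in self.supported:
                return t
        return None

    def start(self, enc_type=ANY):
        chosen = self.choose_type(enc_type)
        if chosen is None:
            return None
        self.sending_type = chosen
        return ("START", chosen)

    def end(self):
        self.sending_type = None
        return ("END",)


def client_should_encrypt(linemode_edit, do_echo):
    """Section 4 heuristic: LINEMODE EDIT on and DO ECHO means the user is
    typing something that is not appearing on the screen."""
    return bool(linemode_edit and do_echo)


def replay_example():
    """Walk the Host1/Host2 exchange and return (trace, Host1's final type)."""
    host1, host2 = DoSide([1, 2, 3]), WillSide({2, 3})
    trace = []
    support = host1.on_will()                 # WILL/DO already exchanged
    trace.append(("Host1", support))
    host2.on_command(support)
    req = host1.request_start(1)
    trace.append(("Host1", req))
    reply = host2.on_command(req)             # type 1 unsupported, picks 2
    trace.append(("Host2", reply))
    host1.on_command(reply)
    reply = host2.start(3)                    # switch types without an END
    trace.append(("Host2", reply))
    host1.on_command(reply)
    reply = host2.end()
    trace.append(("Host2", reply))
    host1.on_command(reply)
    return trace, host1.active_type
```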

   It is expected that any implementation that supports the Telnet EN-
   CRYPT option will support all of this specification.

6.  References


   [1] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 993, ISI,
       November 1986.
   [2] Internet Engineering Task Force, "Telnet Linemode Option", RFC
       1116, D. Borman, Editor, Cray Research, Inc., August 1989.

Author's Address

   David A. Borman, Editor
   Cray Research, Inc.
   1440 Northland Drive
   Mendota Heights, MN 55120

   Phone: (612) 681-3398

   Mailing List: telnet-ietf@CRAY.COM
   EMail: dab@CRAY.COM
