[AG-TECH] Encryption of Access Grid 2.x Sessions

Allan Spale aspale at evl.uic.edu
Thu Jan 29 16:56:42 CST 2004


Bob,

I was talking with Obana-son of NTT concerning a conference that EVL and
some other Japanese institutions will be participating in, and he
expressed an interest in using AG 2.x to have the encrypted AG session
(i.e. key-based/non-default encryption where some keys must be exchanged).
I would like to know whether it is possible to reserve an AG 2 room that
would provide this capability.  If this is not possible, how difficult
would it be to set up a venue server that could provide these capabilities
and what additional software would be needed to do this (such as the
different things you describe below)?

Currently we are running vic and rat using the -K command line argument to
specify an encryption key.

Thanks for your help.


Allan

On Wed, 21 Jan 2004, Robert Olson wrote:

> At 10:03 AM 1/21/2004, Allan Spale wrote:
> >Thanks for the information and your prompt reply.  Do you know which of
> >the ANL virtual venues are encrypted?  Also, are ANL institutional rooms
> >encrypted and would each institution have control over that?
> 
> In the ag1 venue server, only the rooms named "Secure Room" and "Secure2" 
> have encryption enabled (well, the Encryption Test Room does too but it 
> doesn't have access control turned on); they are available for reservation.
> 
> In an ag2 venue server, I believe that encryption is on by default; I don't 
> recall the key-changing policy offhand. You will want to ensure the 
> encryption keys there are of the form Rijndael/<key> in order to ensure 
> that AES/Rijndael encryption is used in the tools, and that they have been 
> freshly generated.
> 
> Essential for the security you're looking for is the proper configuration 
> of access control to the encrypted venues; without that everyone is just 
> given the keys upon entry.
> 
> You need to also make sure of physical security on the computers involved, 
> as well as restriction of remote access to them (if one had access to a 
> media capture machine, there may be windows of time where the key was 
> visible in a temp file; if one had root access on a capture machine one 
> could likely find the key in memory).
> 
> --bob 
> 
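As an added example (not code from this thread or from the Access Grid software), a small Python audit of the points Bob raises: venue keys should be in the Rijndael/<key> form and freshly generated, and an encrypted venue without access control hands its key to anyone who enters. The 32-hex-digit key body, the venue dictionary layout and the room names are assumptions for illustration.

```python
import re
import secrets

# Assumption (not stated in the thread): the <key> part is a 128-bit key
# written as 32 hex digits, i.e. one AES/Rijndael-128 key.
KEY_PREFIX = "Rijndael/"
KEY_HEX_LEN = 32


def generate_venue_key() -> str:
    """Return a freshly generated key in the Rijndael/<key> form."""
    return KEY_PREFIX + secrets.token_hex(KEY_HEX_LEN // 2)


def check_venue_key(key: str, seen_keys=()) -> list:
    """Return a list of problems with a venue key string (empty means OK):
    wrong prefix, malformed body, or a key reused from another venue."""
    problems = []
    if not key.startswith(KEY_PREFIX):
        problems.append("key is not of the form Rijndael/<key>")
        return problems
    body = key[len(KEY_PREFIX):]
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_LEN, body):
        problems.append("key body is not %d hex digits" % KEY_HEX_LEN)
    if key in seen_keys:
        problems.append("key reused from another venue; generate a fresh one")
    return problems


def audit_venues(venues: dict) -> dict:
    """venues maps room name -> {"key": str, "access_control": bool}.
    Returns room name -> list of problems, only for rooms needing attention."""
    report = {}
    seen = set()
    for name, cfg in venues.items():
        key = cfg.get("key", "")
        problems = check_venue_key(key, seen)
        seen.add(key)
        if not cfg.get("access_control", False):
            problems.append("encrypted venue without access control: "
                            "everyone is given the key on entry")
        if problems:
            report[name] = problems
    return report


# Constructed sample venue table (hypothetical rooms and keys).
SAMPLE_KEY = KEY_PREFIX + "0123456789abcdef0123456789abcdef"
SAMPLE_VENUES = {
    "Room A": {"key": SAMPLE_KEY, "access_control": True},
    "Room B": {"key": SAMPLE_KEY, "access_control": False},  # reused key, open
    "Room C": {"key": "DES/abc123", "access_control": True},  # wrong cipher form
}
```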
