This is Version 1.0 of ESM, the Encrypted Session Manager.
* The author of this software is Matt Blaze.
* Copyright (c) 1995 by AT&T.
* Permission to use, copy, and modify this software without fee
* is hereby granted, provided that this entire notice is included in
* all copies of any software which is or includes a copy or
* modification of this software and in all copies of the supporting
* documentation for such software.
*
* This software is subject to United States export controls.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
* OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
ESM is an encrypted session layer for managing remote encrypted
sessions. It does 1024 bit DH key exchange (from RSAREF)
and 3-des in 8bit cfb mode for the traffic encryption. See the
man page (esm.1 in this distribution).
ESM is the first released part of a suite of session encryption tools that
are described in
Matt Blaze and Steve Bellovin. "Session-Layer Encryption."
Proc. 1995 USENIX Security Workshop, Salt Lake City, June 1995.
PostScript is available from
ftp://research.att.com/dist/mab/sesscrypt.ps
For most purposes, a package such as "ssh" or an encrypting Telnet is
a better choice (and network-layer encryption better still). ESM's main
purpose is providing end-to-end encryption across an application-layer
firewall. It also requires no "system support" to install, which is both
an advantage and a disadvantage.
To compile ESM you'll need the RSAREF 2.0 library, available for free
for non-commercial use in the US and Canada from RSA Laboratories
(anonymous ftp to rsa.com for details).
Once you have RSAREF working, this distribution should compile without
problems under SunOS 4.x and BSDI; you're on your own for other platforms.
NOTE: ESM RUNS ON FEWER PLATFORMS THAN CFS. COMPILE AT YOUR OWN RISK.
The best way to explain esm is with an example. Here's
an encrypted session from alice to bob:
alice$ esm
ESM v0.9 - encrypted session manager
by Matt Blaze, AT&T Bell Labs, April 1995
randomizing..........done
local layer ready (run 'esm -s' on remote)
alice$ rsh bob
bob$ exec esm -s
ESM v0.9 - encrypted session manager
by Matt Blaze, AT&T Bell Labs, April 1995
randomizing..........done
remote server ready
Starting remote side of 1024 bit key exchange.
(type any character to abort)
Starting local key exchange...calculating DH key...
(key hash is 8d60f517)
Entering ENCRYPTED mode; type ctrl-^ to escape
bob$
...
[encrypted session from alice to bob]
...
bob$ exit
Press <enter> to return CLEARTEXT mode:
alice$ exit
alice$
You can also hack ESM to provide an encrypted login session;
create a user "esm" with "esm -s -e 'sleep 3;login'" as the login
shell. (Getting this to work properly will require some tweaking
on your local system). Run esm -l on the local machine and from
there log in to the esm account on the remote machine. This is
not completely secure (I haven't audited it for this purpose and
there is the risk of a man-in-the-middle attack), so you
really shouldn't use ESM for this purpose. But such a
configuration does encrypt the real account name and password over
the network:
alice$ esm
ESM v0.9 - encrypted session manager
by Matt Blaze, AT&T Bell Labs, April 1995
randomizing..........done
local layer ready (run 'esm -s' on remote)
alice$ telnet bob
Trying 123.45.67.12...
Connected to bob
Escape character is '^]'.
bob login: esm
ESM v0.9 - encrypted session manager
by Matt Blaze, AT&T Bell Labs, April 1995
randomizing..........done
remote server ready
Starting remote side of 1024 bit key exchange.
(type any character to abort)
Starting local key exchange...calculating DH key...
(key hash is 8d60f517)
Entering ENCRYPTED mode; type ctrl-^ to escape
login: mab
Password:
bob$
...
ESM is primitive and slow, but seems to work. Comments, bug fixes,
ports to new platforms and complaints are welcome.
Matt Blaze
mab@research.att.com
(for esm or cfs questions, use cfs@research.att.com).