Q: How is SafeTP better than Kerberos?
Q: Is there a Mac version of SafeTP available?
Q: I want to install SafeTP on my UNIX workstation (or laptop). How can I do
this?
Q: How do I uninstall SafeTP?
Q: How can I test/troubleshoot my SafeTP client installation?
Q: What is the encryption strength used by SafeTP?
Q: Sometimes when I try to FTP to a secure server, I get a
message warning me of a "959 dropdown attack" and the connection gets
terminated. What's going on?
Q: Every time I connect to an insecure
server, I get a warning about sending my password in the clear. Why?
Q: Users are automatically given the server's DSA public key when they connect - can this behavior be disabled to increase security?
Q: I've installed SafeTP and now it takes a few seconds longer
to log into my FTP server. Why?
Q: I've installed SafeTP and now my data transfers seem considerably
slower. Why?
Q: My network applications seem somewhat slower now that I've installed
SafeTP, and the disk runs more than usual. What's wrong?
Q: I can connect securely using SafeTP, but the FTP connection freezes
as soon as I try to initiate a data transfer (or get the first file listing).
Q: All my network applications are getting errors like
"can't create socket" or "network subsystem failure". What's the
problem?
Q: All my network applications are getting errors like
"This layer requires a Winsock 2.2-compliant Base Protocol. This Base Protocol Provider
only supports versions 110.0-0.0". What's the problem?
Q: SafeTP seems to interfere with the behavior of a particular network
application. What can I do?
Q: I'm using Windows 95 or 98 and my 16-bit network application doesn't
work correctly now that I've installed SafeTP. I get a message about SafeTP not supporting
16-bit applications and my program gets terminated. Why?
Q: I'm a Berkeley student using SafeTP to connect to ftp-write. I see the
status message from SafeTP saying the control channel is secure, but when I try to login I
get a message: "User <your_username> access denied". What's the deal?
Q: My Windows Kerberos FTP client no longer works now that I've installed SafeTP. Why?
Q: SafeTP doesn't detect my FTP connection to a non-standard FTP port. Why?
Q: SafeTP has trouble with firewalls. Why?
Q: Why do I see a "Safetp Entropy Gathering" dialog the first time I login to a machine?
Q: How is SafeTP better than Kerberos?
A: SafeTP has the advantage that it saves you the trouble of messing with
Kerberos tickets, and for Windows users it's completely transparent, allowing you to
continue using your favorite FTP client.
Q: Is there a Mac version of SafeTP available?
A: Not yet. Our current thinking on Mac clients is that it should be
possible to port the UNIX-style client to Mac, but no work has been done thus far (mainly
because neither of the developers has a Mac or knows them very well). However, the source
code is available, and we keep hoping perhaps some intrepid Mac guru will take a crack at
it...
By the way, the SafeTP protocol has been made public and is very stable, so if you were
interested in writing your own Mac client from scratch that included a GUI, you could
certainly do so (we'd of course be happy to offer help, suggestions, etc.). Contact us for details.
Q: I want to install SafeTP on my UNIX workstation (or laptop).
How can I do this?
A: There is a UNIX client called 'sftpc' available. If you're a Berkeley
student with access to an account on a machine that mounts SWW, you can copy the 'sftpc'
executable file from /usr/sww/pkg/safetp. You can also download the source code and build
the executable yourself from the SafeTP web page.
Q: How do I uninstall SafeTP?
A: When the SafeTP layer is active, it becomes an integral part of the
Windows network stack. If you ever need to uninstall SafeTP, it's VERY important to do it
properly, or you could damage the Windows networking subsystem.
If you delete the SafeTP files while the layer is active, the Windows network
stack will cease to function!
To uninstall correctly, you can either:
-or-
(Windows NT Note: You must be logged in with administrative privileges to uninstall SafeTP.)
Q: How can I test/troubleshoot my SafeTP client installation?
A: If your administrator hasn't set up a SafeTP server for you yet, or you want to try out
/ troubleshoot your SafeTP client installation, there's a working public SafeTP "test" FTP server
available here:
Q: What is the encryption strength used by SafeTP?
A: SafeTP uses so-called "strong" cryptography.
The details of the protocol are here:
http://safetp.cs.berkeley.edu/protocol.txt
http://safetp.cs.berkeley.edu/doc.html
The executive summary is that SafeTP uses a public-key handshake based on 1024-bit Elgamal and DSA keys,
followed by a 168-bit Triple-DES-CBC symmetric cipher. (The DSA keys are 1024 bits by default -
your server administrator may have chosen to generate longer keys for additional security.)
NOTE - many people ask if SafeTP has "128-bit encryption"; however, it makes little
sense to discuss bit length without stating an algorithm or cipher.
SafeTP's resistance to brute-force attacks is comparable to popular implementations
of RSA, which typically use 1024-bit RSA keys and 128-bit IDEA symmetric keys.
Q: Sometimes when I try to FTP to a secure server, I get a
message warning me of a "959 dropdown attack" and the connection gets
terminated. What's going on?
A: This warning prevents hackers from mounting a special kind of attack
that exploits the fact that SafeTP transparently supports both secure and insecure FTP
servers. The warning indicates that you're connecting to a server which SafeTP knows to be
secure (from a previous connection) but which is now behaving like an insecure server.
For example, if you've previously connected to a secure SafeTP server at port 353 of
IP address X, and are now connecting to an insecure FTP server on port 21 of the same
IP, you will see this warning of a potential attack.
If you're certain that you're connecting to the correct port,
it's possible the server no longer supports SafeTP, although this is pretty unlikely and
should be verified through other channels. If you're certain this is the case, you
can stop the warning by deleting the corresponding server key in the SafeTP Manager.
Q: Every time I connect to an
insecure server, I get a warning about sending my password in the clear. Why?
A: The warning is there to prevent you from accidentally sending your
password in the clear where it would be visible to packet sniffers watching the network.
If it really bothers you, you can disable this warning from the SafeTP Manager.
Q: Users are automatically given the server's DSA public key when they connect - can this behavior be disabled to increase security?
A: There is no support for this, because it wouldn't make any sense - the purpose of the DSA key is to authenticate the server to the client, not vice versa. The client is authenticated to the server by means of the user/password combo, which is sent over the encrypted link. If you can't trust username/password to authenticate your users, then you should reconsider your entire authentication scheme (for example, implement tighter controls over who has a password and how often they must change it).
The public DSA key truly is meant to be a public key, which is made accessible to anyone who wants it so they can verify that the holder of the corresponding private key (i.e. the SafeTP proxy on your server machine) really is who it claims to be when it signs cryptographic messages during secure connection establishment. Hiding this public key wouldn't make your setup any more secure; it would simply make it harder for legitimate users to connect and authenticate via user/password.
If you're worried about users connecting with trust-first-time and want to prevent that, you can internally distribute the server public key along with your internal copy of the SafeTP client archive so they get installed together (see the client help file for instructions).
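The client-side decisions described in the last three answers (the "959 dropdown attack" warning, the cleartext password warning, and trust-first-time versus a pre-distributed server key) can be modelled as one small policy function. This is an added illustration, not SafeTP source code; `KeyStore`, `decide`, `forget`, the result strings and the refusal of a changed key are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Ports the FAQ says the client treats as possible FTP connections by default.
DEFAULT_FTP_PORTS = frozenset({21, 353, 2123})

@dataclass
class KeyStore:
    """Hypothetical per-user store mapping server IP -> DSA key fingerprint."""
    keys: Dict[str, str] = field(default_factory=dict)
    warn_cleartext: bool = True  # models the option to disable the cleartext warning

def decide(store: KeyStore, ip: str, port: int, offered_key: Optional[str],
           ftp_ports=DEFAULT_FTP_PORTS) -> str:
    """Classify one outgoing connection.

    offered_key is the fingerprint of the key the server presented during
    negotiation, or None when the server behaves like a plain FTP server.
    """
    if port not in ftp_ports:
        return "ignore"  # not recognised as FTP, so no attempt to secure it
    known = store.keys.get(ip)  # keyed by IP only: port 353 vs 21 on one IP still matches
    if offered_key is None:
        if known is not None:
            return "abort-959-dropdown"  # known-secure server now acting insecure
        return "warn-cleartext" if store.warn_cleartext else "allow-cleartext"
    if known is None:
        store.keys[ip] = offered_key  # trust-first-time: remember the key
        return "secure-trust-first-time"
    if known != offered_key:
        return "abort-key-mismatch"  # assumption: a changed key is refused
    return "secure"

def forget(store: KeyStore, ip: str) -> None:
    """Models deleting the server key in the SafeTP Manager."""
    store.keys.pop(ip, None)

if __name__ == "__main__":
    store = KeyStore()
    for ip, port, key in [("192.0.2.10", 353, "fp-A"),   # constructed sample sequence
                          ("192.0.2.10", 21, None),
                          ("192.0.2.20", 21, None)]:
        print(ip, port, decide(store, ip, port, key))
```

Pre-loading `KeyStore.keys` with the server's fingerprint corresponds to distributing the public key with the client archive, so the first connection is checked against a known key instead of being trusted blindly.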
Q: I've installed SafeTP and now it takes a few seconds longer to
log into my FTP server. Why?
A: That extra time is due to the SafeTP negotiation sequence that must
take place to establish a secure link over which you can send your password. The length of
the negotiation sequence is primarily determined by: the speed and current load on the
server machine, the latency of the network connection, and the speed of your machine.
Q: I've installed SafeTP and now my data transfers seem
considerably slower. Why?
A: You probably have data channel encryption turned on. This protects
your data from prying eyes and modification attacks, but it slows down the transfer speed
because of the encryption/decryption overhead. The difference is especially noticeable
over a modem connection because the encrypted file blocks are less amenable to the
hardware compression that takes place in your modem. Unless you're paranoid about other
people seeing/messing with your data, you can probably safely turn off data encryption
from the SafeTP Manager.
Another data file protection option added in
SafeTP version 1.9 is tamper-proof, which provides integrity and authentication
(i.e. prevents malicious or accidental alteration of your file contents) without
the overhead of full encryption. This is accomplished by sending the data in the
clear, along with a cryptographically secure (unforgeable) digital signature.
Under Tamper-proof, your file contents may be
observed by third parties, but they cannot be altered or replaced.
Q: My network applications seem somewhat slower now that I've
installed SafeTP, and the disk runs more than usual. What's wrong?
A: SafeTP should not have a noticeable performance impact on non-FTP
network applications. If they seem slow, you should verify that the SafeTP debugging log
is turned off. To do this, run the SafeTP Manager (STPMGR.EXE), select "Advanced
Settings", and uncheck the option "Log debugging information".
Q: I can connect securely using SafeTP, but the FTP connection freezes
as soon as I try to initiate a data transfer (or get the first file listing).
What's the problem?
A: The FTP protocol uses 2 types of connections to get its work done -
the control channel is used for authentication and sending commands and replies, while
separate data channel connections are used to transmit files and file listings.
Failure to establish a data connection while using SafeTP is almost always caused by a
firewall, proxy or NAT product sitting on the network somewhere between the client
and the server - this may include things like corporate firewalls, Linux IP masquerading,
software or hardware based
"home firewalls", or even things like Microsoft Internet Connection Sharing. These products
typically try to eavesdrop on the FTP control channel to get clues about the data
connections being established, but SafeTP is specifically designed to prevent such
eavesdropping on the control channel, so these products frequently get confused
and fail to work properly.
See the SafeTP firewall page for information about how to
solve these problems.
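To make the failure concrete, here is what a control-channel-inspecting firewall or NAT helper does with plain FTP traffic, and what it is left with once the control channel is protected. This is an added illustration, not code from SafeTP or any firewall product; the function names and both sample transcripts are constructed, and the protected lines are opaque placeholders rather than SafeTP's actual wire format.

```python
import re
from typing import List, Optional, Tuple

# Six comma-separated decimal bytes h1,h2,h3,h4,p1,p2, as used by the
# FTP PORT command and the 227 (passive mode) reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if a cleartext control line announces a data connection."""
    text = line.strip()
    upper = text.upper()
    if not (upper.startswith("PORT ") or upper.startswith("227 ")):
        return None
    match = _HOSTPORT.search(text)
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed address or port bytes
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def pinholes(control_lines: List[str]) -> List[Tuple[str, int]]:
    """Data endpoints a middlebox watching the control channel would learn."""
    return [ep for ep in map(data_endpoint, control_lines) if ep is not None]

# Constructed plain-FTP control traffic: the data endpoints are readable.
CLEAR = ["USER alice", "PORT 192,0,2,5,19,137", "LIST",
         "227 Entering Passive Mode (192,0,2,10,78,32)"]

# Constructed placeholders for the same traffic on a protected control channel.
PROTECTED = ["<opaque ciphertext 1>", "<opaque ciphertext 2>",
             "<opaque ciphertext 3>", "<opaque ciphertext 4>"]

if __name__ == "__main__":
    print("cleartext:", pinholes(CLEAR))      # two endpoints learned
    print("protected:", pinholes(PROTECTED))  # nothing learned, data connection is blocked
```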
Q: All my network applications are getting errors like
"can't create socket" or "network subsystem failure". What's the
problem?
A: There are 2 possible explanations:
Q: All my network applications are getting errors like
"This layer requires a Winsock 2.2-compliant Base Protocol. This Base Protocol Provider
only supports versions 110.0-0.0". What's the
problem?
A: You have a non-standard networking component installed on your
system. Most often, such components are so-called "spyware" - programs that are clandestinely
installed along with other products to monitor your internet usage for advertising purposes.
You can inspect the networking providers currently installed on your system using the
SPOrder tool
from the Microsoft Winsock SDK (be careful not to change any of
the Microsoft providers using this tool, or your network may get messed up further).
There are several freeware tools out there for safely removing spyware, such as
Lavasoft Ad-Aware.
Q: SafeTP seems to interfere with the behavior of a particular
network application. What can I do?
A: First, PLEASE email us and let us know about the application and the problem
you're having - we're continually
working to make SafeTP more compatible with existing software.
You should also check the list of known problems to
see if we've already discovered the problem you're encountering.
Second, you can selectively turn off the SafeTP layer for a particular application from
the SafeTP Manager (STPMGR.EXE). See the online help for details.
Q: I'm using Windows 95 or 98 and my 16-bit network application
doesn't work correctly now that I've installed SafeTP. I get a message about SafeTP not
supporting 16-bit applications and my program gets terminated. Why?
A: This was a limitation of earlier versions of SafeTP on Windows 95 and 98.
SafeTP version 1.6 and later include support for 16-bit network apps.
Download and install the newest version from the webpage.
Q: I'm a Berkeley student using SafeTP to connect to ftp-write. I
see the status message from SafeTP saying the control channel is secure, but when I try to
login I get a message: "User <your_username> access denied". What's the
deal?
A: If you see the SafeTP status message, then SafeTP is working
correctly. However, you either don't have an account within the mammoth domain, (so your
home directory is not mounted on ftp-write), or you're being denied FTP access for some
other reason by the server.
Typically for one to access a server via ftp the following conditions must be satisfied:
If you still can't figure out why you don't have access, contact the system administrator.
Q: My Windows Kerberos FTP client no longer works now that I've installed SafeTP. Why?
A: SafeTP uses the same protocol framework used by Kerberos to secure your FTP connections.
As a consequence, Kerberos FTP clients are NOT compatible with SafeTP. In order to use a Kerberos
FTP client while SafeTP is installed, you should add the client to the list of excluded applications
on the Advanced Settings Screen in the SafeTP Manager.
Q: SafeTP doesn't detect my FTP connection to a non-standard FTP port. Why?
A: SafeTP uses the destination port number for outgoing network connections
as a heuristic to distinguish FTP connections from non-FTP outgoing connections.
Currently, the SafeTP client recognizes outgoing connections to port 21 (the standard FTP port),
and to ports 353 and 2123 (non-standard FTP ports designated for miscellaneous usage)
as possible FTP connections and attempts to secure them. Connections to FTP servers residing on ports
other than these three will be ignored by the proxy client by default.
Starting in SafeTP v1.9, the advanced settings dialog in the SafeTP Manager
can be used to add new recognized ports, although we highly recommend
you stick with the three ports above whenever possible.
Q: SafeTP has trouble with firewalls. Why?
A: There are some sticky issues related to SafeTP and firewalls. Please see the dedicated firewall FAQ for more information.
Q: Why do I see a "Safetp Entropy Gathering" dialog the first time I login to a machine?
A: SafeTP maintains its settings and secure key data on a per-user basis, for security reasons (this is meant primarily to handle multi-user systems such as public labs where the mutual trust level between different users is not absolute). When each user first logs into a SafeTP-enabled system, he will be prompted for random entropy to initialize his private security keys, which are stored in the user portion of the Windows registry.
You can disable this behavior for a machine by removing the SafeTPKeyCheck entry from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
but this is not advisable from a security perspective because without this check, new users may start out with empty key data, and thus the one-time encryption keys used during their first secure connection may be somewhat guessable to would-be attackers (in this case, the "true" entropy in their keys will accumulate over time as SafeTP is used more and gradually reach the level of security one would get from providing entropy directly via the dialog prompt). Depending on your encryption needs and level of paranoia, this may be an acceptable policy, but not one that we feel comfortable advising for all users/systems (hence the default prompt for entropy).
The SafeTPKeyCheck registry value is also required for correct operation of the "automatic" client key refresh feature, which prompts for entropy and regenerates the client keys after they've aged a given number of days, as an optional increased measure of security.