SecureICA
Secure ICA Frequently Asked Questions

What is Secure ICA?

Secure ICA provides advanced, end-to-end encryption of the ICA data stream. MetaFrame today includes a basic level of data encryption in the base product. Though this base level is satisfactory for most MetaFrame users, some customers have asked for more cryptographically secure methods of protecting the information that is sent between the MetaFrame client and server. Secure ICA provides this advanced level of encryption.

What level of encryption is being offered in Secure ICA?

Secure ICA is being offered in three different levels of encryption or key lengths - a 40-bit key, 56-bit key and 128-bit key.

The purpose of providing these three different levels is:

  1. US export laws currently limit the strength of the encryption that can be exported outside of North America. It is believed that strong encryption in the hands of an enemy nation can be used as a weapon by scrambling transmissions of sensitive information. To reduce the risk of US-developed technology being used against the US government, these laws have limited the strength of exportable encryption to a 40-bit key.
  2. The US government recognizes that US-based financial institutions conduct business and financial transactions with their own subsidiaries overseas. For this purpose, the government has relaxed the laws surrounding these institutions and has begun to allow independent corporations to apply for export licenses on encryption stronger than the current 40-bit maximum. For these markets, Secure ICA includes a 56-bit encryption key.
  3. North American-based corporations are free to encrypt data at any level they choose. For these customers, Secure ICA includes a 128-bit encryption key.

What is Key Length?

Key length, when used to describe the strength of encryption, refers to the number of bits that need to be accurately aligned or flipped when encrypting or decrypting data. The easiest way to envision the level of security gained by a given key length is to picture a house or car key. Each of the notches in the key needs to be aligned perfectly to gain access to the house or to start the car. The wrong key will not turn because its notches do not align with the pins (or bits) of the lock. A longer key, such as a 128-bit key, is comparable to a house or car key that has 128 pins to align. The longer the key, the more difficult it would be for a person to pick the lock. The same holds true for encryption: the longer the key, the less likely it is that someone would be able to break the code.

How strong is 128-bit encryption?

Many educational institutions and large corporations, as well as the US government, have done studies on cracking encryption. The net result is that cracking the code is a function of available processing power, and processing power is simply a function of money. The more processing power (money) available to attack the encryption, the faster the encryption will be broken. The following table illustrates the amount of time and money necessary to break an encrypted file in a brute-force attack against various key lengths, using processor power pricing data from 1995.

| Cost | 40 bits | 56 bits | 64 bits | 80 bits | 112 bits | 128 bits |
|---|---|---|---|---|---|---|
| $100K | 2 seconds | 35 hours | 1 year | 70,000 years | 10^14 years | 10^19 years |
| $1 M | 0.2 seconds | 3.5 hours | 37 days | 7000 years | 10^13 years | 10^18 years |
| $10 M | 0.02 seconds | 21 minutes | 4 days | 700 years | 10^12 years | 10^17 years |
| $100 M | 2 milliseconds | 13 seconds | 9 hours | 70 years | 10^11 years | 10^16 years |
| $1 B | 0.2 milliseconds | 1 second | 1 hour | 7 years | 10^10 years | 10^15 years |
| $10 B | 0.02 milliseconds | 0.1 seconds | 5.4 minutes | 245 days | 10^9 years | 10^14 years |
| $100 B | 2 microseconds | 0.01 seconds | 32 seconds | 24 days | 10^8 years | 10^13 years |
| $1 T | 0.2 microseconds | 1 millisecond | 3 seconds | 2.4 days | 10^7 years | 10^12 years |

What does this table mean?

Using $1,000,000,000,000 of processing power against a 128-bit encrypted file, it would take 1,000,000,000,000 years to break the code.
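The scaling behind the table can be reproduced from a single cell. The following Python sketch is an added example, not part of the original FAQ: it takes the table's "$100K breaks 40 bits in 2 seconds" entry as an anchor and assumes that search rate grows linearly with money and that every key in the keyspace is tried. All function names are hypothetical.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Anchor cell from the page's table: $100K exhausts a 40-bit keyspace in 2 seconds.
ANCHOR_BUDGET_USD = 100_000
ANCHOR_KEY_BITS = 40
ANCHOR_SECONDS = 2.0


def keys_per_second(budget_usd):
    """Trial rate a budget buys; linear scaling with money is an assumption."""
    anchor_rate = 2 ** ANCHOR_KEY_BITS / ANCHOR_SECONDS
    return anchor_rate * budget_usd / ANCHOR_BUDGET_USD


def exhaust_seconds(key_bits, budget_usd):
    """Seconds to try every key of this length; each added bit doubles it."""
    return 2 ** key_bits / keys_per_second(budget_usd)


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1), ("milliseconds", 1e-3),
             ("microseconds", 1e-6)]
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:.1e} {name}" if value >= 1e6 else f"{value:.1f} {name}"
    return f"{seconds:.1e} seconds"


def table(budgets, key_lengths):
    """Rebuild the cost / key-length grid as {budget: {bits: text}}."""
    return {b: {k: humanize(exhaust_seconds(k, b)) for k in key_lengths}
            for b in budgets}


if __name__ == "__main__":
    grid = table([10 ** e for e in range(5, 13)], [40, 56, 64, 80, 112, 128])
    for budget, row in grid.items():
        print(f"${budget:>16,}  " + "  ".join(f"{v:>18}" for v in row.values()))
```

Under the linear assumption the $100 M, 56-bit cell works out to about 2 minutes, where the table lists 13 seconds; the table's 56-bit column from $100 M down does not follow the tenfold steps of its other columns, so read those cells as orders of magnitude.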

Will Secure ICA impact MetaFrame system performance? Is the key length a factor in system performance?

An individual user should not see a measurable change in response time when using Secure ICA. But encryption does require processing power on both the client and the server. Depending on the application, customers may want to increase system resources (memory and processor) when running this advanced encryption.

Key length is not a factor in the impact on system performance. There will be no difference in performance using a 40-bit key versus a 128-bit key.

Will Secure ICA work with any protocol and any connection type?

Yes, Secure ICA will operate properly over all MetaFrame supported protocols and connections including RAS and direct ASYNC ICA connections. Some users may choose to turn the encryption off on the PPP RAS connection during an ICA session to reduce overhead.

Does Secure ICA work for all client platforms?

Secure ICA includes clients for DOS, Win16 and Win32. Web clients (NS plugin and ActiveX control) are also included.

Will ICA thin client devices support Secure ICA?

Secure ICA is architected to work with any client that supports the ICA protocol stack. Devices such as Wyse WinTerms or Boundless TCs are capable of using Secure ICA. ICA device vendors will have to supply the client-side protocol drivers for encryption, meaning that they will have to flash their ROM.