Secure ICA Technical Overview

Overview

The Citrix SecureICA Option Pack enhances the security of MetaFrame by allowing users to access MetaFrame servers over secure communications channels. This SecureICA Technical Overview provides details on the SecureICA encryption software.

Topics discussed include:

The SecureICA implementation
Encryption security
SecureICA performance characteristics
Security beyond encryption


SecureICA Features

SecureICA contains features to enhance the security of data communication across any type of connection supported by MetaFrame. The SecureICA Option Pack uses the RC5 encryption algorithm from RSA Data Security, Inc. The MetaFrame server and MetaFrame client use the Diffie-Hellman key agreement algorithm with a 1024-bit modulus to agree on the RC5 keys for each connection. The 1024 bits describe the key agreement step only; the RC5 session keys it produces are 40, 56 or 128 bits long.

The SecureICA Option Pack offers the following features:

128-bit encryption during user authentication

To ensure account security, SecureICA uses 128-bit encryption during the authentication phase.

Strong session encryption and flexible encryption support

The 128-bit encryption level is considered infeasible to break by brute force with current technology. The 40-bit and 56-bit levels are exportable precisely because they can be broken by an exhaustive key search given enough time and money; a 40-bit RC5 key was recovered by brute force in a matter of hours in 1997, so the 40-bit level should be regarded as protection against casual eavesdropping rather than against a determined attacker. The availability of 40-bit encryption for global use provides an international data encryption solution.

Per-connection encryption support

Different encryption levels can be used for each connection. For example, a dial-up connection with 40-bit encryption and a LAN connection with 128-bit encryption can be used simultaneously.

Cross client compatibility

SecureICA-enabled clients are available for DOS, Win16, Win32, and the MetaFrame Web client (Netscape plug-in and Internet Explorer ActiveX control).

Enforceable encryption levels

The MetaFrame administrator can enforce minimum encryption levels on a per-WinStation and per-user basis. A MetaFrame client connection is allowed only if the client is using at least the minimum level; a client that offers a lower level is refused rather than admitted at the weaker setting.

Dynamic key generation

The SecureICA MetaFrame server and client generate unique RC5 keys for each connection, so the key of one session is of no use against any other. A system service periodically generates new Diffie-Hellman parameters in the background, providing a further level of security.

Understanding Encryption

Encryption is the process of obscuring the true meaning of a message such that only the intended recipient can understand it.

The encryption process transforms data into a form that is unreadable to anyone without a special piece of information. This information allows the recipient to unscramble or decrypt the message. This piece of information is called a key.

The process used to create the scrambled message is called an encryption algorithm.

There are two general types of encryption algorithms. A symmetric key algorithm uses the same key to encrypt and to decrypt the data. This means the secret key must never be revealed to anyone but the sender and the intended recipient of the data. The advantage of a symmetric key algorithm is its speed.

The disadvantage of a symmetric key algorithm is that the secret key used to encrypt the data must be delivered to whoever needs to decrypt the data. If there were a secure channel over which to send the key, the data could be sent the same way and encryption would be unnecessary.

The second type of algorithm is a public-private key algorithm. It relies on certain mathematical properties to create a pair of keys such that data encrypted with one key can be decrypted only with the other. The key that is published and used to encrypt is called the public key. The key that is kept secret and used to decrypt is called the private key. A message encrypted with the public key can be decrypted only with the matching private key.

The public key can be openly transmitted without compromising the security of the encrypted data. Knowing the public key will not allow anyone to decrypt the encrypted data.

Many modern encryption programs combine the two types of algorithms. A symmetric key algorithm encrypts the data. The secret key is established using a public-private key algorithm. This provides the speed of a symmetric key algorithm with the security of a public-private key algorithm.

RC5 is a symmetric key algorithm. Diffie-Hellman is a public-private key algorithm, but it is a key agreement rather than an encryption scheme: each side combines its own private value with the other side's public value, and both arrive at the same shared secret without that secret ever being transmitted. On its own, Diffie-Hellman does not authenticate either party; it guarantees that the two endpoints share a secret, not who those endpoints are.
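As an added illustration of the hybrid scheme described above and of the features listed earlier (a 1024-bit Diffie-Hellman agreement producing a fresh RC5 key per connection at a selectable 40, 56 or 128-bit level), the following Python code is not Citrix's implementation and is not taken from this page. It assumes RC5-32/12/b (32-bit words, 12 rounds, b key bytes), CBC mode with a random IV, the 1024-bit MODP group from RFC 2409 as the Diffie-Hellman parameters, and a SHA-256 hash-and-truncate step to turn the shared secret into the RC5 key; SecureICA's actual key derivation, mode of operation and parameter generation are not documented here. The names session, derive_rc5_key and KEY_BYTES are the example's own.

```python
"""Diffie-Hellman agreement feeding a per-connection RC5 session cipher.
Added illustration, not Citrix code: RC5-32/12/b in CBC mode, the RFC 2409
1024-bit group, and an assumed hash-and-truncate key derivation."""
import hashlib
import secrets

# 1024-bit MODP prime (RFC 2409 Oakley Group 2, transcribed here), generator 2.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G, MASK32 = 2, 0xFFFFFFFF
P32, Q32, ROUNDS = 0xB7E15163, 0x9E3779B9, 12   # RC5 constants for w=32, r=12
KEY_BYTES = {128: 16, 56: 7, 40: 5}  # encryption level -> RC5 key length b (assumed)

def _rotl(x, y):
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK32

def _rotr(x, y):
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK32

def rc5_expand_key(key):
    """RC5 key schedule: b key bytes -> 2(r+1) round subkeys S."""
    c = max(1, (len(key) + 3) // 4)
    L = [int.from_bytes(key[4 * i:4 * i + 4].ljust(4, b"\0"), "little")
         for i in range(c)]
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK32 for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):          # mix the key words into S
        A = S[i] = _rotl((S[i] + A + B) & MASK32, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK32, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block):
    A, B = int.from_bytes(block[:4], "little"), int.from_bytes(block[4:8], "little")
    A, B = (A + S[0]) & MASK32, (B + S[1]) & MASK32
    for i in range(1, ROUNDS + 1):
        A = (_rotl(A ^ B, B) + S[2 * i]) & MASK32
        B = (_rotl(B ^ A, A) + S[2 * i + 1]) & MASK32
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")

def rc5_decrypt_block(S, block):
    A, B = int.from_bytes(block[:4], "little"), int.from_bytes(block[4:8], "little")
    for i in range(ROUNDS, 0, -1):
        B = _rotr((B - S[2 * i + 1]) & MASK32, A) ^ A
        A = _rotr((A - S[2 * i]) & MASK32, B) ^ B
    A, B = (A - S[0]) & MASK32, (B - S[1]) & MASK32
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")

def rc5_cbc_encrypt(S, data):
    """CBC with a random IV prepended and PKCS#7-style padding."""
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    prev = secrets.token_bytes(8)
    out = [prev]
    for i in range(0, len(data), 8):
        prev = rc5_encrypt_block(S, bytes(a ^ b for a, b in zip(data[i:i + 8], prev)))
        out.append(prev)
    return b"".join(out)

def rc5_cbc_decrypt(S, data):
    prev, out = data[:8], []
    for i in range(8, len(data), 8):
        out.append(bytes(a ^ b for a, b in zip(rc5_decrypt_block(S, data[i:i + 8]), prev)))
        prev = data[i:i + 8]
    plain = b"".join(out)
    return plain[:-plain[-1]]

def dh_keypair():
    """One party's private exponent and public value g^x mod p, fresh per connection."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(DH_G, x, DH_P)

def dh_shared_secret(own_private, peer_public):
    # Reject 0, 1 and p-1: a peer sending these forces a predictable secret.
    if not 2 <= peer_public <= DH_P - 2:
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, DH_P)

def derive_rc5_key(shared_secret, level_bits):
    """ASSUMED derivation: SHA-256 of the shared secret, cut to the level's key length."""
    digest = hashlib.sha256(shared_secret.to_bytes(128, "big")).digest()
    return digest[:KEY_BYTES[level_bits]]

def session(level_bits, message):
    """Client and server agree a key; only the two public values cross the wire."""
    c_priv, c_pub = dh_keypair()                     # client side
    s_priv, s_pub = dh_keypair()                     # server side
    client_key = derive_rc5_key(dh_shared_secret(c_priv, s_pub), level_bits)
    server_key = derive_rc5_key(dh_shared_secret(s_priv, c_pub), level_bits)
    wire = rc5_cbc_encrypt(rc5_expand_key(client_key), message)
    recovered = rc5_cbc_decrypt(rc5_expand_key(server_key), wire)
    return {"keys_match": client_key == server_key, "key_bits": 8 * len(server_key),
            "wire": wire, "recovered": recovered}
```

Only the two public values cross the wire; each side's private exponent stays local, which is the property the page relies on when it says the secret key is established with a public-private key algorithm. Two checks are worth keeping in any real implementation: reject a peer public value of 0, 1 or p-1, which would force a predictable shared secret, and remember that Diffie-Hellman on its own authenticates neither side, so the example does nothing to verify who is on the other end. Note also that the 40- and 56-bit levels simply shorten b; RC5's per-block work depends on the round count, not the key length, so the weaker levels buy no speed.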

Understanding Government Export Restrictions

The United States government restricts the export of strong cryptography. Encryption strength is usually defined by the size of the keys used to encrypt and decrypt data.

Encryption products using keys greater than 40 bits are usually restricted from export. However, larger keys can be exported for use in authentication products.

The SecureICA Option Pack comes in two versions: North American and Global. The North American version of the SecureICA Option Pack uses a 128-bit key during user logon. A selectable 40, 56, or 128 bit key is used to encrypt the remainder of the session. The Global version uses a 128-bit key during user logon. A 40-bit key is used to encrypt the remainder of the session.

United States export policy regarding encryption has at times allowed the export of stronger data keys to subsidiaries of North American based financial institutions. Export of these stronger keys is controlled on a per-application basis and must be applied for.