DSNlink NE (No Encryption) Version 3.0 for Tru64 UNIX Readme First 1-February-2001 Dear Customer, This letter contains a brief description of DSNlink NE Version 3.0 for Tru64[TM] UNIX. It also explains how to get the software and documentation from the DSNlink Web site. DSNlink NE Version 3.0 for Tru64 UNIX (where "NE" means no en- cryption), is a special kit for customers who cannot install DSNlink Version 3.0, which encrypts all communications. Although DSNlink NE Version 3.0 does not encrypt communications or con- tain encryption software, it does have all the new features and bug fixes that are in DSNlink Version 3.0. 1 Improved Authentication When either your system or the Compaq host initiates a con- nection, the systems first perform authentication. The goal of the process is for the customer and host systems to verify their identities to each other before establishing a communi- cation connection. The systems must successfully authenticate themselves before messages are exchanged. Authentication has been enhanced with the addition of stronger, hash-based message authentication code (HMAC) functions. During the authentication process, DSNlink NE Version 3.0 combines a message with your authentication key and processes the result with industry-standard secure hash functions to generate a hash-based message authentication code (HMAC) for the digital signature. The HMAC algorithm follows RFC 2104 guidelines. The HMAC functions in DSNlink NE Version 3.0 are: o MD5_V3 uses the MD5 cryptographic hash function to produce a 128-bit signature. o RMD160 uses the cryptographic hash function RIPEMD-160 to produce a 160-bit signature. o SHA1 uses the cryptographic hash function SHA-1 to produce a 160-bit signature. o SR160 uses both of the RIPEMD-160 and SHA-1 cryptographic hash functions to produce a 160-bit signature. The advantage of this method is that an adversary would have to break both the SHA-1 and RIPEMD-160 functions to break the signature. This is the default authentication method. The older MD5 authentication method, which produces a 128-bit signature, was used in earlier versions of DSNlink. Your system will use MD5 if the host system is running DSNlink Version 2.2 instead of Version 3.0. This method does not follow RFC 2104 guidelines and is not as secure as the HMAC methods mentioned above. 1.1 New Authentication Key Previously, DSNlink used only MD5 to authenticate all connec- tions. Both your system and the Compaq host had identical MD5 keys. In DSNlink NE Version 3.0, a key that is compatible with the HMAC functions is required for authentication. It is a single key for the MD5, SHA-1, and RIPEMD authentication methods. It has this location and file name format: /usr/lib/dsn/keys/HMAC-DIGITAL-access_number If you install DSNlink NE Version 3.0 on a system with an ear- lier version of DSNlink, the installation renames the existing MD5-DIGITAL-access_number keys to HMAC-DIGITAL-access_number. The contents of the MD5 key are not changed, just the file name. If you install DSNlink NE Version 3.0 on a system without an earlier version of DSNlink, the installation prompts you for the authentication key. You can use the DSNlink authentication key from another of your DSNlink systems. If you have no previous versions of DSNlink, Compaq provides an authentication key for you to enter at the installation prompt for a key. If new or existing customers request an authentication key, the HMAC key they receive is 16 characters longer than the MD5 keys. Customers are encouraged to request the key because it is harder for an adversary to break. For more information, contact Compaq. 2 How to Download the Kit from the Compaq DSNlink Web Site To download the kit from the DSNlink Web site: 1. Using a browser, go to the following Web address: http://www.support.compaq.com/dsnlink/kit_unix_v30.htm The Web page titled "The DSNlink Version 3.0 for Compaq Tru64 UNIX Kit" displays. 2. Download the appropriate files according to the instructions on the Web page. 3 After You Copy the Files, Follow These Instructions 1. Become root and create a kit area on your disk by making a kit directory and extracting the kit archive. For example: # mkdir kit # cd kit # tar xvf ../DSNANE300.tar . . . 2. Print or display the DSNlink Version 3.0 for Tru64 UNIX Installation Guide. These are the file names: dsna300_iguide.pdf - display with Adobe Acrobat dsna300_iguide.txt - a text file dsna300_iguide.ps - a PostScript file 3. Before you begin the installation, be sure to deinstall any previous DSNlink subsets on your system. The subsets you must remove are listed in the Deinstalling DSNlink Kits section of the DSNlink Version 3.0 for Tru64 UNIX Installation Guide. 4. Install DSNlink using setld. Refer to the instructions in the installation guide. 5. Complete the appropriate postinstallation tasks as described in the installation guide. Thank you for using DSNlink! For further assistance, please contact your Customer Support Center. DSNlink Program Office Compaq Customer Support Center _________ Copyright 1989, 2000, 2001 Compaq Computer Corporation. Compaq and the Compaq logo Registered in U.S. Patent and Trade- mark Office. Tru64 is a trademark of Compaq Information Tech- nologies Group, L.P. in the United States and other countries. Motif and UNIX are trademarks of The Open Group. All other prod- uct names mentioned herein may be trademarks of their respective companies. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for Compaq products are set forth in the express limited warranty statement accom- panying such products. Nothing herein should be construed as constituting an additional warranty.