Diffstat (limited to 'doc/manual/en_US/dita/topics/vrde-crypt.dita')
-rw-r--r-- | doc/manual/en_US/dita/topics/vrde-crypt.dita | 128
1 files changed, 128 insertions, 0 deletions
diff --git a/doc/manual/en_US/dita/topics/vrde-crypt.dita b/doc/manual/en_US/dita/topics/vrde-crypt.dita new file mode 100644 index 00000000000..013e3262686 --- /dev/null +++ b/doc/manual/en_US/dita/topics/vrde-crypt.dita 
@@ -0,0 +1,128 @@ +<?xml version='1.0' encoding='UTF-8'?> +<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd"> +<topic xml:lang="en-us" id="vrde-crypt"> + <title>RDP Encryption</title> + + <body> + <p> + RDP features data stream encryption, which is based on the RC4 + symmetric cipher, with keys up to 128-bit. The RC4 keys are + replaced at regular intervals, every 4096 packets. + </p> + <p> + RDP provides the following different authentication methods: + </p> + <ul> + <li> + <p><b outputclass="bold">RDP 4</b> authentication was + used historically. With RDP 4, the RDP client does not + perform any checks in order to verify the identity of the + server it connects to. Since user credentials can be + obtained using a man in the middle (MITM) attack, RDP4 + authentication is insecure and should generally not be used. + </p> + </li> + <li> + <p><b outputclass="bold">RDP 5.1</b> authentication + employs a server certificate for which the client possesses + the public key. This way it is guaranteed that the server + possess the corresponding private key. However, as this + hard-coded private key became public some years ago, RDP 5.1 + authentication is also insecure. + </p> + </li> + <li> + <p><b outputclass="bold">RDP 5.2 or later</b> + authentication uses Enhanced RDP Security, which means that + an external security protocol is used to secure the + connection. RDP 4 and RDP 5.1 use Standard RDP Security. The + VRDP server supports Enhanced RDP Security with TLS protocol + and, as a part of the TLS handshake, sends the server + certificate to the client. + </p> + <p> + The <codeph>Security/Method</codeph> VRDE property sets + the desired security method, which is used for a connection. + Valid values are as follows: + </p> + <ul> + <li> + <p><b outputclass="bold">Negotiate.</b> Both + Enhanced (TLS) and Standard RDP Security connections are + allowed. The security method is negotiated with the + client. This is the default setting. 
+ </p> + </li> + <li> + <p><b outputclass="bold">RDP.</b> Only Standard RDP + Security is accepted. + </p> + </li> + <li> + <p><b outputclass="bold">TLS.</b> Only Enhanced RDP + Security is accepted. The client must support TLS. + </p> + <p> + The version of OpenSSL used by Oracle VM VirtualBox supports + TLS versions 1.0, 1.1, 1.2, and 1.3. + </p> + </li> + </ul> + <p> + For example, the following command enables a client to use + either Standard or Enhanced RDP Security connection: + </p> + <pre xml:space="preserve">vboxmanage modifyvm <varname>VM-name</varname> --vrde-property "Security/Method=negotiate"</pre> + <p> + If the <codeph>Security/Method</codeph> property is set to + either Negotiate or TLS, the TLS protocol will be + automatically used by the server, if the client supports + TLS. However, in order to use TLS the server must possess + the Server Certificate, the Server Private Key and the + Certificate Authority (CA) Certificate. The following + example shows how to generate a server certificate. + </p> + <ol> + <li> + <p> + Create a CA self signed certificate. + </p> + <pre xml:space="preserve">openssl req -new -x509 -days 365 -extensions v3_ca \ + -keyout ca_key_private.pem -out ca_cert.pem</pre> + </li> + <li> + <p> + Generate a server private key and a request for signing. + </p> + <pre xml:space="preserve">openssl genrsa -out server_key_private.pem +openssl req -new -key server_key_private.pem -out server_req.pem</pre> + </li> + <li> + <p> + Generate the server certificate. + </p> + <pre xml:space="preserve">openssl x509 -req -days 365 -in server_req.pem \ + -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</pre> + </li> + </ol> + <p> + The server must be configured to access the required files. 
+ For example: + </p> + <pre xml:space="preserve">vboxmanage modifyvm <varname>VM-name</varname> \ + --vrde-property "Security/CACertificate=path/ca_cert.pem"</pre> + <pre xml:space="preserve">vboxmanage modifyvm <varname>VM-name</varname> \ + --vrde-property "Security/ServerCertificate=path/server_cert.pem"</pre> + <pre xml:space="preserve">vboxmanage modifyvm <varname>VM-name</varname> \ + --vrde-property "Security/ServerPrivateKey=path/server_key_private.pem"</pre> + </li> + </ul> + <p> + As the client that connects to the server determines what type + of encryption will be used, with <userinput>rdesktop</userinput>, + the Linux RDP viewer, use the <codeph>-4</codeph> or + <codeph>-5</codeph> options. + </p> + </body> + +</topic> |
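Review bot: The opening paragraph of the new topic presents RC4 stream encryption (keys up to 128 bits, rekeyed every 4096 packets) as a property of RDP in general, but the hunk itself states that only RDP 4 and RDP 5.1 use Standard RDP Security, and with Enhanced RDP Security the data stream is protected by TLS rather than RC4; scope that first sentence to Standard RDP Security so the reader does not conclude that the TLS path is also RC4. Related to this, the Negotiate bullet says "Both Enhanced (TLS) and Standard RDP Security connections are allowed" and "This is the default setting" directly after the text declares RDP 4 and RDP 5.1 authentication insecure; the topic should state plainly that Negotiate lets a client, or anyone able to tamper with the negotiation, fall back to those insecure methods, and recommend `Security/Method=TLS` wherever the clients in use support TLS. The closing paragraph ("the client that connects to the server determines what type of encryption will be used") contradicts the RDP and TLS settings in the same list, each of which accepts only one method; reword it so the client's `-4`/`-5` choice is described as relevant only under Negotiate. In the OpenSSL steps, `openssl genrsa -out server_key_private.pem` and the unqualified `req`/`x509 -req` invocations depend on the installed OpenSSL version's default key size and default signature digest; pass them explicitly, e.g. `openssl genrsa -out server_key_private.pem 2048` and `-sha256` on the signing commands, and add a sentence that `-set_serial 01` must not be reused when a replacement server certificate is issued under the same CA. Because the server private key is generated unencrypted, the paragraph that sets `Security/ServerPrivateKey` should also tell the reader to restrict read access to `server_key_private.pem` (and to `ca_key_private.pem`) to the account that runs the VRDE server. Minor: "guaranteed that the server possess the corresponding private key" should read "possesses".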