Cget, Cput, and Stage-Safe File Transport Tools for the Internet

Summary by Gordon Galligher

The only reason for the creation of these routines was an immediate need for the "safe" transmission of information between a few hosts (on opposite sides of firewalls), and there was no time to wait for "official crypto" packages such as secure Telnet and IP version 6. Tools such as Kerberos and SSH work well now, but when these routines were created, Kerberos was very cumbersome and required extensive overhead, and SSH was fairly new.

Design goals included having UNIX-style tools (small, a tool for each function) and an untrusting server (i.e., chroot() and setuid() to a normal user before performing the download). There were minimal assumptions made when creating the code that include the server may not trust the client, the server software might have security bugs, there is access to the physical console of the server in order to move the files from the "playground" (the chroot() area where the files are deposited) to the true home, and the "bad guys" control the network and can snoop on the data. There are shared secret keys, but due to the chroot() and setuid() nature, if the key is compromised, then only the "playground" area can be affected. All downloaded files must then be manually moved from the "playground" to the true home.

The first implementations used the Data Encryption Standard (DES) for the encryption, but now it uses HMAC/SHA for authentication. It is faster than DES, and it was determined that the real requirement was simply authenticating that the data were coming from the real owner, not that they had to be encrypted for security.

The code can be obtained from the server ftp.research.bell-labs.com.

Originally published in ;login: Vol. 22, No.2, April 1997.