AES Plugin: Mass deployment

Should you have problems with the DSM plugin, here's the place to look for help or report issues
aauzers
Posts: 1
Joined: 2006-10-17 20:49

AES Plugin: Mass deployment

Post by aauzers »

I need to deploy the UltraVNC server/viewer package to a number of computers in disparate physical locations. Now, perhaps I'm simply misunderstanding how the AES encryption scheme works, but is it possible to install UltraVNC with AES without having to manually generate (and deploy, more importantly) a key beforehand? In other words, can I negotiate AES encryption (or any of the three encryption plugins, for that matter) "on the fly", without having to manually place a key on every machine I want to work with? I'm going to use strong login passwords and so forth, but if traffic between the viewer and the server can't be conveniently encrypted, it appears I'm leaving myself exposed to man-in-the-middle attacks...not the end of the world, but a weakness nevertheless.

Thanks for your help!

Alex
bevtech
Posts: 2168
Joined: 2005-08-03 14:07
Location: Pennsylvania, United States

Re: AES Plugin: Mass deployment

Post by bevtech »

If you want a mass deployment via a domain then take a look at
the wix project

We have some rough documentation under the following subforum, Doc Writers:

[topic=5317][/topic]

This may be a solution to your problem. You can install it via a GPO.
Bevtech

Windows XP Home, Pro SP2, Windows 2003 SBS server SP2(EN), Windows Media Center Edition 2005, Windows Vista Home Prem., Fedora Core 6, Win9X, PChelpware Rel 1.0,
UVNC V 1.0.8.2

User not developer..;)
scovel
Posts: 307
Joined: 2004-07-12 11:56
Location: CT, USA

Re: AES Plugin: Mass deployment

Post by scovel »

You can safely deploy the plugins KEYLESS if you are using strong passwords. Here's how that would work:

Deploy the plugin to the ends of the earth...

User starts viewer. The viewer queries the plugin, "you need a password?" The plugin says "Yes". The viewer passes the plugin the password. The viewer attempts to send the first packet over the wire; the packet FIRST goes to the plugin. The plugin sees it's the first packet, generates some randomness for IV and SALT, uses MD5 to turn the (8 character) password into a 128-bit hash. The password hash and the IV are used to start the AES encryption engine, the packet is encrypted. The packet is sent over the wire.

The server gets the first packet. It asks the plugin, "You need a password?" The plugin says "Yes". The server passes the packet to the plugin. The plugin creates an MD5 hash of the password. The plugin pulls the IV off the packet, then uses the password hash and the IV to start the decryption engine, and decrypts the packet.

NOW, the server wants to respond to the viewer... The server passes its first response packet to the plugin. The plugin uses the hashed password and a NEW IV to start the encryption engine, then encrypts the packet and sends it over the wire....

Meanwhile back at the viewer, it gets its first response packet from the server. It pulls the IV off the packet, and with the password hash starts the decryption engine, and decrypts the packet.

Underneath all this mess, VNC does its usual protocol negotiation and password exchange stuff, only over a completely encrypted connection.

Communication continues this way, except for the IV stuff, until the connection ends.

As you can see, the password on the server side is retrieved from the registry and used to encrypt and decrypt the packets. The password on the viewer side is requested from the user, and is used to encrypt/decrypt the packets. If they don't match, you get the beloved "Protocol negotiation failed" error, since text decrypted with the wrong password is garbage, not RFB protocol communication.

If I can answer any questions, let me know!

P.S. The only difference with a Key file is that the plugin uses the key stored in the file instead of the password to generate the MD5 hash.
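The keyless exchange scovel walks through above, as an added example that is not part of the original thread and not the plugin's own code: each side derives a 128-bit AES key from the password with MD5, the sender generates a fresh random IV per packet and prepends it, the receiver reads the IV off the packet and decrypts with its own password-derived key. The passwords, the use of AES in CTR mode, the omission of the SALT the post mentions, and the function names are assumptions of this example; the first plaintext packet is modelled as the RFB ProtocolVersion string from RFC 6143, which is what the receiving side expects to see when the passwords match and what it will not see when they don't.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
)

// rfbHello is the RFB ProtocolVersion message (RFC 6143). It is the first
// thing the plaintext protocol exchanges, so a correctly decrypted first
// packet must start with it.
const rfbHello = "RFB 003.008\n"

// deriveKey is the step the post describes: MD5 turns the password into a
// 128-bit value used directly as the AES key. Both ends do this from the
// password they already hold, so no key file has to be distributed.
func deriveKey(password string) []byte {
	sum := md5.Sum([]byte(password))
	return sum[:]
}

// sealPacket encrypts one packet under a fresh random IV and prepends the IV
// so the peer can read it off the wire. AES-CTR is an assumption of this
// example, not a statement about the real plugin's cipher mode.
func sealPacket(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// openPacket pulls the IV off the front of the packet and decrypts the rest
// with the receiver's own password-derived key. A packet too short to carry
// an IV is rejected rather than decrypted.
func openPacket(key, packet []byte) ([]byte, error) {
	if len(packet) < aes.BlockSize {
		return nil, errors.New("packet shorter than the IV it must carry")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, body := packet[:aes.BlockSize], packet[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCTR(block, iv).XORKeyStream(out, body)
	return out, nil
}

// negotiate simulates the first exchange: the viewer seals the RFB hello with
// the password the user typed, the server opens it with the password from its
// own configuration. It reports whether the server saw a valid hello, i.e.
// whether protocol negotiation would proceed instead of failing.
func negotiate(viewerPassword, serverPassword string) (bool, []byte, error) {
	wire, err := sealPacket(deriveKey(viewerPassword), []byte(rfbHello))
	if err != nil {
		return false, nil, err
	}
	seen, err := openPacket(deriveKey(serverPassword), wire)
	if err != nil {
		return false, nil, err
	}
	return bytes.Equal(seen, []byte(rfbHello)), seen, nil
}

func main() {
	// Constructed sample passwords for the demonstration.
	ok, seen, _ := negotiate("correct-horse", "correct-horse")
	fmt.Printf("matching passwords:   negotiated=%v, server saw %q\n", ok, seen)
	ok, seen, _ = negotiate("correct-horse", "wrong-pass")
	fmt.Printf("mismatched passwords: negotiated=%v, server saw %x\n", ok, seen)
}
```

With the same password on both ends the server recovers `RFB 003.008\n` and the handshake continues; with different passwords it recovers bytes that are not RFB, which is the "Protocol negotiation failed" case the post describes. Because the key is nothing more than MD5 of the password, the protection the stream gets is bounded by the password's entropy, which is why scovel conditions keyless deployment on strong passwords; a key file, as the P.S. notes, only swaps the password for the file's contents as the MD5 input.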