[Cryptography] Secure VNC implementation

Albert Lunde atlunde at panix.com
Sat Aug 27 05:25:01 EDT 2016


On 8/26/2016 8:21 PM, John Levine wrote:
>> I did a bit of research on this field and nothing looks too pleasing.
>> The best solution so far seems to be enterprise RealVNC.  Would be
>> grateful to hear what people think about this solution.
>
> Depends what you mean by secure.  VNC is a pretty simple design that
> sends a stream of keyboard and mouse events from the client to the
> host, and a stream of frame buffer updates from the host to the
> client.  It's described in RFC 6143.
>
> It has no meaningful security built in, but it can run over anything
> that looks like a virtual circuit.  People usually run it over ssh, so
> whatever you think of ssh's security, that is VNC's security.

RealVNC uses protocol extensions to do AES encryption and use OS 
passwords, not the trivial passwords of the original VNC protocol, so 
it's a substantially different protocol than all the free VNC 
implementations out there, one that doesn't rely on SSH tunneling.

It seems to be a solid, supported commercial product with clients and 
servers for several platforms.  One licenses a server; their VNC client 
for Windows is free.

I'm using the Windows version; I've had some practical difficulties with 
getting the server to restart after MS patching and with something else 
capturing the terminal session on occasion, but those don't appear to be 
protocol weaknesses.

-- 
       Albert Lunde  albert-lunde at northwestern.edu
                     atlunde at panix.com  (address for personal mail)
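
Added example, not part of the original message or of any VNC product: the point made in the thread, that the base protocol of RFC 6143 carries no meaningful security of its own, can be checked from what a server advertises in its handshake. The Python below parses the server-to-client bytes of an RFB 3.7/3.8 handshake and flags a server that offers the core security types None (1) or VNC Authentication (2); the function names and sample byte strings are constructed for illustration.

```python
import struct

# Security types defined in RFC 6143 section 7.1.2. Neither encrypts the
# session, so a server offering them relies on a tunnel (e.g. ssh).
CORE_TYPES = {1: "None", 2: "VNC Authentication"}


def parse_server_handshake(stream: bytes) -> dict:
    """Parse the server's ProtocolVersion and security-type list (RFB 3.7/3.8)."""
    if len(stream) < 13:
        raise ValueError("truncated handshake")
    banner = stream[:12]
    if not (banner.startswith(b"RFB ") and banner.endswith(b"\n")):
        raise ValueError("not an RFB ProtocolVersion message")
    version = banner[4:11].decode("ascii", "replace")
    if version not in ("003.007", "003.008"):
        raise ValueError("unsupported protocol version: " + version)
    count = stream[12]
    if count == 0:
        # Zero types means the server refused; a U32 length and reason follow.
        if len(stream) < 17:
            raise ValueError("truncated failure reason")
        (length,) = struct.unpack(">I", stream[13:17])
        reason = stream[17:17 + length].decode("latin-1")
        return {"version": version, "offered": [], "refused": reason}
    offered = list(stream[13:13 + count])
    if len(offered) != count:
        raise ValueError("truncated security-type list")
    return {"version": version, "offered": offered, "refused": None}


def needs_tunnel(offered: list) -> bool:
    """True if any core type is offered: a client could negotiate it and
    the session would then run without encryption."""
    return any(t in CORE_TYPES for t in offered)


def label(sec_type: int) -> str:
    return CORE_TYPES.get(sec_type, "extension type %d" % sec_type)


# Constructed server-to-client byte strings (not captured traffic).
SAMPLE_CORE = b"RFB 003.008\n" + bytes([2, 1, 2])   # offers None and VNC Auth
SAMPLE_EXT = b"RFB 003.008\n" + bytes([1, 19])      # offers only type 19 (VeNCrypt)
SAMPLE_REFUSED = b"RFB 003.008\n\x00" + struct.pack(">I", 4) + b"busy"

if __name__ == "__main__":
    for sample in (SAMPLE_CORE, SAMPLE_EXT, SAMPLE_REFUSED):
        info = parse_server_handshake(sample)
        print(info, [label(t) for t in info["offered"]], needs_tunnel(info["offered"]))
```

Extension types are reported by number only, since what protection they give depends on the vendor's implementation and is not specified in RFC 6143.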

