There are three methods of guaranteeing secure operation of TELNET by means of authentication and encryption:

• START-TLS option

  The START-TLS option was implemented exclusively for TLS. In BS2000 it is supported by the server option -Z tls-required.

• “Telnet Authentication Option” (RFC 2941) for negotiating an authentication method

  In BS2000 only TLS is currently supported. The “Telnet Authentication Option” is selected using the option -B. The “Telnet Authentication Option” will possibly gain in importance in the future because it permits a very wide variety of authentication methods to be supported, including Kerberos. In the following, the “Telnet Authentication Option” will be referred to as AUTHENTICATION option.

• “Telnet Data Encryption Option” (RFC 2946) for negotiating a symmetric encryption method and the associated key.

  In BS2000 only DES 64 (RFC 2952, RFC 2953) is currently supported. The “Telnet Data Encryption Option” is selected using the server option -H. In the following, the “Telnet Data Encryption Option” will be referred to as ENCRYPTION option.

START-TLS option (see "-Z option - Support of the START-TLS option"), AUTHENTICATION option (see "-B option - Enable/disable the AUTHENTICATION option") and ENCRYPTION option (see "-H option - Enable/disable the ENCRYPTION option") are described in detail in the following sections.

In the case of the options below, the equals sign must immediately follow the option name without a space and the option value must immediately follow the equals sign, also without a space.