There are three methods of guaranteeing secure operation of TELNET by means of authentication and encryption:
START-TLS option
The START-TLS option was implemented exclusively for TLS and is supported in BS2000 by the client option -Z tls-required and the client command tls.
“Telnet Authentication Option” (RFC 2941) for negotiating an authentication method
In BS2000 only TLS is currently supported. The “Telnet Authentication Option” is selected using the -A option or the client command auth. The “Telnet Authentication Option” may gain in importance in the future because it allows a very wide variety of authentication methods to be supported, including Kerberos. In the following, the “Telnet Authentication Option” is referred to as the AUTHENTICATION option.
“Telnet Data Encryption Option” (RFC 2946) for negotiating a symmetric encryption method and the associated key
In BS2000 only DES 64 (RFC 2952, RFC 2953) is currently supported. The “Telnet Data Encryption Option” is selected using the -E option or the client command encrypt. In the following, the “Telnet Data Encryption Option” is referred to as the ENCRYPTION option.
The START-TLS option (see "START-TLS option"), the AUTHENTICATION option (see "Option -A - Enable/disable AUTHENTICATION option") and the ENCRYPTION option (see "Option -H - Enable/disable the ENCRYPTION option") are described in detail in the following sections.
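All three methods are negotiated in-band as TELNET options, so a captured session shows whether any of them was actually agreed. The following Python code is an added example, not part of the BS2000 documentation: it scans each direction of a session for the IANA option codes 46 (START_TLS), 37 (AUTHENTICATION) and 38 (ENCRYPT). The function names and the sample byte strings are constructed for illustration.

```python
# Added example (not vendor code): find TELNET security-option negotiation in raw bytes.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# IANA option codes: AUTHENTICATION (RFC 2941), ENCRYPT (RFC 2946), START_TLS.
SECURITY_OPTIONS = {37: "AUTHENTICATION", 38: "ENCRYPT", 46: "START_TLS"}

def security_negotiation(stream: bytes):
    """Return [(verb, option)] for security options seen in one direction."""
    events, i, n = [], 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd in VERBS and i + 2 < n:
            opt = stream[i + 2]
            if opt in SECURITY_OPTIONS:
                events.append((VERBS[cmd], SECURITY_OPTIONS[opt]))
            i += 3
        elif cmd == SB and i + 2 < n:
            opt, j = stream[i + 2], i + 3
            # Skip the subnegotiation body up to IAC SE; IAC IAC is an escaped 0xFF.
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            if j + 1 >= n:
                break  # unterminated subnegotiation: stop rather than guess
            if opt in SECURITY_OPTIONS:
                events.append(("SB", SECURITY_OPTIONS[opt]))
            i = j + 2
        else:
            i += 2  # IAC IAC (escaped data byte) or a two-byte command
    return events

def agreed_options(client: bytes, server: bytes):
    """Options where one side sent WILL and the peer sent DO.
    Coarse check: it does not track a later WONT/DONT that disables the option."""
    c, s = set(security_negotiation(client)), set(security_negotiation(server))
    return sorted(o for o in SECURITY_OPTIONS.values()
                  if (("WILL", o) in c and ("DO", o) in s)
                  or (("DO", o) in c and ("WILL", o) in s))

# Constructed sample traffic: the server offers START_TLS and AUTHENTICATION,
# the client accepts START_TLS only. Option 24 (terminal type) is unrelated noise.
SERVER = bytes([IAC, DO, 46, IAC, DO, 37, IAC, DO, 24]) + b"login: "
CLIENT = bytes([IAC, WILL, 46, IAC, SB, 46, 1, IAC, SE, IAC, WONT, 37, IAC, WILL, 24])

if __name__ == "__main__":
    print(agreed_options(CLIENT, SERVER))
```

An empty result for a session means none of the three options was agreed in the inspected bytes, which is the case to flag when clients are expected to connect with -Z tls-required.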