source: vbox/trunk/doc/manual/en_US/dita/topics/vrde-crypt.dita

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="vrde-crypt">
  <title>RDP Encryption</title>
  
  <body>
    <p>RDP features data stream encryption, which is based on the RC4 symmetric cipher, with keys up to 128-bit. The RC4
      keys are replaced at regular intervals, every 4096 packets. </p>
    <p>RDP provides the following different server authentication methods: </p>
    <ul>
      <li>
        <p><b outputclass="bold">RDP 4</b> authentication was used historically. With RDP 4, the RDP client does not perform any checks in order to verify the identity of the server it connects to. Since user credentials can be obtained using a man in the middle (MITM) attack, RDP4 authentication is insecure and should not be used. </p>
      </li>
      <li>
        <p><b outputclass="bold">RDP 5.1</b> authentication
            employs a server certificate for which the client possesses
            the public key. This way it is guaranteed that the server
            possess the corresponding private key. However, as this
            hard-coded private key became public some years ago, RDP 5.1
            authentication is also insecure.
          </p>
      </li>
      <li>
        <p><b outputclass="bold">RDP 5.2 or later</b>
            authentication uses Enhanced RDP Security, which means that
            an external security protocol is used to secure the
            connection. RDP 4 and RDP 5.1 use Standard RDP Security. The
            VRDP server supports Enhanced RDP Security with TLS protocol
            and, as a part of the TLS handshake, sends the server
            certificate to the client.
          </p>
        <p>The <codeph>Security/Method</codeph> VRDE property sets the required security method that is used for a connection. You can also change this in the VM Settings, Remote Display tab. Valid values are as follows: </p>
        <ul>
          <li>
            <p><b outputclass="bold">Negotiate.</b> Both Enhanced (TLS) and Standard RDP Security connections are allowed. The security method is negotiated with the client. </p>
          </li>
          <li>
            <p><b outputclass="bold">RDP.</b> Only Standard RDP
                Security is accepted.
              </p>
          </li>
          <li>
            <p><b outputclass="bold">TLS.</b> Only Enhanced RDP Security is accepted. The client must support TLS. This is the default setting. </p>
            <p>
                The version of OpenSSL used by <ph conkeyref="vbox-conkeyref-phrases/product-name"/> supports
                TLS versions 1.0, 1.1, 1.2, and 1.3.
              </p>
          </li>
        </ul>
        <p>For example, the following command configures a client to use either Standard or Enhanced RDP Security connection: </p>
        <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> --vrde-property "Security/Method=negotiate"</pre>
        <p>If the <codeph>Security/Method</codeph> property is set to either Negotiate or TLS, the server uses TLS if the client supports it. However, to use TLS the server must have the Server Certificate and the Server Private Key. A Certificate Authority (CA) Certificate is optional. </p>
        <p>If you choose TLS as the security method, <ph conkeyref="vbox-conkeyref-phrases/product-name"/> generates a server key and certificate pair called VRDEAutoGeneratedPrivateKey.pem and VRDEAutoGeneratedCert.pem) for the VM. <ph conkeyref="vbox-conkeyref-phrases/product-name"/> also recreates the auto-generated certificate and key if they are about to expire, or if one or both are deleted or corrupted. </p>
        <p>To generate a custom server key and certificate pair, with a CA certificate, follow these steps. </p>
        <ol>
          <li>
            <p>Create a CA self signed certificate. </p>
            <pre xml:space="preserve">openssl req -new -x509 -days 365 -extensions v3_ca \
  -keyout ca_key_private.pem -out ca_cert.pem</pre>
          </li>
          <li>
            <p>Generate a server private key and a request for signing. </p>
            <pre xml:space="preserve">openssl genrsa -out server_key_private.pem
openssl req -new -key server_key_private.pem -out server_req.pem</pre>
          </li>
          <li>
            <p>Generate the server certificate. </p>
            <pre xml:space="preserve">openssl x509 -req -days 365 -in server_req.pem \
  -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</pre>
          </li>
        </ol>
        <p>Configure the server to access the required files. For example: </p>
        <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
  --vrde-property "Security/CACertificate=path/ca_cert.pem"</pre>
        <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
  --vrde-property "Security/ServerCertificate=path/server_cert.pem"</pre>
        <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
  --vrde-property "Security/ServerPrivateKey=path/server_key_private.pem"</pre>
        <p>Note that <ph conkeyref="vbox-conkeyref-phrases/product-name"/> does not maintain custom certificates. You are responsible for keeping these updated.</p>
      </li>
    </ul>
    <p>As the client that connects to the server determines what type of encryption will be used, with
        <userinput>rdesktop</userinput>, the Linux RDP viewer, use the <codeph>-4</codeph> or <codeph>-5</codeph>
      options. </p>
  </body>
  
</topic>