NetManage to Release WinPCT -- A Windows Implementation of Private
Communication Technology Protocol Provided by Microsoft and Endorsed by
Major Hardware and Software Developers

WinPCT and Source Code to be Posted on the Internet and Contributed to Both
the WinSock Forum and Stardust WinSock Labs

Atlanta, NetWorld+Interop - September 27, 1995- NetManage, developer of the
popular Chameleon Windows Internet productivity software, announced today
it will be releasing WinPCT -- a publicly available Windows implementation
of the newly proposed Private Communication Technology protocol standard
for Internet security. WinPCT provides forgeneral-purpose secure personal
and business communications on the Internet. WinPCT is interoperable with
existing Internet servers that use the SSL 2.0 protocol, and extends its
capabilities, correcting potential security holes, and allowing for
greater interoperability via support for a wide range of encryption
technologies.

This new protocol has been proposed by Microsoft and endorsed by major
software and hardware developers including NetManage, who participated
inreview of the specification during its development. In a separate
announcement today at the Networld+Interop trade show in Atlanta,
Microsoft announced publication of the Private Communication Technology
protocol specification. The PCT specification can be found on the
Microsoft HomePage (http://www.microsoft.com).

AN OPEN, INTEROPERABLE STANDARD

"We are pleased to see the industry, and particularly leading firms such as
NetManage, expressing such strong and immediate support for PCT," said
Warren Dent, Director of Business Development, Consumer Systems Division
of Microsoft. "Broad adoption of efficient, strongly authenticated
security protocols will help allow individuals and businesses make
effective use ofthe Internet."

"Other security protocols proposed to date as standards include the
potential for security breaches and fail to fully accommodate open and
interoperable secure communications between computers which use different
bulk encryption ciphers. These limitations have slowed the adoption of
Internet security as a widespread interoperable feature of all Internet
software and hardware products -- including end-user applications,
servers, firewalls, and secure routers," said Bob Williams, V.P. Business
Development for NetManage, Inc.

"NetManage's implementation of PCT will allow for 'plug & play'
interoperability for users of Internet security, and endorses the Private
Communication Technology protocol extensions which improve the reliability
of currently proposed Internet security standards. NetManage's open
implementation will not lock software or hardware developers into the use
of encryption technology from any one vendor," Williams noted.

INDUSTRY LEADERS ENDORSE NETMANAGE WINPCT

"At Stardust WinSock Labs, we believe in standards and open systems. We are
pleased to be able to play a pivotal role in accelerating and easing the
development of WinSock-based communications standards. Welook forward to
working with NetManage, Microsoft, and our members to help refine and
promote PCT as an open standard," said Martin Hall Chief Technology
Officer, Stardust Technologies. Martin Hall is also the Chairman of the
Windows Sockets group and a co-author of the WinSock standard. The
Stardust WinSock Labs are an open group of vendors committed to furthering
internetworking standards through collaboration and testing. Members
include WRQ, FTP Software, NetCom, Novell, SunSoft, Compuserve, NetManage,
Persoft, Powersoft, SurfWatch, SST, Mercury Interactive, and MillenNet.

"We are pleased to work with NetManage, the Stardust WinSock test labs, and
other industry leaders to create open standards for security on the
Internet," said Bartel Broussard, V.P. Marketing, FTP Software. "The open
sharing of protocol implementations is in keeping with the true spirit of
the Internet, and will lead to both the improvement and widespread use of
secure communications."

"The implementation of secure transmission across the Internet has been of
significant concern to software vendors as well as users," said Emerick
Woods, V.P. and General Manager, Internet Group, Quarterdeck Corporation.
"Quarterdeck fully supports WinPCT as an interoperable industry standard
and will be implementing its inclusion into our web server products."

"CYLINK cooperated with both NetManage and Microsoft in reviewing the PCT
specification and has been working closely with NetManage on developing
their reference implementation," said Dave Morris, V.P. Marketing, CYLINK
Corporation. "We will be using WinPCT in our Secure Enterprise
Architecture, and strongly endorse effective, open and interoperable
standards for Internet Security."

"As a leading vendor of PC security cards, we welcome the adoption of a
standard that allows plug-and-play cryptography, including not only
software but hardware-based solutions. We look forward to creating an
implementation that uses WinPCT and are pleased to be able to cooperate
inpromoting this standard," said Jan Dolphin, President, SPYRUS, Inc.

INTERNET SECURITY

Establishing a secure Internet connection requires any computer to perform
two functions: authentication of the user, and bulk encryption of data.

The authentication phase allows two computers to verify that each party is
who they claim to be, and that they are authorized to enter into a secure
communications session. This is done via "public key" technology, which
was developed and patented by Stanford University and licensed by CYLINK
Corporation.

During the authentication phase the two computers also agree upon the
encryption method to be used for bulk data transfer during the time the
two computers are communicating data between one another. These ciphers
canbe implemented in either software or hardware, including PCMCIA cards.
Popular encryption ciphers include DES, Triple-DES, SAFER, IDEA, Skipjack,
RC-2 and RC-4, and are available from a variety of software and hardware
vendors.

ABOUT PRIVATE COMMUNICATION TECHNOLOGY

The PCT Protocol is application protocol independent. A "higher level"
application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of
the PCT Protocol transparently. The PCT Protocol begins with a handshake
phase that negotiates an encryption algorithm and (symmetric) session key
as well as authenticating a server to the client (and, optionally, vice
versa), based on certified asymmetric public keys. Once transmission of
application protocol data begins, all data is encrypted using the session
key negotiated during the handshake.

The PCT protocol's record format is compatible with that of SSL 2.0.
Servers implementing both protocols can recognize the first two handshake
phase messages (which are always the first messages in a session, in both
SSL and PCT) by the top bit being set to 1 in the most significant byte of
the field that contains the version number in both protocols. The PCT
version number appears in the remaining 15 bits of the two-byte PCT
version number.

The PCT protocol differs from SSL chiefly in the design of its handshake
phase, which varies from SSL's in a number of respects, most notably in
the correction of a security hole in SSL's client authentication.

WINPCT CORRECTS SECURITY HOLE IN SSL

A security hole in SSL's client authentication has been repaired, by making
the WinPCT client's authentication challenge response dependent on the
type of cipher negotiated for the session. SSL's client authentication is
independent of the cipher strength used in the session, and also of
whether the authentication is being performed for a restarted session or a
new one.

As a result, a "man-in-the-middle" attacker, assuming it can obtain the
session key for a session using weak cryptography, can use this broken
session to authenticate as the client in a session using strong
cryptography. If, for example, the server normally restricts certain
sensitive functions to high-security sessions, then this security hole
allows intruders to circumvent the restriction.

AVAILABILITY

WinPCT will be posted as a reference implementation at the end of this
month on NetManage's public Internet server. This implementation will
include both object code and source. The software is also being
contributed to the WinSock forum and to the Stardust Technologies WinSock
testing laboratories. Upon release, NetManage will welcome comment and
modifications to this reference implementation prior to broader adoption
as a widespread standard.

ABOUT NETMANAGE

NetManage Inc., the fastest growing software company in the United States,
develops, markets and supports an integrated set of applications, servers
and development tools for Microsoft Windows, Windows 95 and Windows NT.
NetManage software allows corporations to facilitate communication,
collaboration and sharing of information between workgroups using Internet
technology. The company's award winning products include Chameleon,
Internet Chameleon and ECCO. NetManage is a public company, whose shares
are traded on the NASDAQ under the ticker symbol NETM. Its products are
sold world-wide by NetManage's direct sales force and authorized channel
partners. The company is a member of Stardust WinSock Labs and been
influential in the development of Internet standards. NetManage
contributed the original specification which became WinSock, and was a
principal contributor and co-author of the WinSNMP and WinISDN Internet
standards. NetManage is based in Cupertino, CA, and can be reached at
1-408-973-7171 or on the world wide web at www.netmanage.com.
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
 This information was processed from data provided by the
 company/author mentioned. For additional details, please
 contact them directly at the address/phone# indicated.
 Trademarks are the property of their respective owners.
 =========================================================
 All submissions for this service should be addressed to:
 BAKER ENTERPRISES,  20 Ferro Dr,  Sewell, NJ  08080  USA
 Email: rbakerpc@delphi.com  -or- RBakerPC (on AOL/Delphi)
 =========================================================
