Apple Remote Desktop 1.2: About Encrypted Communication

When using the Remote Desktop application to connect to an Apple Remote Desktop (ARD) client, some of the communication is encrypted.

Authentication

To a Mac OS 9 client computer using ARD 1.0 to 1.2

When adding client computers in the Remote Desktop application, the authentication is encrypted using a random number exchange. When Remote Desktop establishes communication with client computers, the Remote Desktop application re-authenticates with the client. (This is seamless to you, because the client already belongs to a list in the Remote Desktop application.) This re-authentication is also encrypted using a random number exchange.

When you administer a remote computer, the Remote Desktop application sends a request to the remote ARD client. The remote ARD client responds with a random number. The Remote Desktop application combines the password that you typed with the random number received from the client and performs a one-way hash. This result is sent to the client, and the client makes the same calculation with the local password for that user. If the result matches what the Remote Desktop application sent, then you are granted access to administer the computer.

Since the password is combined with a different random number each time, the login packet is always different.

To a Mac OS X client computer using ARD 1.0 or 1.1

This authentication is similar to the authentication done with a Mac OS 9 client in that it is also a random number exchange with a one-way hash of the password. It differs in that this authentication is done with both a user name and a password. With ARD 1.0 and 1.1, the user name has to be sent in the clear, but the password is hashed with a better hash algorithm (SHA-1).
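The random number exchange described in the two sections above, modelled in Python as an added illustration (this is not Apple's code and not the ARD wire format): the client issues a random number, the administrator side sends the user name in the clear together with a SHA-1 digest of the typed password combined with that number, and the client repeats the calculation with its locally stored password. The password store, the 16-byte nonce, and the password-then-number concatenation order are assumptions of the model.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed stand-in for the client computer's local password store.
CLIENT_PASSWORDS = {"admin": "correct horse"}


def client_challenge() -> bytes:
    """Client side: issue a fresh random number for this login attempt (16 bytes assumed)."""
    return os.urandom(16)


def admin_response(password: str, challenge: bytes) -> bytes:
    """Admin side: combine the typed password with the client's random number and
    apply a one-way hash (SHA-1, as the page names for ARD 1.0/1.1 on Mac OS X).
    Only this digest travels over the network, never the password itself."""
    return hashlib.sha1(password.encode() + challenge).digest()


def client_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Client side: recompute the digest with the local password for that user and
    grant access only if it matches what the admin application sent."""
    local = CLIENT_PASSWORDS.get(user)  # user name arrived in the clear
    if local is None:
        return False
    expected = hashlib.sha1(local.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def login(user: str, typed_password: str) -> Tuple[bytes, bytes, bool]:
    """One complete exchange; returns (random number, login packet digest, granted)."""
    challenge = client_challenge()
    response = admin_response(typed_password, challenge)
    return challenge, response, client_verify(user, challenge, response)


def replay_attempt(user: str, old_response: bytes) -> bool:
    """A previously captured digest presented on a later attempt: the client has
    issued a different random number, so the old digest no longer matches."""
    return client_verify(user, client_challenge(), old_response)
```

Two consecutive logins with the same password produce different login packets, which is the property the text describes; a captured packet is therefore not reusable against a fresh challenge.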

To a Mac OS X client computer using ARD 1.2 and 2.x

In Remote Desktop 1.2 and 2.x, authentication is based on a Diffie-Hellman key agreement protocol that creates a shared 128-bit key. This shared key is used to encrypt both the user name and the password using the Advanced Encryption Standard (AES). The Diffie-Hellman key agreement protocol used in ARD 1.2 and 2.x is very similar to the one used in personal file sharing; both use a 512-bit prime for the shared key calculation.

Administration

When administering with Remote Desktop 1.2 and 2.x, keystrokes and mouse events are encrypted when controlling Mac OS X client computers. This information is encrypted using the Advanced Encryption Standard (AES) with the 128-bit shared key that was derived during authentication.

Note: The VNC protocol does not encrypt keystrokes sent over the network, so sensitive information can be intercepted over the network when using a non-Apple VNC viewer.

Other

There is no encryption for controlling Mac OS 9 client computers. Also, there is no encryption of any of the other communication between the administrator computer and the Mac OS X or Mac OS 9 client computers.

Warning: If you are using ARD to manage computers over public networks, consider using a virtual private network (VPN) solution to protect your information.

Published Date: Feb 17, 2012