[13686] in cryptography@c2.net mail archive
Re: authentication and ESP
daemon@ATHENA.MIT.EDU (John S. Denker)
Sun Jun 22 18:42:00 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sun, 22 Jun 2003 17:15:47 -0400
From: "John S. Denker" <jsd@monmouth.com>
To: martin f krafft <madduck@madduck.net>
Cc: crypto list <cryptography@metzdowd.com>
In-Reply-To: <20030619174940.GA18220@diamond.madduck.net>
On 06/19/2003 01:49 PM, martin f krafft wrote:
> As far as I can tell, IPsec's ESP has the functionality of
> authentication and integrity built in:
It depends on what you mean by "built in".
1) The RFC provides for ESP+authentication but
does not require ESP to use authentication.
2) Although the RFC allows ESP without
authentication, typical implementations are
less flexible. In FreeS/WAN for instance, if
you ask for ESP will get ESP+AH.
ESP without authentication may be vulnerable to
replay attacks and/or active attacks that tamper
with the bits in transit. The degree of vulnerability
depends on details (type of chaining, higher-level
properties of payload, ...).
Remember that encryption and authentication perform
complimentary roles: Suppose Alice is sending to
Bob. They are being attacked by Eve. Encryption
limits the amount of information _Eve_ receives.
Authentication prevents tampering, so _Bob_ can
trust what he receives.
It is possible to construct situations where you
could omit the AH from ESP+AH without losing
anything, but you would need to analyze the
situation pretty carefully. If you have a good
reason for using something other than ESP+AH,
please clarify what you want to do and why.
Otherwise just go with the normal ESP+AH.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
