Re; (bypass channels)?



Sorry for not properly making the distinction between unencrypted and 
unauthenticated traffic. All other public key proposals require unencrypted 
key-management traffic. SKIP has no key-management traffic so it naturally 
doesn't require unencrypted key-management traffic. (And if session-oriented
key-management traffic is layered on SKIP, it too can be encrypted.)

Wrt hardware tests on every packet into the system, then conceivably
this can be signature based tests as well, and so key-management
schemes that only exchange authenticated messages would probably
be okay (although they risk exposing identification information etc.
because this would be in the clear).

The advantage of a SKIP-like scheme is that every packet is encrypted
so e.g. user identification information (and public keys etc.) are
never revealed.

So I take back my assertion that all non-SKIP key-management schemes
require unauthenticated traffic (although some of the proposals on
the table, e.g. those that do a DH exchange first and then authenticate,
do).

Ashar.