
Re: Proposed changes to ESP (and a little AH too)



Uri,

	Just an observation about the encrypt-then-authentication
(outbound) approach.  When AH and ESP were initially defined, ESP provided
only encryption.  To achieve the combined authentication and encrypt
function that was later added to ESP transforms, one would have to employ
both AH and ESP.  The architecture document does not recommend against
applying ESP first and then adding AH, and I have seen many examples based
on this ordering of these transforms.  Thus, in reversing the order of the
algorithm processing as I have suggested, one has a function analogous
(though not exactly equivalent) to what has been proposed and advertised as
a reasonable application of AH and ESP in the IPSEC context.

	 You are right, of course, that the "outer" authentication
computation verifies the ciphertext, not the underlying plaintext.
However, the recipient has negotiated both the key and the encryption
algorithm used to transform the ciphertext into plaintext, and we are
requiring PFS for the key management algorithms.  So, a number of tricks
that one might attempt to undermine the binding between the ciphertext and
plaintext should be thwarted.  Also, we are talking about authentication
and integrity, not non-repudiation, here, so some other forms of attacks
that might be of concern in the NR context don't apply either.

	Given these caveats, do you feel that the proposed re-ordering of
the processing steps (and associated syntax changes) poses a concern?  If
so, could you provide an example of the sort of attack that we would be
subject to under this proposed re-ordering?

Thanks,

Steve
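
The processing order discussed in the message above, as an added example that is not part of the original message: outbound encrypts and then authenticates the ciphertext, inbound checks the integrity value before decrypting. The stand-in cipher, the HMAC-SHA-256 value truncated to 12 bytes, and the `iv || ciphertext || icv` layout are assumptions of this sketch, not the ESP transforms or packet format.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 8    # assumed IV size for this sketch
ICV_LEN = 12  # assumed truncation of the HMAC output


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode. Not a real ESP transform."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + struct.pack(">I", off // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def icv(auth_key: bytes, iv: bytes, ct: bytes) -> bytes:
    # The "outer" integrity value covers IV and ciphertext, never the plaintext.
    return hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:ICV_LEN]


def outbound(enc_key: bytes, auth_key: bytes, plaintext: bytes) -> bytes:
    """Sender: encrypt first, then authenticate the result."""
    iv = os.urandom(IV_LEN)
    ct = keystream_xor(enc_key, iv, plaintext)
    return iv + ct + icv(auth_key, iv, ct)


def inbound(enc_key: bytes, auth_key: bytes, packet: bytes) -> bytes:
    """Receiver: verify the integrity value, decrypt only if it matches."""
    if len(packet) < IV_LEN + ICV_LEN:
        raise ValueError("packet too short")
    iv, ct, tag = packet[:IV_LEN], packet[IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(auth_key, iv, ct)):
        raise ValueError("ICV mismatch: dropped before decryption")
    return keystream_xor(enc_key, iv, ct)


if __name__ == "__main__":
    ek, ak = os.urandom(16), os.urandom(16)  # constructed sample keys
    pkt = outbound(ek, ak, b"constructed sample payload")
    print(inbound(ek, ak, pkt))
    # Same packet, same auth key, different decryption key: the integrity
    # check still passes, but the recovered bytes differ. The tie between
    # ciphertext and plaintext rests on both ends using the negotiated key.
    print(inbound(os.urandom(16), ak, pkt))
```

A modified ciphertext byte makes `inbound` raise before any decryption work is done, which is the practical benefit of this ordering on the receive side.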



