
Re: Proposed changes to ESP (and a little AH too)



Stephen Kent says:
> 	 You are right, of course, that the "outer" authentication
> computation verifies the ciphertext, not the underlying plaintext.

Of course. (:-)

> However, the recipient has negotiated both the key and the encryption
> algorithm used to transform the ciphertext into plaintext, and we are
> requiring PFS for the key management algorithms....Also, we are talking 
> about authentication and integrity, not non-repudiation, here.......

Yes, I understand that.

> Given these caveats, do you feel that the proposed re-ordering of
> the processing steps (and associated syntax changes) poses a concern?  If
> so, could you provide an example of the sort of attack that we would be
> subject to under this proposed re-ordering?

1. I'm not sure. As you might have noticed, that same approach is adopted 
   by SNMP Security (encrypt the body first, then authenticate the whole
   package), and similar arguments were made (wrt. who cares about non-
   repudiation etc.). Of course it's a reasonable assumption, that if
   both sides have the same encryption algorithm/key and the ciphertext
   is authentic, then the plaintext will also match. And *if* you can
   guarantee that the keys are indeed intact on both ends, *probably*
   the approach will work OK.

2. I don't have [at this moment] an example of how to break this
   encrypt-first-auth-second scheme. But I haven't really thought
   about it, and there are others more clever than me wrt. crypto
   attacks on the algorithms and protocols.

3. I basically tried to simply answer the question posted: what's the
   difference wrt. the order of the operations.

Crypto people, am I the only one who is not 100% comfortable with
this order of the operations? Can *you* think of an attack?  What
would be the assumptions for such an attack to succeed?
-- 
Regards,
Uri		uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>
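
The ordering discussed in this message, as an added example that is not part of the original post: the sender encrypts first and authenticates the ciphertext, and the receiver checks the outer tag before decrypting. It assumes HMAC-SHA256 for the tag and a toy SHA-256 counter keystream standing in for the negotiated cipher; all function names and keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream: a stand-in cipher for illustration,
    # not an ESP transform.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, auth_key: bytes, nonce: bytes, plaintext: bytes):
    # Sender: encrypt first, then authenticate nonce || ciphertext.
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_(enc_key: bytes, auth_key: bytes, packet):
    # Receiver: check the outer tag over the ciphertext before decrypting.
    nonce, ct, tag = packet
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # rejected without running the cipher
    return xor_crypt(enc_key, nonce, ct)

def demo():
    enc_key, auth_key = b"E" * 32, b"A" * 32   # constructed sample keys
    nonce, msg = b"\x00" * 8, b"constructed sample payload"
    pkt = seal(enc_key, auth_key, nonce, msg)
    ok = open_(enc_key, auth_key, pkt)
    # Ciphertext modified in transit: the tag check fails.
    tampered = (pkt[0], bytes([pkt[1][0] ^ 1]) + pkt[1][1:], pkt[2])
    rejected = open_(enc_key, auth_key, tampered)
    # Receiver holds a different encryption key: the tag still verifies,
    # but the recovered plaintext is not what the sender encrypted.
    wrong = open_(b"X" * 32, auth_key, pkt)
    return ok, rejected, wrong

if __name__ == "__main__":
    print(demo())
```

The third result shows the assumption raised in point 1: the outer tag vouches for the ciphertext only, so the plaintext matches only if the encryption keys are intact on both ends.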

