
Re: notes from developer's portion of IETF meeting




I am worried about this (revived) integrity-less encryption mood.
It does not make sense to justify this approach under the
argument that in some circumstances some particular attack
(e.g. Bellovin's) will not work.

Even if not said explicitly, most of the arguments are based on
the never-to-disappear illusions on the (pseudo) integrity
properties inherent to CBC mode (would anyone suggest integrity-less 
encryption using a stream cipher?).
It is time to abandon such illusions.

The only people that can use integrity-less security are those that
DO NOT CARE about their traffic being changed en route and do not care
about chosen ciphertext attacks. 

If there are applications that consciously decide to take all these risks
I suggest they negotiate the EMPTY-MAC as their authentication 
algorithm (no processing penalty) rather than having ipsec explicitly allowing
integrity-less IP security.

As for computation time we keep seeing MAC algorithms getting much faster
than encryption algorithms (although the effect on ipsec processing speed
of these faster algorithms is not entirely clear).

Hugo
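
The message's point that CBC mode carries no integrity of its own, shown as an added example that is not part of the original message or of any IPsec code: a one-byte change in transit decrypts cleanly to a different plaintext, while the same change is rejected once a MAC covers the ciphertext. The 4-round Feistel construction is a constructed stand-in for a real block cipher, and the keys, sample message and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes of the toy cipher below

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, rounds):
    # Constructed 4-round Feistel permutation standing in for a real block cipher.
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        f = hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l  # final swap: reversed round order inverts it

def cbc_encrypt(key, pt):
    # Returns IV || ciphertext; pt must be a multiple of BLOCK (no padding).
    out = [os.urandom(BLOCK)]
    for i in range(0, len(pt), BLOCK):
        out.append(_feistel(key, _xor(pt[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_feistel(key, c, reversed(range(4))), p)
                    for p, c in zip(blocks, blocks[1:]))

def seal(enc_key, mac_key, pt):
    # Encrypt-then-MAC: HMAC-SHA256 over IV || ciphertext.
    ct = cbc_encrypt(enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, msg):
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")  # reject before decrypting
    return cbc_decrypt(enc_key, ct)

def flip(data, index, mask):  # models one byte changed in transit
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]

if __name__ == "__main__":
    ek, mk, pt = b"E" * 16, b"M" * 16, b"PAY 0100 TO BOB."  # constructed
    print(cbc_decrypt(ek, flip(cbc_encrypt(ek, pt), 4, 0x09)))  # decrypts without error
    try:
        open_sealed(ek, mk, flip(seal(ek, mk, pt), 4, 0x09))
    except ValueError as exc:
        print("rejected:", exc)
```

Without the MAC, the receiver has no signal that the first block changed, since CBC decryption of the modified message completes normally.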

