[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: notes from developer's portion of IETF meeting



Hugo + Hilarie,

	You made some good points why CBC mode, w/o cryptographic-based
authentication, is not generally adequate to protect traffic from
disclosure given the ability to launch more subtle attacks at the IP or
higher layers.

	However, ESP is intended to be an algorithm and mode independent
protocol,  What about other modes?  I recall a plaintext/ciphertext block
chaining mode developed by IBM in the early 80s (late 70s?) that would seem
to be more resistant to any form of packet modification.  Would use of this
mode with ESP still require separate, cryptographic-based authentication,
in your opinion?  Might there be other modes that would provide adequate
protection?  if so, then we ought not preclude use of ESP with encryption
but without cryptographic-based authentication.

	Also, let me suggest another application example of where I think
this would be approrpriate, perhaps even with CBC mode.  The directory
access protocol for X.500, DAP, has built-in signature autehntication and
integrity mechansims, and even a weak form of timestamp-based anti-replay.
However, because of the use of chaining in X.500, no confidentiality is
provide at the application layer.  Instead, the spec calls for use of lower
layer encrytion for that purpose, e.g., at the network layer.  So, this
would seem to be a reasonable context in which to use ESP w/o
authentication.

Steve




Follow-Ups: References: