
Re: beginner's questions



DES-CBC mode provides confidentiality, but it does not provide integrity
per se. Still, it can support an integrity service when used in conjunction
with the right integrity algorithm.  However, it's better to think of the
encryption algorithm as providing just confidentiality.

The answer to your second question is a bit more subtle.  In a narrow
sense, use of a keyed hash function (e.g., HMAC) provides integrity for the
data on which the function is computed.  Specifically, it provides
assurance that the packet has not been modified after the hash was computed
and before the hash was verified.  However, we need to know who holds the
key used to compute the hash, otherwise the integrity guarantee is rather
meaningless. So, to the extent that we know who holds that key, we have
some level of authentication as well, i.e., we know who sent the packet AND
that the packet was not modified after it was sent.  Depending on the
granularity of the key management employed, we may have very fine grained
authentication, or rather coarse authentication.  For example, we may know
that a specific user on a specific computer sent the packet, or we may know
only that some host (among a set) at a site sent the packet.

Steve
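
The point above about key-management granularity, as an added example that is not part of the original message: the receiver can attribute a verified packet only to the set of parties holding the key. The keys, party names and packet are constructed, and HMAC-SHA256 is an assumed choice of keyed hash.

```python
import hashlib
import hmac


def compute_mac(key: bytes, packet: bytes) -> bytes:
    """Keyed hash over the packet (HMAC-SHA256 chosen for this example)."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def possible_senders(key_holders: dict, packet: bytes, mac: bytes) -> set:
    """Return every party holding a key under which the MAC verifies.

    An empty set means the integrity check failed: the packet was modified
    after the MAC was computed, or it was made with a key we do not know.
    """
    senders = set()
    for key, holders in key_holders.items():
        if hmac.compare_digest(compute_mac(key, packet), mac):
            senders |= holders
    return senders


# Constructed sample data (hypothetical keys and names).
SITE_KEY = b"constructed-site-key-0123456789ab"
ALICE_KEY = b"constructed-alice-host1-key-0123"
BOB_KEY = b"constructed-bob-host2-key-012345"
PACKET = b"constructed payload: transfer 100 to account 42"

# Coarse keying: one key shared by several hosts at a site.
COARSE = {SITE_KEY: {"host1", "host2", "host3"}}
# Fine keying: one key per user on a specific computer.
FINE = {ALICE_KEY: {"alice@host1"}, BOB_KEY: {"bob@host2"}}


def demo() -> dict:
    tampered = PACKET.replace(b"100", b"900")
    return {
        # Verifies, but the sender is only "some host at the site".
        "coarse": possible_senders(COARSE, PACKET, compute_mac(SITE_KEY, PACKET)),
        # Verifies and pins the sender to one key holder.
        "fine": possible_senders(FINE, PACKET, compute_mac(ALICE_KEY, PACKET)),
        # Packet changed after the MAC was computed: no key verifies.
        "tampered": possible_senders(FINE, tampered, compute_mac(ALICE_KEY, PACKET)),
        # MAC made with a key whose holder we do not know: rejected.
        "unknown_key": possible_senders(FINE, PACKET, compute_mac(b"outsider", PACKET)),
    }


if __name__ == "__main__":
    for case, senders in demo().items():
        print(f"{case:12s} -> {sorted(senders) or 'REJECTED'}")
```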



