[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: A problem with public key encrption in IKE

To: "'Stephen Kent'" <kent@bbn.com>, francisco_corella@hp.com
Subject: RE: A problem with public key encrption in IKE
From: "Mason, Shane" <smason@blockade.com>
Date: Tue, 21 Dec 1999 12:12:43 -0500
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

Please help me understand.  How is positive identification (authentication)
not the same as nonrepudiability?  If I positively identify someone (DNA?)
how can they refute that they are that person?

AFAIK, when someone says "You did it!", repudiation is the response "No I
didn't."  Non-repudiation is the state where the accuser has the ability to
follow with "I have irrefutable proof."

In IKE, there is non-repudiation.  If anonymous party A uses IKE to set up
an IPSEC session with party B, and all packets A sends are signed by A using
the authentication key agreed upon in process of setting up the IPSEC
session (using DH), then all of those packets had to come from A.  B could
impersonate A, but only to herself, so that doesn't count.  We're not
talking about legal authentication by an univolved third party, merely a way
for B to KNOW that all packets for this session came from A.  That is
non-repudiation.  It does not involve the identity of A other than A is the
person with whom B initiated a session, and therefore these subsequest
packets MUST be from A.  A cannot deny that he sent the subsequent packets
because, unless he shared the key with a third party.

Similarly, if the crypto is strong,and the private key is safely locked
away, if some-{one,thing} signs something, it is irrefutable that the owner
of the signing key (whoever they are) signed it.

Or are we asserting that non-repudiation is defined such that an uninvolved
third party must be able to verify that A applied a signature?  Or are we
asserting that non-repudiation can only exist in cases of proving identity?

ICMan

-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Friday, December 17, 1999 3:17 PM
To: francisco_corella@hp.com
Cc: ipsec@lists.tislabs.com
Subject: Re: A problem with public key encrption in IKE


Francisco,
>     Steve,
>
>     If one is allowed to argue that one has been persuaded to sign 
>random     data, then the whole concept of a digital signature 
>collapses.      Remember that when a document is signed, the digital 
>signature is     applied to a cryptographic hash of the document and 
>the hash is     indistinguishable from random data if you don't know 
>how it was     generated.

Well, not all signatures are intended to be non-repudiable! 
Sometimes we sign things purely for authentication.  As we have 
discussed extensively on the PKIX list, one should exercise care in 
setting the key usage bits, to distinguish the intent of signing as 
repudiable or non-repudiable. So, IF one wished to use 
signature-based authentication with IKE, and wished to avoid any 
connotation of non-repudiation, it is feasible to do that.

Steve

Prev by Date: RE: tell me something about the frees/wan
Next by Date: RE: signture mode and non-repudiation
Prev by thread: Re: A problem with public key encrption in IKE
Next by thread: Security
Index(es):
- Main
- Thread