Re: [Design] Re: Wes Hardaker: opportunistic encryption deployment problems
At 9:41 AM -0400 8/16/01, Derek Atkins wrote:
>Stephen Kent <kent@bbn.com> writes:
>
>> We disagree on the merits of opportunistic encryption. For most
>> organizations, the primary threat is one of unauthorized access, not
>> massive passive wiretapping of Internet traffic. Thus encrypting lots
>> of traffic, without providing accompanying access controls, might
>> cause more harm (in the access control dimension) than good, e.g., by
>> making it harder to perform intrusion detection, trace attacks, etc.
>> However, to the extent that FreeS/WAN tries to address a concern to a
>> user community that has a different threat model, one that is more
>> focused on big brother than on hackers, I don't argue with your
>> approach.
>
>This is certainly not MY memory from Cambridge '92, when the concept
>of IPsec was to provide encryption technology at the network layer for
>all connections on the Internet. A side effect of the goal was
>endpoint authentication. Adding access control came even later.
>
Some may have come away with that impression. I certainly didn't. You
may recall that Ran Atkinson, who wrote the initial documents, noted
that he viewed IPsec as modelled in large part on the SDNS SP3 work.
I participated in that work, and I can assure you that endpoint
authentication was an essential aspect of SP3.

I also recall that Steve Bellovin and I participated in a panel at
the National Computer Security Conference in the mid-90s, chaired by
Dorothy Denning, where the topic was "Will Encryption Thwart
Hackers." The panel was unanimous in agreeing that the answer was no,
for a variety of reasons that are still valid today. I know of very
few folks in the (larger) Internet community who believe that the
principal threat is passive wiretapping of the Internet, vs.
unauthorized access to computing resources on organizational LANs.
Encryption of lots of Internet traffic, without accompanying
authentication and access control, does not address the latter
concern.
Steve