RE: data origin authentication
Hello All,
> -----Original Message-----
> From: Christina Helbig [mailto:cbh@zyfer.com]
> Sent: Tuesday 7 May 2002 21:02
> To: 'Joern Sierwald'; ipsec@lists.tislabs.com
> Subject: RE: data origin authentication
>
>
> Hello, Joern
> if you are a bad guy and you own an in-bound SA you can produce a faked ESP
> packet that looks like it's come from the other party of your in-bound SA.
> Then you can claim that you got this packet from the other party. So the
> data origin authentication of ESP (two parties know the same authentication
> key) doesn't deliver non-repudiation of data origin. But a receiver can be
> sure that the sender of an incoming ESP packet is only the other party of
> the related in-bound SA or the receiver itself.
Non-repudiation.
Hmm.
Checking the RFCs, it is nowhere claimed that ESP and/or AH
offer non-repudiation as a security service.
(But perhaps non-repudiation is a must and then solutions have
to be developed.)
Greetings,
Stefan.
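
The point made in this thread, as an added example that is not part of the original messages: with a shared authentication key the receiver can reject outsiders, but a packet built by the peer and one built by the receiver itself are byte-identical, so a third party cannot attribute it. The packet layout is simplified (SPI, sequence number, cleartext payload, HMAC-SHA-1-96 ICV; no encryption or padding trailer), and the key, SPI and payload are constructed values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96 truncates the tag to 96 bits


def esp_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the (simplified) ESP header and payload."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!II", spi, seq)
    return header + payload + esp_icv(auth_key, spi, seq, payload)


def verify_packet(auth_key: bytes, packet: bytes) -> bool:
    """Receiver-side check: accept only packets made with the SA's key."""
    if len(packet) < 8 + ICV_LEN:
        return False
    spi, seq = struct.unpack("!II", packet[:8])
    payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, payload))


def third_party_can_attribute(from_peer: bytes, from_self: bytes) -> bool:
    """Attribution is possible only if the two parties' outputs differ."""
    return from_peer != from_self


def demo() -> dict:
    key = bytes(range(20))                      # constructed shared key
    spi, seq, payload = 0x1000, 7, b"constructed payload"
    from_peer = build_packet(key, spi, seq, payload)      # sent by the peer
    from_self = build_packet(key, spi, seq, payload)      # made by the receiver
    from_outsider = build_packet(b"\x00" * 20, spi, seq, payload)
    return {
        "receiver_accepts_peer": verify_packet(key, from_peer),
        "receiver_accepts_outsider": verify_packet(key, from_outsider),
        "third_party_can_attribute": third_party_can_attribute(from_peer, from_self),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```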