[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: data origin authentication



Hello All,

> -----Original Message-----
> From: Christina Helbig [mailto:cbh@zyfer.com]
> Sent: dinsdag 7 mei 2002 21:02
> To: 'Joern Sierwald'; ipsec@lists.tislabs.com
> Subject: RE: data origin authentication
> 
> 
> Hello, Joern
> if you are a bad guy and you own a in-bound SA you can 
> produced a faked ESP
> packet that looks like its come from the other party of your 
> in-bound SA.
> Then you can claim that you got this packet from the other 
> party. So the
> data origin authentication of ESP (two parties know the same 
> authentication
> key) don't deliver non-repudiation of data origin.  But a 
> receiver can be
> sure that the sender of an incoming ESP packet is only the 
> other party of
> the related in-bound SA or the receiver itself. 

Non-repudiation. 
Hmm.
Checking the rfc's, it is nowhere claimed that ESP and/or AH
offers non-repudiation as a security service.

(But perhaps non-repudiation is a must and then solutions have
to be developed.)


Greetings,

Stefan.