
RE: data origin authentication



Hi, Stefan
I haven't claimed that ESP offers non-repudiation. ESP offers data origin
authentication without non-repudiation. This was only a remark about a
possible misunderstanding of the term "data origin authentication" in the
sense that there is only one possible origin.
Greetings
Christina

> -----Original Message-----
> From: Goeman Stefan [mailto:Stefan.Goeman@siemens.atea.be]
> Sent: Wednesday, May 08, 2002 1:12 AM
> To: 'ipsec@lists.tislabs.com'
> Subject: RE: data origin authentication
> 
> 
> Hello All,
> 
> > -----Original Message-----
> > From: Christina Helbig [mailto:cbh@zyfer.com]
> > Sent: dinsdag 7 mei 2002 21:02
> > To: 'Joern Sierwald'; ipsec@lists.tislabs.com
> > Subject: RE: data origin authentication
> > 
> > 
> > Hello, Joern
> > if you are a bad guy and you own an in-bound SA, you can produce a
> > faked ESP packet that looks like it has come from the other party of
> > your in-bound SA. Then you can claim that you got this packet from the
> > other party. So the data origin authentication of ESP (two parties
> > know the same authentication key) doesn't deliver non-repudiation of
> > data origin. But a receiver can be sure that the sender of an incoming
> > ESP packet is only the other party of the related in-bound SA or the
> > receiver itself.
> 
> Non-repudiation. 
> Hmm.
> Checking the RFCs, it is nowhere claimed that ESP and/or AH
> offer non-repudiation as a security service.
> 
> (But perhaps non-repudiation is a must and then solutions have
> to be developed.)
> 
> 
> Greetings,
> 
> Stefan.
>
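The property discussed in this thread, shown as an added example that is not part of the mailing-list exchange: an ESP-style packet protected by an HMAC over a key shared by both ends of the SA. A valid integrity check value (ICV) proves to the receiver that a key holder produced the packet, which rules out outsiders and tampering, but because the receiver holds the same key it can produce an equally valid packet, so the ICV proves nothing to a third party. The packet layout, field widths, key bytes and the `build_packet`/`verify_packet` helpers are constructed for illustration and do not follow the ESP wire format in the RFCs exactly.

```python
"""Added example: shared-key data origin authentication without non-repudiation.

Models an ESP-like packet as SPI || seq || payload || ICV, where the ICV is a
truncated HMAC over the preceding bytes. Constructed for illustration; not
the real ESP format.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96 style truncation (12 bytes), as many ESP integrity algorithms use
HEADER_LEN = 8        # 4-byte SPI + 4-byte sequence number


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Return SPI || seq || payload || ICV with ICV = HMAC-SHA1(key, SPI||seq||payload)[:12]."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_packet(key: bytes, packet: bytes) -> bool:
    """True iff the ICV was computed by someone holding `key` and the body is intact."""
    if len(packet) < HEADER_LEN + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)   # constant-time comparison


def demo() -> dict:
    """Walk through the thread's argument and return each observation as a bool."""
    # Constructed SA state: both peers of the SA hold the same integrity key.
    sa_key = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")
    spi = 0x1000

    # The genuine sender protects a packet; the receiver verifies it.
    from_sender = build_packet(sa_key, spi, 1, b"hello from the peer")
    receiver_accepts_genuine = verify_packet(sa_key, from_sender)

    # The receiver holds the same key, so it can build a packet that passes the
    # identical check. A valid ICV therefore cannot show a third party which of
    # the two key holders made the packet: no non-repudiation of origin.
    forged_by_receiver = build_packet(sa_key, spi, 2, b"the peer never sent this")
    forgery_verifies = verify_packet(sa_key, forged_by_receiver)

    # Without the key (constructed wrong key), no valid ICV can be produced:
    # data origin authentication against outsiders holds.
    outsider_key = bytes.fromhex("ff" * 24)
    from_outsider = build_packet(outsider_key, spi, 3, b"outsider")
    outsider_rejected = not verify_packet(sa_key, from_outsider)

    # Flipping one payload bit of the genuine packet is detected.
    tampered = bytearray(from_sender)
    tampered[HEADER_LEN] ^= 0x01
    tamper_rejected = not verify_packet(sa_key, bytes(tampered))

    return {
        "receiver_accepts_genuine": receiver_accepts_genuine,
        "forgery_verifies": forgery_verifies,
        "outsider_rejected": outsider_rejected,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver's conclusion in the thread follows directly from these four checks: an accepted packet came from a holder of the SA key, which is either the peer or the receiver itself, and nothing in the packet distinguishes the two. A signature made with a key only the sender holds would be needed for non-repudiation; this example deliberately stays with the symmetric MAC the thread is about.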