[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ESP+AH

To: Russell Harrison <RHarrison@zento.com.au>, "'Mike Ruhl'" <mruhl@cips.nokia.com>, ipsec@lists.tislabs.com
Subject: RE: ESP+AH
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Date: Thu, 09 May 2002 11:31:10 -0500
In-Reply-To: <A090D1CFDEDFB446BD493E0A5462AB28DD4A@persephone.zento.com.au>
Sender: owner-ipsec@lists.tislabs.com

At 06:08 PM 5/8/2002, Russell Harrison wrote:

> Irrespective of the ordering of the proposal, the only way it
>makes sense to apply both AH and ESP is [AH][ESP].

In a truly practical sense, I don't think it matters which way you do it. You loose a smidgin of benefit either way. 

Years back in "Internet Cryptography" I suggested that [AH][ESP] makes the most sense since it makes it possible for a gateway to authenticate a packet without knowing how to decrypt it (tho' I don't know of anyone who ever made use of this capability). Implementers also liked this approach since it let you validate the ciphertext integrity before handing it to the crypto modules which, in the early days, were unnecessarily fragile.

On the other hand, a crypto purist would argue that you get weaker authentication with [AH][ESP]. It's only authenticating the ciphertext. In theory, this could allow you to change the plaintext by varying the encryption process and the changed plaintext wouldn't be detected by the AH.

Of course, this is largely a theoretical concern. It's not immediately clear what an attacker has to gain from this, nor is it clear that this is feasible in any real world IPSEC implementations.

Rick.
smith@securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

References:
- RE: ESP+AH
  - From: Russell Harrison <RHarrison@zento.com.au>

Prev by Date: Re: ESP+AH
Next by Date: IKE v1 are multiple ISAKMP SA allowed
Prev by thread: Re: ESP+AH
Next by thread: IKE v1 are multiple ISAKMP SA allowed
Index(es):
- Date
- Thread