Security Incidents mailing list archives
Re: isakmp before smtp?
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Thu, 14 Sep 2000 10:48:35 -0700
Steffen Dettmer wrote:

> * Valdis Kletnieks wrote on Tue, Sep 12, 2000 at 09:49 -0400:
> > On Mon, 11 Sep 2000 18:04:29 CDT, Frank Knobbe <FKnobbe () KNOBBEITS COM> said:
> > The basic trick here is "Diffie-Hellman key exchange".
> > [...]
> > If you're only worried about confidentiality (to prevent eavesdropping) you can use Diffie-Hellman to exchange a session key to use for encrypting the session. If you're worried about authentication too, you STILL want to use DH first, to set up a secure connection for key exchange, [...]
> > Basic summary: For confidentiality, *no* pre-arranged keying is needed. For authentication, you need either a public/private key pair or a shared secret.
>
> I think encryption without authentication makes little sense, since it should be possible for an attacker to connect as if it were authorized, and so the attacker would get the data she's interested in, ain't it? So the attacker could spoof the real target of the encryption tunnel, and nothing would detect this (man-in-the-middle attack). So I would summarize: For confidentiality, authentication is needed. Please correct me if I'm wrong.
You are wrong. By _definition_ confidentiality and authentication are different things. Confidentiality just means that a third party cannot overhear what two parties are discussing[0]. Authentication is making sure that each of the two parties knows who the other is. It is quite possible to have either one without the other. Sticking to the original subject, you can run IPsec with AH, with ESP, or with both. However you'd like[1].

As for how _useful_ one without the other is, well, that is another matter. Using the original subject of the thread as an example, say that you want to send email and would rather not have it sniffed. In our example, the mail sender does not trust his LAN (maybe he's at a university or something), but is not too worried about the identity of the destination (i.e. domain or IP address hijack is not likely). For him, just ensuring the connection is confidential would step up his security significantly. Yes, authentication would be even better, but it is less important to him and there may be no mechanism available to do it (you need a trusted communication channel or a mutually trusted third party for authentication).

[0] Yes, there is no implication that the two parties talking are actually who the other thinks they are. A man in the middle can intercept the connection before confidentiality is established, but the connection between the first party and the man in the middle will still be confidential.

[1] You can't always get what you want. The risks of running with confidentiality and no authentication (via AH anyway) are something I've had to think about quite a bit recently. There is a situation where I want to use IPsec, but one end of the connection is NAT'ed. One cannot do AH, but ESP works fine.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
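The point made in the reply and its footnote [0], that an unauthenticated Diffie-Hellman exchange yields a confidential channel even when a man in the middle has intercepted it, is easy to see in a small simulation. The following is an added illustration, not code from anyone in the thread. It models Alice, Bob and an interceptor Mallory as plain functions: first a bare DH exchange, in which Mallory ends up holding one perfectly confidential tunnel to each victim, and then the same exchange with each public value carrying an HMAC under a pre-shared secret (the "shared secret" option Valdis mentions), where the substituted values fail to verify. The group is the 1024-bit MODP modulus from RFC 2409 (IKE group 2), transcribed here and sanity-checked with a Miller-Rabin test; the HMAC-over-public-value scheme is a simplified stand-in for what IKE actually does, not a description of IKE.

```python
"""Diffie-Hellman with and without authentication: a man-in-the-middle model.

Added illustration for the thread above, not code from any participant.
Alice, Bob and the interceptor Mallory are modelled as plain functions so
the whole exchange runs offline.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (IKE "group 2"), transcribed here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test, used to sanity-check the transcribed modulus."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # composite witness found
    return True


def dh_keypair():
    """Fresh private exponent x and the public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_session_key(private, peer_public):
    """Session key derived from the shared secret g^xy mod p."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def unauthenticated_exchange(mitm):
    """Plain DH.  With mitm=True Mallory replaces each public value in transit."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not mitm:
        return {"alice": dh_session_key(a_priv, b_pub),
                "bob": dh_session_key(b_priv, a_pub)}
    ma_priv, ma_pub = dh_keypair()   # the value Alice receives instead of Bob's
    mb_priv, mb_pub = dh_keypair()   # the value Bob receives instead of Alice's
    return {
        "alice": dh_session_key(a_priv, ma_pub),
        "bob": dh_session_key(b_priv, mb_pub),
        # Two confidential tunnels exist; neither ends where its owner believes.
        "mallory_with_alice": dh_session_key(ma_priv, a_pub),
        "mallory_with_bob": dh_session_key(mb_priv, b_pub),
    }


def tag(psk, role, public):
    """Authenticator over a DH public value, keyed with the pre-shared secret."""
    return hmac.new(psk, role.encode() + public.to_bytes(128, "big"),
                    hashlib.sha256).digest()


def authenticated_exchange(psk, mitm):
    """DH where each public value carries an HMAC under the shared secret psk.

    Returns both session keys, or None when a party rejects the received
    value because its authenticator does not verify.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, tag(psk, "alice", a_pub))      # what Bob should receive
    b_msg = (b_pub, tag(psk, "bob", b_pub))        # what Alice should receive
    if mitm:
        # Without psk, Mallory can only tag her values under a key of her own.
        m_psk = secrets.token_bytes(32)
        _, ma_pub = dh_keypair()
        _, mb_pub = dh_keypair()
        a_msg = (ma_pub, tag(m_psk, "alice", ma_pub))
        b_msg = (mb_pub, tag(m_psk, "bob", mb_pub))
    recv_b_pub, recv_b_tag = b_msg                 # Alice's view of Bob
    recv_a_pub, recv_a_tag = a_msg                 # Bob's view of Alice
    if not hmac.compare_digest(recv_b_tag, tag(psk, "bob", recv_b_pub)):
        return None                                # Alice aborts
    if not hmac.compare_digest(recv_a_tag, tag(psk, "alice", recv_a_pub)):
        return None                                # Bob aborts
    return {"alice": dh_session_key(a_priv, recv_b_pub),
            "bob": dh_session_key(b_priv, recv_a_pub)}
```

Running `unauthenticated_exchange(True)` shows the situation footnote [0] describes: Alice's key equals Mallory's key towards Alice, Bob's equals Mallory's towards Bob, and the two victims' keys differ, yet every byte on each leg is still unreadable to anyone else on the LAN. `authenticated_exchange(psk, True)` returns None because the tags were made under the wrong key, which is the detection the original poster was looking for and which, as the reply notes, requires some prior trust (here the pre-shared secret) that pure confidentiality does not.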
Current thread:
- isakmp before smtp? Philipp Buehler (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Re: isakmp before smtp? Frank Knobbe (Sep 12)
- Re: isakmp before smtp? Mike Fratto (Sep 12)
- Re: isakmp before smtp? Valdis Kletnieks (Sep 12)
- Re: isakmp before smtp? Steffen Dettmer (Sep 14)
- Re: isakmp before smtp? Valdis Kletnieks (Sep 14)
- Re: isakmp before smtp? Crist Clark (Sep 14)