Security Incidents mailing list archives
Re: isakmp before smtp?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 14 Sep 2000 09:22:31 -0400
On Wed, 13 Sep 2000 10:48:07 +0200, Steffen Dettmer <steffen () DETT DE> said:
> I think encryption without authentication makes little sense, since it should be possible for an attacker to connect as if it were authorized and so the attacker would get the data she's interested in, ain't? So the attacker could spoof the real target of the encryption tunnel, and nothing would detect this (man-in-the-middle-attack). So I would summarize: For confidentiality, authentication is needed.
Urm. Urp. Yes. ;)

I hadn't had enough caffeine at the time, and what I was *thinking* was that it was sufficient to stop a passive listening attack. As several people have pointed out to me, you *do* need to do a double-check with some sort of authentication if there's a possibility of an active man-in-the-middle attack.

<as he makes a note *not* to write about crypto before 11AM> ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
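The distinction drawn in this exchange, as an added example that is not part of the original message: an unauthenticated key exchange holds up against a listener who only forwards traffic, yields two different keys (both known to the relay) when the relay substitutes its own public value, and rejects the substitution once the public values are authenticated. The toy Diffie-Hellman group, the pre-shared MAC key and all names are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for illustration; far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(auth_key, pub):
    # MAC over the public value under a key both ends share out of band (assumption).
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

class Passive:
    """Listener: records traffic and forwards it unchanged."""
    def __init__(self):
        self.seen = []
    def __call__(self, pub, mac):
        self.seen.append(pub)
        return pub, mac

class Active(Passive):
    """Man in the middle: substitutes its own public value in both directions."""
    def __init__(self):
        super().__init__()
        self.priv, self.pub = keypair()
    def __call__(self, pub, mac):
        self.seen.append(pub)
        return self.pub, mac  # it cannot compute a valid MAC without the shared key

def exchange(relay, auth_key=None):
    """One key exchange through `relay`; returns (client_key, server_key).
    With auth_key set, each side verifies the MAC on the value it received."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    mac = (lambda pub: tag(auth_key, pub)) if auth_key else (lambda pub: b"")
    c_rx, c_mac = relay(c_pub, mac(c_pub))  # client's value as it arrives at the server
    s_rx, s_mac = relay(s_pub, mac(s_pub))  # server's value as it arrives at the client
    if auth_key and not (hmac.compare_digest(mac(c_rx), c_mac)
                         and hmac.compare_digest(mac(s_rx), s_mac)):
        raise ValueError("public value failed authentication: possible man in the middle")
    return session_key(c_priv, s_rx), session_key(s_priv, c_rx)
```

Without `auth_key`, neither endpoint sees an error in the active case; the only symptom is that the two sides hold different keys, which they cannot compare without an authenticated channel.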