Security Incidents mailing list archives

Re: isakmp before smtp?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 14 Sep 2000 09:22:31 -0400

On Wed, 13 Sep 2000 10:48:07 +0200, Steffen Dettmer <steffen () DETT DE>  said:
I think encryption without authentication makes only little sense,
since it should be possible for an attacker to connect as if it
were authorized and so the attacker would get the data she's
interested in, ain't? So the attacker could spoof the real target
of the encryption tunnel, and nothing would detect this
(man-in-the-middle-attack).

So I would summarize:
For confidentiality, authentication is needed.

Urm. Urp. Yes. ;)

I hadn't had enough caffeine at the time, and what I was *thinking* was
that it was sufficient to stop a passive listening attack.  As several
people have pointed out to me, you *do* need to do a double-check with
some sort of authentication if there's a possibility of an active
man-in-the-middle attack.

<as he makes a note *not* to write about crypto before 11AM> ;)


-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
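
The point conceded above, as an added example that is not part of the original message: a toy Diffie-Hellman exchange where an unauthenticated run is safe only against a passive listener, while an active interceptor ends up sharing a key with each side unnoticed. The group parameters, the HMAC-with-pre-shared-key check and all function names are assumptions chosen for illustration, not ISAKMP's actual exchange.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(psk, pub):
    # Hypothetical authentication step: HMAC over the public value.
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(psk=None, active_mitm=False):
    """One A<->B exchange. Returns (a_key, b_key, mitm_keys, accepted)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    to_b = (a_pub, tag(psk, a_pub) if psk else None)  # what B receives
    to_a = (b_pub, tag(psk, b_pub) if psk else None)  # what A receives
    m_priv = None
    if active_mitm:
        # The interceptor substitutes its own public value in both
        # directions. It has no PSK, so it can only forward the old tags.
        m_priv, m_pub = keypair()
        to_b, to_a = (m_pub, to_b[1]), (m_pub, to_a[1])
    if psk:
        # Each endpoint checks the tag on the value it actually received.
        for pub, t in (to_a, to_b):
            if not hmac.compare_digest(t, tag(psk, pub)):
                return None, None, None, False
    a_key = session_key(a_priv, to_a[0])
    b_key = session_key(b_priv, to_b[0])
    mitm_keys = None
    if active_mitm:
        mitm_keys = (session_key(m_priv, a_pub), session_key(m_priv, b_pub))
    return a_key, b_key, mitm_keys, True
```

Without a PSK the substituted exchange is accepted and the two endpoints hold different keys, each shared with the interceptor; with the PSK check the same substitution is rejected before any key is derived.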

