Security Incidents mailing list archives

Re: isakmp before smtp?


From: Steffen Dettmer <steffen () dett de>
Date: Wed, 13 Sep 2000 10:48:07 +0200

* Valdis Kletnieks wrote on Tue, Sep 12, 2000 at 09:49 -0400:
On Mon, 11 Sep 2000 18:04:29 CDT, Frank Knobbe <FKnobbe () KNOBBEITS COM>  said:
The basic trick here is "Diffie-Hellman key exchange".

[...] If you're only worried about confidentiality
(to prevent eavesdropping) you can use Diffie-Hellman to exchange a session
key to use for encrypting the session.  If you're worried about authentication
too, you STILL want to use DH first, to set up a secure connection for
key exchange, [...]

Basic summary:  For confidentiality, *no* pre-arranged keying is needed.
For authentication, you need either a public/private key pair or a shared
secret.

I think encryption without authentication makes little sense,
since it should be possible for an attacker to connect as if it
were authorized, and so the attacker would get the data she's
interested in, ain't it? So the attacker could spoof the real target
of the encryption tunnel, and nothing would detect this
(man-in-the-middle attack).

So I would summarize:
For confidentiality, authentication is needed.

Please correct me if I'm wrong.


oki,

Steffen

-- 
This message was generated by machine;
it therefore bears neither signature nor seal.
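To make the point of the thread concrete, here is an added example (mine, not code from the thread) in Python: a toy Diffie-Hellman exchange run once without authentication, where Mallory swaps in her own public values and ends up holding both session keys with nobody noticing, and once with each public value tagged by an HMAC under a pre-shared secret, where the swap is detected. The group parameters and the pre-shared secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: a prime p and generator g small enough for an
# instant demo. Real deployments use standardised groups of 2048 bits or more.
P = 2147483647            # 2**31 - 1, prime
G = 7                     # primitive root modulo P
PSK = b"constructed pre-shared secret"   # known to Alice and Bob, not Mallory

def keypair():
    """DH private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared secret g^(xy) mod p."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(4, "big")).digest()

def tag(pub, role):
    """Authenticate a public value under PSK; the role stops reflection."""
    return hmac.new(PSK, role + pub.to_bytes(4, "big"), "sha256").digest()

def exchange(authenticated, mitm):
    """Run one handshake; return (alice_key, bob_key, mallory_keys, detected).

    With mitm=True Mallory replaces each public value in transit with her own.
    She never holds PSK, so when tags are checked she can only forward tags
    that no longer match the substituted values.
    """
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    tag_A, tag_B = tag(A, b"alice"), tag(B, b"bob")   # sent alongside A and B
    A_rx, B_rx = (M, M) if mitm else (A, B)            # what each side receives
    detected = False
    if authenticated:
        # Each side recomputes the tag over the value it received.
        if not hmac.compare_digest(tag(A_rx, b"alice"), tag_A):
            detected = True
        if not hmac.compare_digest(tag(B_rx, b"bob"), tag_B):
            detected = True
    k_alice = session_key(a, B_rx)
    k_bob = session_key(b, A_rx)
    # Mallory derives one key with Alice (g^am) and another with Bob (g^bm).
    mallory = (session_key(m, A), session_key(m, B)) if mitm else None
    return k_alice, k_bob, mallory, detected
```

Without authentication the two honest keys differ and Mallory holds both, so she can decrypt and re-encrypt every message; with the PSK-authenticated values the swap fails the tag check before any key is used.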
