[dtn-security] Re(4): Ciphersuite

Peter Lovell <plovell@mac.com> Thu, 16 July 2009 19:06 UTC

From: Peter Lovell <plovell@mac.com>
To: Sushil Chaudhari <schaudhari@mzeal.com>, dtn-security@maillists.intel-research.net
Date: Thu, 16 Jul 2009 15:04:23 -0400
Message-id: <20090716190423.1267272697@smtp.mac.com>
In-reply-to: <20090716180755.89960.qmail@mzeal.com>
References: <20090716180755.89960.qmail@mzeal.com>

On Thu, Jul 16, 2009, Sushil Chaudhari <schaudhari@mzeal.com> wrote:

>It looks as if the PC3 ciphersuite is actually implemented for AES GCM mode. If I
>read RFC4106 correctly, it does provide confidentiality, data origin and
>data integrity authentication...
>Apparently, it does fulfill the purpose of all 3 security blocks.
>Am I reading something incorrectly?

Your analysis is a bit too simplistic. PC3 does guarantee that the
payload data (and only the payload data) has not been changed in
transit. But there's no "certificate of authenticity". You do not know
who originated the data.

You know it is unmodified but you don't know if it's genuine.

With PIB you get a signature from the sender so you know, within the
constraints of your keying mechanism, who actually sent the data.
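
An added example, not part of the original message or of any DTN implementation: it models the distinction drawn above, assuming the confidentiality ciphersuite wraps a fresh AES-GCM key to the recipient's RSA public key and the integrity block carries an RSA signature over the payload. The party names, payload and function names are hypothetical, and the code uses the third-party Python `cryptography` package.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def seal(recipient_pub, payload):
    """Model of the confidentiality step: fresh AES-GCM key, wrapped to the recipient."""
    key, nonce = AESGCM.generate_key(bit_length=128), os.urandom(12)
    return recipient_pub.encrypt(key, OAEP), nonce, AESGCM(key).encrypt(nonce, payload, None)

def unseal(recipient_priv, sealed):
    """Returns the payload; raises InvalidTag if ciphertext or tag was altered."""
    wrapped, nonce, ct = sealed
    return AESGCM(recipient_priv.decrypt(wrapped, OAEP)).decrypt(nonce, ct, None)

def sign(sender_priv, payload):
    return sender_priv.sign(payload, PSS, hashes.SHA256())

def signed_by(sender_pub, payload, sig):
    try:
        sender_pub.verify(sig, payload, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def demo():
    alice, mallory, bob = new_key(), new_key(), new_key()  # hypothetical parties
    claim = b"from alice: reroute via node 7"              # constructed payload
    # Anyone holding bob's public key can build a bundle that passes the GCM check.
    sealed = seal(bob.public_key(), claim)                 # built by mallory
    wrapped, nonce, ct = sealed
    try:
        unseal(bob, (wrapped, nonce, ct[:-1] + bytes([ct[-1] ^ 1])))
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True
    return {
        "gcm_accepts_mallory": unseal(bob, sealed) == claim,
        "gcm_detects_tampering": tamper_detected,
        "mallory_sig_passes_as_alice": signed_by(alice.public_key(), claim, sign(mallory, claim)),
        "alice_sig_verifies": signed_by(alice.public_key(), claim, sign(alice, claim)),
    }
```

The GCM tag tells the receiver only that the payload is unchanged since whoever generated the content key sealed it; the signature check is the step that ties the payload to a specific sender key.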