RE: data origin authentication

Goeman Stefan <Stefan.Goeman@siemens.atea.be> Wed, 08 May 2002 08:42 UTC

Message-ID: <E76F715C0429D5118F2100508BB9EDEE036FE96D@hrtades7.atea.be>
From: Goeman Stefan <Stefan.Goeman@siemens.atea.be>
To: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: RE: data origin authentication
Date: Wed, 08 May 2002 10:11:47 +0200

Hello All,

> -----Original Message-----
> From: Christina Helbig [mailto:cbh@zyfer.com]
> Sent: Tuesday, 7 May 2002 21:02
> To: 'Joern Sierwald'; ipsec@lists.tislabs.com
> Subject: RE: data origin authentication
> 
> Hello, Joern
> if you are a bad guy and you own an in-bound SA you can
> produce a faked ESP packet that looks like it came from the
> other party of your in-bound SA. Then you can claim that you
> got this packet from the other party. So the data origin
> authentication of ESP (two parties know the same
> authentication key) doesn't deliver non-repudiation of data
> origin. But a receiver can be sure that the sender of an
> incoming ESP packet is only the other party of the related
> in-bound SA or the receiver itself.

Non-repudiation. 
Hmm.
Checking the RFCs, it is nowhere claimed that ESP and/or AH
offer non-repudiation as a security service.

(But perhaps non-repudiation is a must and then solutions have
to be developed.)


Greetings,

Stefan.
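The point made in the quoted paragraph, as an added example that is not part of the original thread: a simplified ESP-style packet whose ICV is an HMAC-SHA1-96 (RFC 2404 style, HMAC-SHA1 truncated to 96 bits) under the SA's shared key. Because both endpoints hold the same key, a packet built by the receiver verifies exactly like one built by the sender, so the ICV narrows the origin to "someone holding the key" and nothing more. The key, SPI, party names and helper names are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed ESP-like layout: SPI (4) || seq (4) || payload || ICV (12).
# The ICV is HMAC-SHA1 over everything before it, truncated to 96 bits.
ICV_LEN = 12


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an authenticated packet with the SA key (either endpoint can do this)."""
    authenticated = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def verify_packet(key: bytes, packet: bytes) -> bool:
    """True only means: the ICV was produced by a holder of this SA key."""
    if len(packet) < 8 + ICV_LEN:
        return False
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def origin_candidates(key_holders, key: bytes, packet: bytes) -> list:
    """What a verifier can conclude about origin: the whole set of key holders, or nothing."""
    return sorted(key_holders) if verify_packet(key, packet) else []


# Constructed SA from Alice to Bob; the key is known to both endpoints.
SA_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")
SA_SPI = 0x1000
KEY_HOLDERS = {"alice", "bob"}

# A genuine packet from Alice, and one that Bob (the receiver) built himself
# with the same inbound-SA key: the ICV cannot tell them apart.
genuine = build_packet(SA_KEY, SA_SPI, 1, b"hello from alice")
forged_by_receiver = build_packet(SA_KEY, SA_SPI, 2, b"alice never sent this")

# Modifying one payload byte without the key does break the ICV: integrity
# and data origin authentication (to the key-holding set) still hold.
tampered = genuine[:-ICV_LEN - 1] + b"X" + genuine[-ICV_LEN:]
```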