Re: [perpass] Fwd: Re: perens-perpass-appropriate-response-01

[Stephen Kent <kent@bbn.com>]

Nicholas,
> On Dec 7, 2013, at 4:09 PM, Bruce Perens <bruce@perens.com> wrote:
>> Well, we do have some HTTP uses where encryption that hides the content won't be allowed, and thus authentication is important.
>>
>> We can't have encryption when we use HTTP over Amateur Radio in the US and many other countries. There is self-policing on ham frequencies that requires that people be able to copy other people's transmissions, and encryption defeats that. Obviously we don't put confidential data on those frequencies, that belongs on your cell phone. So, an authentication-only WiFi protocol is needed for Amateur Radio, and possibly an authentication-only version of TLS.
> NO!!!!
>
> The reason is downgrade attacks.  A huge problem with the IPSec standard is that NULL encryption was allowed in there, and also known weak modes (single DES, 720b D/H etc).  Its one of the primary reasons why John Gilmore and therefore others feel the IPSec process was sabotaged by the NSA.
John's assertions in this context are not informed by participation in
the IPsec WG process at that time, to the best of my recollection.
> To explicitly support downgraded, athuentication w/o encryption is STUPID!  it is DANGEROUS!
Not at all. We already had AH;  we offered ESP with NULL encryption as a 
more
efficient way to achieve the same security goals.
>   About the only thing that is not a horrid idea is to have the key exchange generate a separate MAC and encryption key, using an encrypt then MAC structure.   Yet that loses out on the benefit of authenticated encryption modes that build the MAC into the communication.
The use of distinct algs for the distinct security services was 
consistent with the standard alg options of the original time frame. 
Note that combined mode algs, that offer confidentiality and integrity, 
are explciitly accommodated in later versions of the specs, e.g., 4303.

Steve