Encryption only ?

 
 
karthikbalaguru
Guest
Posts: n/a
 
      12-20-2009
Hi,
ESP supports both 'encryption only' and 'authentication only'
configurations. Interestingly, the usage of encryption without
authentication is strongly discouraged. So, why should ESP
provide the support for 'encryption only' configuration ? Any
specific reasons for that configuration ? Any ideas ?

Thx in advance,
Karthik Balaguru
 
 
 
 
 
Nico Kadel-Garcia
Guest
Posts: n/a
 
      12-20-2009
On Dec 20, 12:43 am, karthikbalaguru <(E-Mail Removed)>
wrote:
> Hi,
> ESP supports both 'encryption only' and 'authentication only'
> configurations. Interestingly, the usage of encryption without
> authentication is strongly discouraged. So, why should ESP
> provide the support for 'encryption only' configuration ? Any
> specific reasons for that configuration ? Any ideas ?
>
> Thx in advance,
> Karthik Balaguru


What's the point of encryption if someone else can play man in the
middle, invent what are effectively your credentials, and tap your
session without your knowledge?
 
 
 
 
 
David Schwartz
Guest
Posts: n/a
 
      12-20-2009
On Dec 19, 9:43 pm, karthikbalaguru <(E-Mail Removed)>
wrote:

> ESP supports both 'encryption only' and 'authentication only'
> configurations. Interestingly, the usage of encryption without
> authentication is strongly discouraged. So, why should ESP
> provide the support for 'encryption only' configuration ? Any
> specific reasons for that configuration ? Any ideas ?


The theory is that encryption only is better than nothing at all
because it will prevent all passive attacks. In some cases, if you
offer people the choice of either nothing or encryption without
authentication, they'll choose encryption without authentication
because in some circumstances, authentication is not considered worth
the trouble.

It is also a fairly effective protection against bulk interception.
Right now, your ISP could sniff the vast majority of your traffic if
they had a mind to. They are, however, very unlikely to use active
attacks.

DS
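The passive/active distinction drawn in the post above, as an added example that is not part of the original thread: a packet changed in transit is accepted silently when there is encryption only, and dropped when an integrity check value (ICV) is verified first. The keystream cipher, key values, ICV length and message are constructed stand-ins, not ESP's actual transforms or packet format.

```python
import hashlib
import hmac

ICV_LEN = 16  # truncated HMAC-SHA256 tag appended to each packet (assumed size)

def keystream(key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), not a real ESP transform.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_stream(key, nonce, data):
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def open_enc_only(enc_key, nonce, packet):
    # Encryption only: every ciphertext decrypts to something, nothing is rejected.
    return xor_stream(enc_key, nonce, packet)

def seal_enc_auth(enc_key, mac_key, nonce, plaintext):
    ct = xor_stream(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:ICV_LEN]

def open_enc_auth(enc_key, mac_key, nonce, packet):
    ct, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed, packet dropped")
    return xor_stream(enc_key, nonce, ct)

def modify_in_transit(packet, offset, mask):
    # Constructed active modification: one byte changed, no key needed.
    return packet[:offset] + bytes([packet[offset] ^ mask]) + packet[offset + 1:]

def demo():
    enc_key, mac_key, nonce = b"E" * 32, b"M" * 32, b"N" * 8  # constructed values
    sent = b"status=OK seq=0007"  # constructed message; offset 17 is its last byte
    # Encryption only: the receiver accepts altered plaintext without any error.
    changed = modify_in_transit(xor_stream(enc_key, nonce, sent), 17, 0x01)
    accepted = open_enc_only(enc_key, nonce, changed)
    # Encryption plus integrity: the same one-byte change is detected.
    changed = modify_in_transit(seal_enc_auth(enc_key, mac_key, nonce, sent), 17, 0x01)
    try:
        open_enc_auth(enc_key, mac_key, nonce, changed)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```

`demo()` returns the plaintext the encryption-only receiver ended up with and whether the authenticated receiver rejected the same change.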
 
 
C.
Guest
Posts: n/a
 
      12-22-2009
On Dec 20, 6:52 am, Nico Kadel-Garcia <(E-Mail Removed)> wrote:
> On Dec 20, 12:43 am, karthikbalaguru <(E-Mail Removed)>
> wrote:
>
> > Hi,
> > ESP supports both 'encryption only' and 'authentication only'
> > configurations. Interestingly, the usage of encryption without
> > authentication is strongly discouraged. So, why should ESP
> > provide the support for 'encryption only' configuration ? Any
> > specific reasons for that configuration ? Any ideas ?
> >
> > Thx in advance,
> > Karthik Balaguru
>
> What's the point of encryption if someone else can play man in the
> middle, invent what are effectively your credentials, and tap your
> session without your knowledge?


What's the point of replying when you don't know what you are talking
about.

(The only context in which the original post would seem to make any
sense is with reference to Encapsulated Security Payload - part of the
IPSEC protocol. Assuming that is the case....)

It does not follow that there is no implicit authentication just
because ESP is set to encryption only - this is only the case with
certain modes of key-exchange - and even then end-point authentication
may not be a requirement of the application. And it's the only way to
move data between nodes where there is address translation in between.

C.
 
 
♥Ari♥
Guest
Posts: n/a
 
      12-22-2009
On Tue, 22 Dec 2009 04:22:43 -0800 (PST), C. wrote:

> On Dec 20, 6:52 am, Nico Kadel-Garcia <(E-Mail Removed)> wrote:
>> On Dec 20, 12:43 am, karthikbalaguru <(E-Mail Removed)>
>> wrote:
>>
>>> Hi,
>>> ESP supports both 'encryption only' and 'authentication only'
>>> configurations. Interestingly, the usage of encryption without
>>> authentication is strongly discouraged. So, why should ESP
>>> provide the support for 'encryption only' configuration ? Any
>>> specific reasons for that configuration ? Any ideas ?
>>>
>>> Thx in advance,
>>> Karthik Balaguru
>>
>> What's the point of encryption if someone else can play man in the
>> middle, invent what are effectively your credentials, and tap your
>> session without your knowledge?
>
> What's the point of replying when you don't know what you are talking
> about.


She's been lost since she was outed as a bipolar lesbian from the
misc.fitness weight days.
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
 
 
Nico Kadel-Garcia
Guest
Posts: n/a
 
      12-22-2009
On Dec 22, 7:22 am, "C." <(E-Mail Removed)> wrote:
> On Dec 20, 6:52 am, Nico Kadel-Garcia <(E-Mail Removed)> wrote:
>
> > On Dec 20, 12:43 am, karthikbalaguru <(E-Mail Removed)>
> > wrote:
> >
> > > Hi,
> > > ESP supports both 'encryption only' and 'authentication only'
> > > configurations. Interestingly, the usage of encryption without
> > > authentication is strongly discouraged. So, why should ESP
> > > provide the support for 'encryption only' configuration ? Any
> > > specific reasons for that configuration ? Any ideas ?
> > >
> > > Thx in advance,
> > > Karthik Balaguru
> >
> > What's the point of encryption if someone else can play man in the
> > middle, invent what are effectively your credentials, and tap your
> > session without your knowledge?
>
> What's the point of replying when you don't know what you are talking
> about.


I was actually asking a question.

> (The only context in which the original post would seem to make any
> sense is with reference to Encapsulated Security Payload - part of the
> IPSEC protocol. Assuming that is the case....)


That's an interesting supposition, and seems quite reasonable.
However, and this is a very important however in security terms, I've
learned the very, very hard way: do not assume that a casual question
without details is actually part of a sensibly built framework.

For example, there are numerous circumstances where end-to-end
encryption existence is enabled but the authentication is basically
ignored. This is a constant issue of SSL keys in the modern world,
where many people never bother to purchase signatures for their keys
and thus, users have come to casually accept whatever key a site
happens to publish as permanently accepted, and ignore warnings about
expired keys. I've been seeing this for many years in the Linux world,
for casually set up websites and especially for Subversion
repositories where the managers cannot be bothered with the task of
registering a key.

The result is that any man-in-the-middle can intercept the traffic:
*ALL* of it, and monitor that traffic on its way to the actual target.
The data is, in fact, encrypted along most of its path. But the
authentication is nonexistent.

Similar issues occur with SSH servers: people are casual about
accepting new public SSH server keys, or even publish the same keys
across every server in an imaged OS deployment configuration, such as
Xen or VMware snapshots. Voila! You, as a client, cannot verify which
server you are actually speaking to. This is also why it's helpful for
newly installed secure services, such as SSH and HTTPS, to generate
new keys the first time they're run. (This can actually cause boot
problems if your source of randomness is insufficient, though.)

> It does not follow that there is no implicit authentication just
> because ESP is set to encryption only - this is only the case with
> certain modes of key-exchange - and even then end-point authentication
> may not be a requirement of the application. And it's the only way to
> move data between nodes where there is address translation in between.
>
> C.


And this is interesting, thank you. Can you now see that perhaps this
is *not* what the original questioner asked about, and that we should
find out?

And a hint: if you're going to say someone doesn't know what they're
talking about, you might check out their history first. My first
network security work predates the Morris Worm. It doesn't mean I'm
right, but it does mean I've seen some things you might not have
thought of, as in the cases above.
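A check for the cloned-image case described in the post above, as an added example that is not part of the original thread: it groups hosts by SSH host key fingerprint and reports any key presented by more than one host. The input layout (`host keytype base64-key`, as in `ssh-keyscan` output and unhashed `known_hosts` lines) is an assumption about where the keys come from, and the host names and key blobs are constructed.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_blob):
    # OpenSSH-style SHA256 fingerprint: base64(sha256(key blob)) without padding.
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Return {fingerprint: sorted hosts} for keys presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        host, _keytype, blob = fields[:3]
        try:
            hosts_by_fp[fingerprint(blob)].add(host)
        except ValueError:
            continue  # key field is not valid base64
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}

# Constructed sample: three web servers cloned from one image share a key,
# the database server generated its own. The blobs are placeholders, not real keys.
KEY_IMAGE = base64.b64encode(b"constructed host key baked into the image").decode()
KEY_UNIQUE = base64.b64encode(b"constructed host key generated at first boot").decode()
SAMPLE_SCAN = f"""# constructed sample in ssh-keyscan layout
web1.example ssh-ed25519 {KEY_IMAGE}
web2.example ssh-ed25519 {KEY_IMAGE}
web3.example ssh-ed25519 {KEY_IMAGE}
db1.example ssh-ed25519 {KEY_UNIQUE}
broken.example ssh-ed25519 not*base64
"""

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```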
 
 
♥Ari♥
Guest
Posts: n/a
 
      12-23-2009
On Tue, 22 Dec 2009 15:18:14 -0800 (PST), Nico Kadel-Garcia wrote:

> And a hint: if you're going to say someone doesn't know what they're
> talking about, you might check out their history first. My first
> network security work predates the Morris Worm


So does your first love affair with Elzi.

*chortle*
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
 
 
Wanna-Be Sys Admin
Guest
Posts: n/a
 
      12-27-2009
♥Ari♥ wrote:

> She's been lost since she was outed as a bipolar lesbian from the
> misc.fitness weight days.


Wait... slow down. Let's not fly off the handle. What does she look
like?
--
Not really a wanna-be, but I don't know everything.
 
 
♥Ari♥
Guest
Posts: n/a
 
      12-28-2009
On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:

> ♥Ari♥ wrote:
>
>> She's been lost since she was outed as a bipolar lesbian from the
>> misc.fitness weight days.

>
> Wait... slow down. Let's not fly off the handle. What does she look
> like?


http://farm3.static.flickr.com/2148/...396addb4_o.jpg
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!
 
 
Wanna-Be Sys Admin
Guest
Posts: n/a
 
      12-28-2009
♥Ari♥ wrote:

> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
>
>> ♥Ari♥ wrote:
>>
>>> She's been lost since she was outed as a bipolar lesbian from the
>>> misc.fitness weight days.

>>
>> Wait... slow down. Let's not fly off the handle. What does she look
>> like?

>
> http://farm3.static.flickr.com/2148/...396addb4_o.jpg


I'm not going to click a random link. After all, once you see something,
you can't un-see it.
--
Not really a wanna-be, but I don't know everything.
 
 
 
 