Encryption only ?

Discussion in 'Computer Security' started by karthikbalaguru, Dec 20, 2009.

  1. Hi,
    ESP supports both 'encryption only' and 'authentication only'
    configurations. Interestingly, the usage of encryption without
    authentication is strongly discouraged. So, why should ESP
    provide the support for 'encryption only' configuration ? Any
    specific reasons for that configuration ? Any ideas ?

    Thx in advance,
    Karthik Balaguru
    karthikbalaguru, Dec 20, 2009
    #1

  2. On Dec 20, 12:43 am, karthikbalaguru <>
    wrote:
    > Hi,
    > ESP supports both 'encryption only' and 'authentication only'
    > configurations. Interestingly, the usage of encryption without
    > authentication is strongly discouraged. So, why should ESP
    > provide the support for 'encryption only' configuration ? Any
    > specific reasons for that configuration ? Any ideas ?
    >
    > Thx in advance,
    > Karthik Balaguru


    What's the point of encryption if someone else can play man in the
    middle, invent what are effectively your credentials, and tap your
    session without your knowledge?
    Nico Kadel-Garcia, Dec 20, 2009
    #2

  3. On Dec 19, 9:43 pm, karthikbalaguru <>
    wrote:

    > ESP supports both 'encryption only' and 'authentication only'
    > configurations. Interestingly, the usage of encryption without
    > authentication is strongly discouraged. So, why should ESP
    > provide the support for 'encryption only' configuration ? Any
    > specific reasons for that configuration ? Any ideas ?


    The theory is that encryption only is better than nothing at all
    because it will prevent all passive attacks. In some cases, if you
    offer people the choice of either nothing or encryption without
    authentication, they'll choose encryption without authentication
    because in some circumstances, authentication is not considered worth
    the trouble.

    It is also a fairly effective protection against bulk interception.
    Right now, your ISP could sniff the vast majority of your traffic if
    they had a mind to. They are, however, very unlikely to use active
    attacks.

    DS
    David Schwartz, Dec 20, 2009
    #3
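The passive-versus-active distinction in the post above, as an added example that is not part of the original thread: an encryption-only channel hides the payload from a sniffer, but an altered packet still decrypts without error, while an appended integrity tag lets the receiver reject it. The HMAC-based keystream is a toy stand-in for a real cipher, and the function names and the sample payload are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (HMAC-SHA256 per block); a stand-in cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. The same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt, then append an integrity tag over nonce + ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, packet):
    """Verify the tag before decrypting; return None if the packet was altered."""
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(enc_key, nonce, ct)

def alter_in_transit(packet: bytes, index: int) -> bytes:
    """Flip one bit of one byte, which needs no key at all."""
    changed = bytearray(packet)
    changed[index] ^= 0x01
    return bytes(changed)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(8)
    msg = b"ALLOW 10.0.0.5"  # constructed sample payload
    # Encryption only: the receiver decrypts the altered packet with no error.
    accepted = encrypt_only(enc_key, nonce, alter_in_transit(encrypt_only(enc_key, nonce, msg), 13))
    # Encryption plus integrity: the same alteration is rejected.
    rejected = open_sealed(enc_key, mac_key, nonce, alter_in_transit(seal(enc_key, mac_key, nonce, msg), 13))
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```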
  4. On Dec 20, 6:52 am, Nico Kadel-Garcia <> wrote:
    > On Dec 20, 12:43 am, karthikbalaguru <>
    > wrote:
    >
    > > Hi,
    > > ESP supports both 'encryption only' and 'authentication only'
    > > configurations. Interestingly, the usage of encryption without
    > > authentication is strongly discouraged. So, why should ESP
    > > provide the support for 'encryption only' configuration ? Any
    > > specific reasons for that configuration ? Any ideas ?

    >
    > > Thx in advance,
    > > Karthik Balaguru

    >
    > What's the point of encryption if someone else can play man in the
    > middle, invent what are effectively your credentials, and tap your
    > session without your knowledge?


    What's the point of replying when you don't know what you are talking
    about.

    (The only context in which the original post would seem to make any
    sense is with reference to Encapsulated Security Payload - part of the
    IPSEC protocol. Assuming that is the case....)

    It does not follow that there is no implicit authentication just
    because ESP is set to encryption only - this is only the case with
    certain modes of key-exchange - and even then end-point authentication
    may not be a requirement of the application. And it's the only way to
    move data between nodes where there is address translation in between.

    C.
    C., Dec 22, 2009
    #4
  5. On Tue, 22 Dec 2009 04:22:43 -0800 (PST), C. wrote:

    > On Dec 20, 6:52 am, Nico Kadel-Garcia <> wrote:
    >> On Dec 20, 12:43 am, karthikbalaguru <>
    >> wrote:
    >>
    >>> Hi,
    >>> ESP supports both 'encryption only' and 'authentication only'
    >>> configurations. Interestingly, the usage of encryption without
    >>> authentication is strongly discouraged. So, why should ESP
    >>> provide the support for 'encryption only' configuration ? Any
    >>> specific reasons for that configuration ? Any ideas ?

    >>
    >>> Thx in advance,
    >>> Karthik Balaguru

    >>
    >> What's the point of encryption if someone else can play man in the
    >> middle, invent what are effectively your credentials, and tap your
    >> session without your knowledge?

    >
    > What's the point of replying when you don't know what you are talking
    > about.


    She's been lost since she was outed as a bipolar lesbian from the
    misc.fitness weight days.
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ♥Ari♥, Dec 22, 2009
    #5
  6. On Dec 22, 7:22 am, "C." <> wrote:
    > On Dec 20, 6:52 am, Nico Kadel-Garcia <> wrote:
    >
    >
    >
    > > On Dec 20, 12:43 am, karthikbalaguru <>
    > > wrote:

    >
    > > > Hi,
    > > > ESP supports both 'encryption only' and 'authentication only'
    > > > configurations. Interestingly, the usage of encryption without
    > > > authentication is strongly discouraged. So, why should ESP
    > > > provide the support for 'encryption only' configuration ? Any
    > > > specific reasons for that configuration ? Any ideas ?

    >
    > > > Thx in advance,
    > > > Karthik Balaguru

    >
    > > What's the point of encryption if someone else can play man in the
    > > middle, invent what are effectively your credentials, and tap your
    > > session without your knowledge?

    >
    > What's the point of replying when you don't know what you are talking
    > about.


    I was actually asking a question.

    > (The only context in which the original post would seem to make any
    > sense is with reference to Encapsulated Security Payload - part of the
    > IPSEC protocol. Assuming that is the case....)


    That's an interesting supposition, and seems quite reasonable.
    However, and this is a very important however in security terms, I've
    learned the very, very hard way: do not assume that a casual question
    without details is actually part of a sensibly built framework.

    For example, there are numerous circumstances where end-to-end
    encryption existence is enabled but the authentication is basically
    ignored. This is a constant issue of SSL keys in the modern world,
    where many people never bother to purchase signatures for their keys
    and thus, users have come to casually accept whatever key a site
    happens to publish as permanently accepted, and ignore warnings about
    expired keys. I've been seeing this for many years in the Linux world,
    for casually set up websites and especially for Subversion
    repositories where the managers cannot be bothered with the task of
    registering a key.

    The result is that any man-in-the-middle can intercept the traffic:
    *ALL* of it, and monitor that traffic on its way to the actual target.
    The data is, in fact, encrypted along most of its path. But the
    authentication is nonexistent.

    Similar issues occur with SSH servers: people are casual about
    accepting new public SSH server keys, or even publish the same keys
    across every server in an imaged OS deployment configuration, such as
    Xen or VMware snapshots. Voila! You, as a client, cannot verify which
    server you are actually speaking to. This is also why it's helpful for
    newly installed secure services, such as SSH and HTTPS, to generate
    new keys the first time they're run. (This can actually cause boot
    problems if your source of randomness is insufficient, though.)

    > It does not follow that there is no implicit authentication just
    > because ESP is set to encryption only - this is only the case with
    > certain modes of key-exchange - and even then end-point authentication
    > may not be a requirement of the application. And it's the only way to
    > move data between nodes where there is address translation in between.
    >
    > C.


    And this is interesting, thank you. Can you now see that perhaps this
    is *not* what the original questioner asked about, and that we should
    find out?

    And a hint: if you're going to say someone doesn't know what they're
    talking about, you might check out their history first. My first
    network security work predates the Morris Worm. It doesn't mean I'm
    right, but it does mean I've seen some things you might not have
    thought of, as in the cases above.
    Nico Kadel-Garcia, Dec 22, 2009
    #6
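A check for the imaged-deployment problem described in the post above, as an added example that is not part of the original thread: it reads host entries in OpenSSH `known_hosts` format and reports any public key that appears under more than one entry, which is what cloned snapshots with a baked-in host key look like. The inventory, host names and key material are constructed for the sketch, and the function names are assumptions.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str):
    """Yield (hosts, keytype, key_blob) for each usable known_hosts line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:                 # malformed key field: skip the line
            continue
        yield tuple(sorted(hosts.split(","))), keytype, blob

def shared_host_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> entries, for keys used by 2+ entries.

    A name and its IP on one line count as one entry, so a single machine
    listed as "host,address" is not reported against itself.
    """
    entries = defaultdict(set)
    for hosts, keytype, blob in parse_known_hosts(text):
        entries[(keytype, fingerprint(blob))].add(hosts)
    return {k: sorted(v) for k, v in entries.items() if len(v) > 1}

def _line(hosts: str, seed: bytes) -> str:
    # Constructed stand-in for key material; these are not real host keys.
    return f"{hosts} ssh-ed25519 {base64.b64encode(seed).decode()}"

SAMPLE = "\n".join([
    "# constructed inventory for the example",
    _line("vm-a.example.test,192.0.2.10", b"image-baked-key"),
    _line("vm-b.example.test", b"image-baked-key"),
    _line("vm-c.example.test", b"unique-key-c"),
    "vm-d.example.test ssh-ed25519 not*base64",
])

if __name__ == "__main__":
    for (keytype, fp), groups in shared_host_keys(SAMPLE).items():
        print(keytype, fp, groups)
```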
  7. On Tue, 22 Dec 2009 15:18:14 -0800 (PST), Nico Kadel-Garcia wrote:

    > And a hint: if you're going to say someone doesn't know what they're
    > talking about, you might check out their history first. My first
    > network security work predates the Morris Worm


    So does your first love affair with Elzi.

    *chortle*
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ♥Ari♥, Dec 23, 2009
    #7
  8. ♥Ari♥ wrote:

    > She's been lost since she was outed as a biploar lesbian from the
    > misc.fitness weight days.


    Wait... slow down. Let's not fly off the handle. What does she look
    like?
    --
    Not really a wanna-be, but I don't know everything.
    Wanna-Be Sys Admin, Dec 27, 2009
    #8
  9. On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:

    > ♥Ari♥ wrote:
    >
    >> She's been lost since she was outed as a biploar lesbian from the
    >> misc.fitness weight days.

    >
    > Wait... slow down. Let's not fly off the handle. What does she look
    > like?


    http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ♥Ari♥, Dec 28, 2009
    #9
  10. ♥Ari♥ wrote:

    > On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
    >
    >> ♥Ari♥ wrote:
    >>
    >>> She's been lost since she was outed as a biploar lesbian from the
    >>> misc.fitness weight days.

    >>
    >> Wait... slow down. Let's not fly off the handle. What does she look
    >> like?

    >
    > http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg


    I'm not going to click a random link. After all, once you see something,
    you can't un-see it. :)
    --
    Not really a wanna-be, but I don't know everything.
    Wanna-Be Sys Admin, Dec 28, 2009
    #10
  11. On Mon, 28 Dec 2009 13:14:12 -0800, Wanna-Be Sys Admin wrote:

    > ♥Ari♥ wrote:
    >
    >> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
    >>
    >>> ♥Ari♥ wrote:
    >>>
    >>>> She's been lost since she was outed as a biploar lesbian from the
    >>>> misc.fitness weight days.
    >>>
    >>> Wait... slow down. Let's not fly off the handle. What does she look
    >>> like?

    >>
    >> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg

    >
    > I'm not going to click a random link. After all, once you see something,
    > you can't un-see it. :)


    Point taken.
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ♥Ari♥, Dec 29, 2009
    #11
  12. On Tue, 29 Dec 2009 15:55:56 -0500, ♥Ari♥ wrote:

    > On Mon, 28 Dec 2009 13:14:12 -0800, Wanna-Be Sys Admin wrote:
    >
    >> ♥Ari♥ wrote:
    >>
    >>> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
    >>>
    >>>> ♥Ari♥ wrote:
    >>>>
    >>>>> She's been lost since she was outed as a biploar lesbian from the
    >>>>> misc.fitness weight days.
    >>>>
    >>>> Wait... slow down. Let's not fly off the handle. What does she look
    >>>> like?
    >>>
    >>> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg

    >>
    >> I'm not going to click a random link. After all, once you see
    >> something, you can't un-see it. :)

    >
    > Point taken.



    you can it's called alcohol
    and lots of IT !
    goarilla, Dec 30, 2009
    #12
  13. On Dec 28, 3:22 pm, ♥Ari♥ <> wrote:
    > On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
    > > ♥Ari♥ wrote:

    >
    > >> She's been lost since she was outed as a biploar lesbian from the
    > >> misc.fitness weight days.

    >
    > > Wait... slow down.  Let's not fly off the handle.  What does she look
    > > like?

    >
    > http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg
    > --
    > A fireside chat not with Ari!http://tr.im/holj
    > Motto: Live To Spooge It!


    Oh, dear. That was Christmas morning, after moving an entire household
    from overseas. A very Stallmanesque photo: I've bathed and combed my
    hairs since then.
    Nico Kadel-Garcia, Dec 30, 2009
    #13
  14. On Wed, 30 Dec 2009 03:35:54 -0800 (PST), Nico Kadel-Garcia wrote:

    > On Dec 28, 3:22 pm, ♥Ari♥ <> wrote:
    >> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
    >>> ♥Ari♥ wrote:

    >>
    >>>> She's been lost since she was outed as a biploar lesbian from the
    >>>> misc.fitness weight days.

    >>
    >>> Wait... slow down.  Let's not fly off the handle.  What does she look
    >>> like?

    >>
    >> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg
    >> --
    >> A fireside chat not with Ari!http://tr.im/holj
    >> Motto: Live To Spooge It!

    >
    > Oh, dear. That was Christmas morning, after moving an entire household
    > from overseas. A very Stallmanesque photo: I've bathed and combed my
    > hairs since then.


    Butt it was Elzi's fav photo of you.

    Smooch!
    --
    A fireside chat not with Ari!
    http://tr.im/holj
    Motto: Live To Spooge It!
    ♥Ari♥, Dec 30, 2009
    #14