Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Encryption only ?

0 views
Skip to first unread message

karthikbalaguru

unread,
Dec 20, 2009, 12:43:26 AM12/20/09
to
Hi,
ESP supports both 'encryption only' and 'authentication only'
configurations. Interestingly, the the usage of encryption without
authentication is strongly discouraged. So, why should ESP
provide the support for 'encryption only' configuration ? Any
specific reasons for that configuration ? Any ideas ?

Thx in advans,
Karthik Balaguru

Nico Kadel-Garcia

unread,
Dec 20, 2009, 1:52:03 AM12/20/09
to
On Dec 20, 12:43 am, karthikbalaguru <karthikbalagur...@gmail.com>
wrote:

What's the point of encryption if someone else can play man in the
middle, invent what are effectively your credentials, and tap your
session without your knowledge?

David Schwartz

unread,
Dec 20, 2009, 3:12:59 PM12/20/09
to
On Dec 19, 9:43 pm, karthikbalaguru <karthikbalagur...@gmail.com>
wrote:

The theory is that encryption only is better than nothing at all
because it will prevent all passive attacks. In some cases, if you
offer people the choice of either nothing or encryption without
authentication, they'll choose encryption without authentication
because in some circumstances, authentication is not considered worth
the trouble.

It is also a fairly effective protection against bulk interception.
Right now, your ISP could sniff the vast majority of your traffic if
they had a mind to. They are, however, very unlikely to use active
attacks.

DS

C.

unread,
Dec 22, 2009, 7:22:43 AM12/22/09
to

What's the point of replying when you don't know what you are talking
about.

(The only context in which the original post would seem to make any
sense is with reference to Encapsulated Security Payload - part of the
IPSEC protocol. Assuming that is the case....)

It does not follow that there is no implicit authentication just
because ESP is set to encryption only - this is only the case with
certain modes of key-exchange - and even then end-point authentication
may not be a requirement of the application. And it's the only way to
move data between nodes where there is address translation in between.

C.

♥Ari♥

unread,
Dec 22, 2009, 11:23:40 AM12/22/09
to
On Tue, 22 Dec 2009 04:22:43 -0800 (PST), C. wrote:

> On Dec 20, 6:52�am, Nico Kadel-Garcia <nka...@gmail.com> wrote:
>> On Dec 20, 12:43�am, karthikbalaguru <karthikbalagur...@gmail.com>
>> wrote:
>>
>>> Hi,
>>> ESP supports both 'encryption only' and 'authentication only'
>>> configurations. Interestingly, the the usage of encryption without
>>> authentication is strongly discouraged. So, why should ESP
>>> provide the support for 'encryption only' configuration ? Any
>>> specific reasons for that configuration ? Any ideas ?
>>
>>> Thx in advans,
>>> Karthik Balaguru
>>
>> What's the point of encryption if someone else can play man in the
>> middle, invent what are effectively your credentials, and tap your
>> session without your knowledge?
>
> What's the point of replying when you don't know what you are talking
> about.

She's been lost since she was outed as a biploar lesbian from the
misc.fitness weight days.
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!

Nico Kadel-Garcia

unread,
Dec 22, 2009, 6:18:14 PM12/22/09
to
On Dec 22, 7:22 am, "C." <colin.mckin...@gmail.com> wrote:
> On Dec 20, 6:52 am, Nico Kadel-Garcia <nka...@gmail.com> wrote:
>
>
>
> > On Dec 20, 12:43 am, karthikbalaguru <karthikbalagur...@gmail.com>
> > wrote:
>
> > > Hi,
> > > ESP supports both 'encryption only' and 'authentication only'
> > > configurations. Interestingly, the the usage of encryption without
> > > authentication is strongly discouraged. So, why should ESP
> > > provide the support for 'encryption only' configuration ? Any
> > > specific reasons for that configuration ? Any ideas ?
>
> > > Thx in advans,
> > > Karthik Balaguru
>
> > What's the point of encryption if someone else can play man in the
> > middle, invent what are effectively your credentials, and tap your
> > session without your knowledge?
>
> What's the point of replying when you don't know what you are talking
> about.

I was actually asking a question.

> (The only context in which the original post would seem to make any
> sense is with reference to Encapsulated Security Payload - part of the
> IPSEC protocol. Assuming that is the case....)

That's an interesting supposition, and seems quite reasonable.
However, and this is a very important however in security terms, I've
learned the very, very hard way: do not assume that a casual question
without details is actually part of a sensibly built framework.

For example, there are numerous circumstances where end-to-end
encryption existence is enabled but the authentication is basically
ignored. This is a constant issue of SSL keys in the modern world,
where many people never bother to purchase signatures for their keys
and thus, users have come to casually accept whatever key a site
happens to publish as permanently accepted, and ignore warnings about
expired keys. I've been seeing this for many years in the Linux world,
for casually set up websites and especially for Subversion
repositories where the managers cannot be bothered with the task of
registering a key.

The result is that any man-in-the-middle can intercept the traffic:
*ALL* of it, and monitor that traffic on its way to the actual target.
The data is, in fact, encrypted along most of its path. But the
authentication is nonexistent.

Similar issues occur with SSH servers: people are casual about
accepting new public SSH server keys, or even publish the same keys
across every server in an imaged OS deployment configuration, such as
Xen or VMWare snapshots. Voila! You, as a client, cannot verify which
server you are actually speaking to. This is also why it's helpful for
newly installed secure services, such as SSH and HTTPS, to generate
new keys the first time they're run. (This can actually cause boot
problems if your source of randomness is insufficient, though.)

> It does not follow that there is no implicit authentication just
> because ESP is set to encryption only - this is only the case with
> certain modes of key-exchange - and even then end-point authentication
> may not be a requirement of the application. And it's the only way to
> move data between nodes where there is address translation in between.
>
> C.

And this is interesting, thank you. Can you now see that perhaps this
is *not* what the original questioner asked about, and that we should
find out?

And a hint: if you're going to say someone doesn't know what they're
talking about, you might check out their history first. My first
network security work predates the Morris Worm. It doesn't mean I'm
right, but it does mean I've seen some things you might not have
thought of, as in the cases above.

♥Ari♥

unread,
Dec 23, 2009, 12:48:06 PM12/23/09
to
On Tue, 22 Dec 2009 15:18:14 -0800 (PST), Nico Kadel-Garcia wrote:

> And a hint: if you're going to say someone doesn't know what they're
> talking about, you might check out their history first. My first
> network security work predates the Morris Worm

So does your first love affair with Elzi.

*chortle*

Wanna-Be Sys Admin

unread,
Dec 27, 2009, 6:34:54 AM12/27/09
to
♥Ari♥ wrote:

> She's been lost since she was outed as a biploar lesbian from the
> misc.fitness weight days.

Wait... slow down. Let's not fly off the handle. What does she look
like?
--
Not really a wanna-be, but I don't know everything.

♥Ari♥

unread,
Dec 28, 2009, 3:22:45 PM12/28/09
to
On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:

> ♥Ari♥ wrote:
>
>> She's been lost since she was outed as a biploar lesbian from the
>> misc.fitness weight days.
>
> Wait... slow down. Let's not fly off the handle. What does she look
> like?

http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg

Wanna-Be Sys Admin

unread,
Dec 28, 2009, 4:14:12 PM12/28/09
to
♥Ari♥ wrote:

> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
>
>> ♥Ari♥ wrote:
>>
>>> She's been lost since she was outed as a biploar lesbian from the
>>> misc.fitness weight days.
>>
>> Wait... slow down. Let's not fly off the handle. What does she look
>> like?
>
> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg

I'm not going to click a random link. After all, once you see something,
you can't un-see it. :-)

♥Ari♥

unread,
Dec 29, 2009, 3:55:56 PM12/29/09
to
On Mon, 28 Dec 2009 13:14:12 -0800, Wanna-Be Sys Admin wrote:

> ♥Ari♥ wrote:
>
>> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
>>
>>> ♥Ari♥ wrote:
>>>
>>>> She's been lost since she was outed as a biploar lesbian from the
>>>> misc.fitness weight days.
>>>
>>> Wait... slow down. Let's not fly off the handle. What does she look
>>> like?
>>
>> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg
>
> I'm not going to click a random link. After all, once you see something,
> you can't un-see it. :-)

Point taken.

goarilla

unread,
Dec 29, 2009, 9:17:44 PM12/29/09
to
On Tue, 29 Dec 2009 15:55:56 -0500, ♥Ari♥ wrote:

> On Mon, 28 Dec 2009 13:14:12 -0800, Wanna-Be Sys Admin wrote:
>
>> ♥Ari♥ wrote:
>>
>>> On Sun, 27 Dec 2009 03:34:54 -0800, Wanna-Be Sys Admin wrote:
>>>
>>>> ♥Ari♥ wrote:
>>>>
>>>>> She's been lost since she was outed as a biploar lesbian from the
>>>>> misc.fitness weight days.
>>>>
>>>> Wait... slow down. Let's not fly off the handle. What does she look
>>>> like?
>>>
>>> http://farm3.static.flickr.com/2148/1936658580_d8396addb4_o.jpg
>>
>> I'm not going to click a random link. After all, once you see
>> something, you can't un-see it. :-)
>
> Point taken.


you can it's called alcohol
and lots of IT !

Nico Kadel-Garcia

unread,
Dec 30, 2009, 6:35:54 AM12/30/09
to
> A fireside chat not with Ari!http://tr.im/holj

> Motto: Live To Spooge It!

Oh, dear. That was Christmas morning, after moving an entire household
from overseas. A very Stallmanesque photo: I've bathed and combed my
hairs since then.

♥Ari♥

unread,
Dec 30, 2009, 1:39:50 PM12/30/09
to

Butt it was Elzi's fav photo of you.

Smooch!

0 new messages