Nicholas,
On Dec 7, 2013, at 4:09 PM, Bruce Perens <[email protected]> wrote:
Well, we do have some HTTP uses where encryption that hides the content won't
be allowed, and thus authentication is important.
We can't have encryption when we use HTTP over Amateur Radio in the US and many
other countries. There is self-policing on ham frequencies that requires that
people be able to copy other people's transmissions, and encryption defeats
that. Obviously we don't put confidential data on those frequencies, that
belongs on your cell phone. So, an authentication-only WiFi protocol is needed
for Amateur Radio, and possibly an authentication-only version of TLS.
NO!!!!
The reason is downgrade attacks. A huge problem with the IPSec standard is
that NULL encryption was allowed in there, and also known weak modes (single
DES, 720b D/H etc). Its one of the primary reasons why John Gilmore and
therefore others feel the IPSec process was sabotaged by the NSA.
John's assertions in this context are not informed by participation in
the IPsec WG process at that time, to the best of my recollection.
To explicitly support downgraded, athuentication w/o encryption is STUPID! it
is DANGEROUS!
Not at all. We already had AH; we offered ESP with NULL encryption as a
more
efficient way to achieve the same security goals.
About the only thing that is not a horrid idea is to have the key exchange
generate a separate MAC and encryption key, using an encrypt then MAC
structure. Yet that loses out on the benefit of authenticated encryption
modes that build the MAC into the communication.
The use of distinct algs for the distinct security services was
consistent with the standard alg options of the original time frame.
Note that combined mode algs, that offer confidentiality and integrity,
are explciitly accommodated in later versions of the specs, e.g., 4303.
Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
