[p2p-hackers] amicima's MFP - preannouncement
Lauri Pesonen
lauri.pesonen at gmail.com
Tue Jul 19 09:15:32 UTC 2005
On 7/19/05, Matthew Kaufman <matthew at matthew.at> wrote:
>
> It actually looks quite like IPSEC ESP without AH... Consider the session ID
> as the security association identifier and go from there.
I'm sure you are aware that encryption only without authentication is
considered a bad idea in crypto circles (even the IPSec RFCs warn
against it), and I assume you have decided to go against the grain
here for performance reasons. That does not change the fact that it's
a bad idea. Recently there was an attack published on IPSec with ESP
and without AH:
http://www.uniras.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
And some discussion on sci.crypt:
http://groups-beta.google.com/group/sci.crypt/browse_frm/thread/33dd95c9697f46c4?hl=en&
Now the attack is a very special case and, from a practical point of
view, does not give the attacker a huge advantage. This might be
even more true for MFP. But it does show that encryption without
authentication is a bad idea and does give the attacker _an_
advantage. And as history shows, any advantage in crypto tends to grow
bigger as attacks evolve in time.
I think you should look again at your performance requirements and
re-evaluate whether adding authentication incurs an unacceptable
performance hit. Basically at the moment you are going against
time-proven crypto thinking.
> Matthew
--
! Lauri
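The point above, that an encrypt-only packet (ESP without authentication) accepts modified ciphertext silently while an authenticated one rejects it, as an added example that is not from this thread or from amicima's MFP. The cipher is an HMAC-SHA256 counter-mode keystream standing in for ESP's cipher, and the keys, session id and payload are constructed values.

```python
# Added example: a toy "session id || seq || ciphertext" packet, first
# encrypt-only, then with an encrypt-then-MAC tag covering the whole packet.
# The keystream is a PRF (HMAC-SHA256) in counter mode, a stand-in for the
# real cipher; nothing here is MFP's actual wire format.
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def keystream(key: bytes, session_id: int, seq: int, length: int) -> bytes:
    """Keystream blocks: HMAC(key, session_id || seq || block_index)."""
    out, block = b"", 0
    while len(out) < length:
        msg = struct.pack(">IIQ", session_id, seq, block)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_encrypt_only(key: bytes, session_id: int, seq: int, payload: bytes) -> bytes:
    """Encrypt-only packet: header || ciphertext, with nothing binding the bytes."""
    header = struct.pack(">II", session_id, seq)
    return header + xor(payload, keystream(key, session_id, seq, len(payload)))

def open_encrypt_only(key: bytes, packet: bytes) -> bytes:
    """Decrypts whatever arrives; any change to the ciphertext just changes the output."""
    session_id, seq = struct.unpack(">II", packet[:8])
    body = packet[8:]
    return xor(body, keystream(key, session_id, seq, len(body)))

def seal_authenticated(enc_key: bytes, mac_key: bytes, session_id: int, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers header and ciphertext (the role AH / ESP auth plays)."""
    packet = seal_encrypt_only(enc_key, session_id, seq, payload)
    return packet + hmac.new(mac_key, packet, hashlib.sha256).digest()

def open_authenticated(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Returns the payload, or None when the tag does not verify (packet is dropped)."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return open_encrypt_only(enc_key, body)

def damage_byte(packet: bytes, index: int) -> bytes:
    """Simulate one byte altered in transit (e.g. by a middlebox or line noise)."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]
```

With the encrypt-only format a damaged packet decrypts without any error and only one plaintext byte differs, which is exactly the "advantage" the thread is about; the authenticated format returns None and the receiver can drop the packet.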