[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CERT statement



On Fri, 27 Jan 1995, Perry E. Metzger wrote:

> If things are merely encrypted, an attacker can garble them without
> being caught -- I can "decrypt" random numbers into other random
> numbers if I want.  Think of an attacker trying to sabotage the
> transfer of a binary file and you'll see why you need authentication.

You certainly need some kind of encrypted secure checksum (MAC) to ensure 
message integrity.  I don't think you have to go through the 
entire authentication of the principal.  (Though as V. Gligor keeps 
showing, even if you have a MAC at the end of your data, there are still 
some kinds of integrity attacks which are possible if you are not careful 
about how MACs and encryption is used).

Now if you are talking about simple denial-of-service (detected tampering
or traffic flooding), that is another more difficult story. 

-Thomas