user13965225

Why is the ESP extension header integrity protected but not encrypted?

[Image: ESP header + IP datagram]

As you see in the picture, part of ESP header is only authenticated but not encrypted. Why is that?

Upvotes: 0

Views: 179

Answers (1)

Wippo

Reputation: 963

  • Authentication = I am sure of the identity of the person who sent the message.
  • Encryption = I can only understand the message if I have the decryption key.

Here encryption is not done because that unencrypted ESP portion is used by the other terminal to construct the key with which to decrypt the rest of the message. If a message (regardless of technology) is used to distribute or construct a key, then I cannot encrypt it using the same key, simply because the other device would never know how to translate it. Remote key exchanges work this way: you don't encrypt your portion of the key but focus on authentication. The algorithms generally used for these purposes (I think, for example, of Diffie–Hellman) are designed to be robust against brute-force attacks but are vulnerable to man-in-the-middle attacks; this is why strong authentication is required.

Upvotes: 1
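Added example, not part of the question or the answer above: a minimal Python model of the ESP packet layout from RFC 4303, showing which bytes the picture marks as "authenticated only" and which as "encrypted". The receiver reads the clear-text SPI and Sequence Number first (to select the Security Association and run the anti-replay check), verifies the ICV over the header plus the encrypted body, and only then decrypts. The SA table, the keys and the stream cipher (an HMAC-derived keystream standing in for AES so the block runs with the standard library alone) are all constructed for this example; HMAC-SHA-256-128 is assumed for the ICV.

```python
import hashlib
import hmac
import struct

# Outer ESP layout (RFC 4303):
#   SPI (4) | Sequence Number (4) | Payload | Padding | Pad Length (1) | Next Header (1) | ICV
# SPI and Sequence Number are sent in the clear; Payload through Next Header is encrypted;
# the ICV covers SPI + Sequence Number + the encrypted body (the "authenticated" span in the picture).
ICV_LEN = 16  # assumed HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)


def make_sad():
    """Constructed Security Association Database: one inbound SA with sample keys (not real keys)."""
    return {
        0x00001000: {
            "spi": 0x00001000,
            "enc_key": bytes.fromhex("00112233445566778899aabbccddeeff"),
            "auth_key": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
            "last_seq": 0,  # simplified anti-replay state (no sliding window)
        }
    }


def _keystream(enc_key, spi, seq, length):
    """Stand-in stream cipher built from HMAC, constructed so the example needs only the stdlib.
    Real ESP uses AES-CBC, AES-CTR or AES-GCM here; the packet layout logic is unchanged."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(sa, seq, payload, next_header=4):
    """Build an ESP packet: clear-text header, encrypted body, ICV over header + body."""
    # Pad so that Pad Length + Next Header end on a 32-bit boundary (RFC 4303 section 2.4);
    # default padding bytes are 1, 2, 3, ...
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack(">II", sa["spi"], seq)
    ciphertext = _xor(body, _keystream(sa["enc_key"], sa["spi"], seq, len(body)))
    # The ICV is computed over the clear-text header as well: a receiver detects any change to
    # SPI or Sequence Number in transit, even though those fields are readable by everyone.
    icv = hmac.new(sa["auth_key"], header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def peek_header(packet):
    """Anyone on the path can read SPI and Sequence Number: no key is needed."""
    return struct.unpack(">II", packet[:8])


def esp_decapsulate(sad, packet):
    """Receiver side: SA lookup by clear-text SPI, anti-replay check, ICV check, then decrypt."""
    spi, seq = peek_header(packet)
    sa = sad.get(spi)  # the clear-text SPI selects the SA (and so the keys) before any crypto runs
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    if seq <= sa["last_seq"]:
        raise ValueError("replayed or out-of-window sequence number")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: header or body was modified")
    ciphertext = authed[8:]
    body = _xor(ciphertext, _keystream(sa["enc_key"], spi, seq, len(ciphertext)))
    pad_len, next_header = body[-2], body[-1]
    sa["last_seq"] = seq  # advance replay state only after the ICV verified
    return next_header, body[:len(body) - 2 - pad_len]
```

Running `esp_decapsulate` on a packet whose Sequence Number byte has been flipped raises an ICV mismatch before any decryption happens, and feeding the same packet twice is rejected by the anti-replay check, which is exactly what the receiver can only do because those fields are readable yet integrity protected.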
