[VOIPSEC] An issue of trust?
stuart jacobs
stu.jacobs at verizon.com
Wed Jun 21 07:12:03 CDT 2006
You cannot do data origin authentication based on:
"socket source address checking against a list of approved IP addresses"
as this received information is easily changed without detection. Data
Origin authentication requires use of some form of encryption or keyed
hash.
stu
On Jun 20, 2006, at 11:17 PM, Simon Horne wrote:
> At 12:50 AM 21/06/2006, you wrote:
>> I like Stu's definitions to distinguish between the two fundamental
>> types
>> of authentication - peer-entity and data origin. I'd suggest using
>> those,
>> at least on an informal basis, if one doesn't wish to attempt to put
>> the
>> industry stamp of approval on them via a (lengthy) standards process.
>
> I think you can define data origin authentication much like the
> classic CAL
> with a message's socket source address checking against a list of
> approved
> IP addresses. peer-entity is much more in the line of the remote entity
> supplying something (username, password, PKI) for the purpose of
> authentication.
>
> In OpenH323 I just called peer-entity authentication "Caller
> Authentication" when I wrote the stuff in but having a common agreed
> term
> does make sense and save a lot of possible confusion.
>
> Simon
>
>
>> dps
>>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
>> Behalf Of Geoff Devine
>> Sent: Tuesday, June 20, 2006 8:10 AM
>> To: stuart jacobs
>> Cc: Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] An issue of trust?
>>
>>
>> Right. But people use "authentication" to mean both things and it is
>> often difficult to tell by context which one they are talking about.
>> I've seen this happen fairly frequently on this email reflector.
>>
>> We live in an industry where our technical jargon is meant to be very
>> precise. It would be useful to have two different terms. Does anyone
>> have any suggestions?
>>
>> Geoff
>>
>> -----Original Message-----
>> From: stuart jacobs [mailto:stu.jacobs at verizon.com]
>> Sent: Tuesday, June 20, 2006 10:34 AM
>> To: Geoff Devine
>> Cc: Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] An issue of trust?
>>
>> Logging in is user or peer-entity authentication
>>
>> per-packet trust mechanism is data origin authentication
>>
>> On Jun 20, 2006, at 9:34 AM, Geoff Devine wrote:
>>
>>> Andy Zmolek writes:
>>>
>>>> Splitting hairs about authentication vs. encryption
>>>
>>> <snip>
>>>
>>> I struggle with the terminology. The way I (mis?)use the term
>>> authentication, it can mean both:
>>>
>>> Logging In: IKE, Kerberos, SIP digest... I guess this is "session
>>> authentication"
>>>
>>> Per-packet trust mechanism: SHA1, MMH... I guess this is "packet
>>> authentication"
>>>
>>> From context, it's not always obvious to me which one someone is
>>> talking
>>> about. Are there better terms to distinguish between these two very
>>> different chunks of security technology?
>>>
>>> Geoff
>>>
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>
>>>
>> ========================================================
>> Stuart Jacobs, CISM, CISSP
>> PMTS - Sr. Technologist
>> Network Security
>> Verizon Laboratories
>> 40 Sylvan Road
>> Waltham MA 02451-1128
>> (781) 466-3076
>>
>>
>
>
>
>
>
========================================================
Stuart Jacobs, CISM, CISSP
PMTS - Sr. Technologist
Network Security
Verizon Laboratories
40 Sylvan Road
Waltham MA 02451-1128
(781) 466-3076
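To make the distinction concrete, here is an added example (not from the list thread or any of the posters) contrasting the two checks discussed above. The allowlist, the 192.0.2.x addresses, the shared key and the SIP-looking payloads are all constructed for the illustration; HMAC-SHA256 stands in for "some form of keyed hash" (the thread mentions SHA1 and MMH), and the per-packet sequence number is an addition that covers replay of genuine packets, which a keyed hash alone does not. Note that the shared key the receiver verifies against has to come from somewhere, normally the peer-entity authentication and key exchange (IKE, etc.), which is how the two kinds of authentication fit together.

```python
"""
Source-address allowlisting vs. keyed-hash per-packet (data origin)
authentication. Added illustration; every address, key and packet here
is constructed and not taken from any real deployment.
"""
import hashlib
import hmac
import struct

# Constructed allowlist of "approved" source addresses (the CAL-style check).
APPROVED_SOURCES = {"192.0.2.10"}

# Constructed shared secret. In practice it is established by peer-entity
# authentication / key exchange, never a hard-coded constant.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def accept_by_source_address(packet):
    """Trust the packet because its (claimed) source address is approved.

    The source address is just a field the sender fills in, so anyone who
    can inject packets can set it to an approved value without detection.
    """
    return packet["src"] in APPROVED_SOURCES


def _auth_input(src, seq, payload):
    # Bind source address, sequence number and payload into the keyed hash,
    # so changing any one of them invalidates the tag.
    return src.encode("ascii") + struct.pack("!I", seq) + payload


def build_packet(key, src, seq, payload):
    """Sender side: attach an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, _auth_input(src, seq, payload), hashlib.sha256).digest()
    return {"src": src, "seq": seq, "payload": payload, "tag": tag}


def accept_by_keyed_hash(key, packet, last_seq):
    """Receiver side: data origin authentication with a keyed hash.

    Returns (accepted, new_last_seq). A valid tag proves the packet was
    produced by a holder of `key`; the monotonic sequence number rejects
    replays of genuine packets.
    """
    expected = hmac.new(
        key, _auth_input(packet["src"], packet["seq"], packet["payload"]),
        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        return False, last_seq          # forged or modified in transit
    if packet["seq"] <= last_seq:
        return False, last_seq          # replay of an earlier packet
    return True, packet["seq"]


def run_scenarios():
    """Outcome of (source-address check, keyed-hash check) for four packets."""
    results = {}
    last_seq = 0

    # 1. Genuine packet from the legitimate key holder.
    genuine = build_packet(SHARED_KEY, "192.0.2.10", 1, b"INVITE sip:bob")
    ok, last_seq = accept_by_keyed_hash(SHARED_KEY, genuine, last_seq)
    results["genuine"] = (accept_by_source_address(genuine), ok)

    # 2. Attacker without the key spoofs an approved source address.
    spoofed = build_packet(b"attacker-guess", "192.0.2.10", 2, b"BYE sip:bob")
    ok, last_seq = accept_by_keyed_hash(SHARED_KEY, spoofed, last_seq)
    results["spoofed"] = (accept_by_source_address(spoofed), ok)

    # 3. Attacker alters the payload of a genuine packet in transit.
    tampered = build_packet(SHARED_KEY, "192.0.2.10", 2, b"INVITE sip:bob")
    tampered["payload"] = b"INVITE sip:mallory"
    ok, last_seq = accept_by_keyed_hash(SHARED_KEY, tampered, last_seq)
    results["tampered"] = (accept_by_source_address(tampered), ok)

    # 4. Attacker replays the genuine packet captured in step 1.
    ok, last_seq = accept_by_keyed_hash(SHARED_KEY, genuine, last_seq)
    results["replayed"] = (accept_by_source_address(genuine), ok)
    return results


if __name__ == "__main__":
    for name, (by_addr, by_mac) in run_scenarios().items():
        print(f"{name:9s} source-address check: {by_addr!s:5s} "
              f"keyed-hash check: {by_mac}")
```

The source-address check accepts all four packets, including the spoofed, tampered and replayed ones, because it only looks at a field under the sender's control; the keyed-hash check accepts exactly the genuine packet.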