[VOIPSEC] splitting hairs over "authentication" (or not)

Zmolek, Andrew (Andy) zmolek at avaya.com
Wed Jun 21 12:44:38 CDT 2006


OK, since it's my phrase that's being quoted out of context here, let me
clarify and then I will add my $0.02 about the differences. My original
point was that if a specific mechanism like a global PKI supported aspects
of both authentication and encryption, then it was splitting hairs to
attribute the benefit to just authentication.

What I'm NOT saying is that the packet authentication that happens with
SRTP is somehow equivalent to SIP user authentication (registration,
outbound proxy, inbound proxy, etc.) or any authentication between
intermediate proxies (rarely seen). These are all distinct forms of
authentication in the SIP world, and I'm sure I could come up with a few
more authentication examples within the protocol for other specific
purposes.


/\\//\Y/\   Andy Zmolek  |  zmolek at avaya.com  |  303-538-6040 
            Senior Manager, Security Planning and Strategy
            GCS Security Technology Development  |  Avaya, Inc. 


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Bill Flanagan
Sent: Tuesday, June 20, 2006 6:45 PM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] splitting hairs over "authentication" (or not)

Not splitting hairs at all.  There are two distinct functions here,
--authentication = assurance that the user/correspondent is as
identified  (user/password and up)
--encryption = preventing other parties from reading the message (DES, AES)

and we might add a couple of other related concepts that need to be
distinguished as well:
--non-repudiation = proof that the indicated party actually participated
in the transaction.  (digital signature)
--verification = protection against change of message content (I'm NOT
calling this authentication)  (signed hash, etc.)

If we don't have a lexicon for our concepts, we can never discuss them
fruitfully because we'll never be certain of what anyone else is
saying.

Bill
(who learned that in Physics, not English classes)


Voipsec-request at voipsa.org wrote:

>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 20 Jun 2006 09:34:30 -0400
>From: "Geoff Devine" <gdevine at cedarpointcom.com>
>Subject: Re: [VOIPSEC] An issue of trust?
>To: <Voipsec at voipsa.org>
>Message-ID: <9CDE330E7358724EA30D93598D24DE4A01F2FA29 at exchange.cedarpointcom.com>
>Content-Type: text/plain;	charset="us-ascii"
>
>Andy Zmolek writes:
>
>>Splitting hairs about authentication vs. encryption
>
><snip>
>
>I struggle with the terminology.  The way I (mis?)use the term 
>authentication, it can mean both:
>
>Logging In: IKE, Kerberos, SIP digest...  I guess this is "session 
>authentication"
>
>Per-packet trust mechanism: SHA1, MMH...  I guess this is "packet 
>authentication"
>
>From context, it's not always obvious to me which one someone is talking
>about.  Are there better terms to distinguish between these two very 
>different chunks of security technology?
>
>Geoff
>
--
____________________________________________
William Flanagan        Ph:  +1.703.242.8381
Flanagan Consulting     Fx:  +1.703.242.8391
45472 Holiday Dr. #3, Sterling, VA 20166 USA www.flanagan-consulting.com

"Beware of false knowledge; it is more dangerous than ignorance."
                                        --George Bernard Shaw


