Informally, suppose A and B share a secret key, K, for use with a
cipher system. If A creates a message where E is the encryption function,
then on receipt of c, B can decrypt c by computing
.
The message p is confidential if only A and B know K and
. We will show that, under one circumstance,
integrity over the message c, the source IP address
and the SPI is needed to guarantee confidentiality, but that there is
also a method for using encryption such that encryption
implies integrity over c, the source IP address and the SPI.
Consider showing confidentiality over a group of fields, c, in an IP packet.
Since the decryption key is retrieved from the security
association table using the source IP address and SPI as an index,
integrity over these fields implies that the correct key, K, is retrieved.
If the ciphertext that is received has not been modified in transit
and the correct key is used for decryption, then
will be true. Therefore, under the assumption that
the secret key is known only to the sender and receiver,
if there is integrity over the message c, the source IP address
and the SPI, then this guarantees confidentiality for the plaintext p.
Indirectly, the plaintext is also authenticated.
This is the method by which confidentiality is supplied using the
current version of the ESP header including the optional authentication
mechanism provided with that header.
Expressed as an inference rule (premises above the line, conclusion below):

    aPrincipal RECEIVED datagram
    INTEGRITY (SRC datagram) security_association_table aPrincipal
    INTEGRITY (SPI datagram) security_association_table aPrincipal
    INTEGRITY message_field security_association_table aPrincipal
    isESPkey datagram k security_association_table
    message_field INDEXED_BY (encrypt-list datagram)
    ---------------------------------------------
    CONFID message_field security_association_table aPrincipal
Another possibility does not
require integrity over the received data in order to prove confidentiality
of the message but instead uses encryption and verification of
correct decryption to imply integrity.
Suppose that A and B share a secret key, K,
and that A creates a message where x is an additional piece of information that the receiver
knows or can calculate
to verify that the message was correctly decrypted.
On receipt of c, B can decrypt c by computing
and then check that x is correct.
The message px is confidential if only A and B know K,
B either knows or can compute x, and
.
Two possibilities for the extra information x are:
a second secret key K' shared only by A and B or an unkeyed hash of
a part of p (a group of fields from an IP packet, before encryption
is applied).
In the case that x is a hash,
the ability to recognize, by verifying the value of x,
that the ciphertext was decrypted correctly
implies that the correct key was used for decryption,
hence for an IP packet the SPI and IP source address were not modified during
transmission. Therefore, the plaintext is also authenticated.
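The following is an added example, not code from the paper, that models both arguments above side by side: the first method (a keyed integrity check over c, the source IP address and the SPI, as in ESP with its authentication option) and the second method (encrypting p together with an unkeyed hash x of p and verifying x after decryption). Everything in it is constructed for illustration: the security association table indexed by (source IP, SPI), the two SAs and their keys, the per-packet IV, and the cipher, which is an HMAC-SHA256 keystream XORed with the data rather than any real ESP transform. The receiver functions return the plaintext only when the checks pass and None otherwise, so the effect of an SPI or ciphertext altered in transit can be observed directly.

```python
"""Toy model of the two confidentiality arguments: (1) keyed integrity over the
ciphertext, source IP and SPI; (2) encryption of p || x with x = hash(p).
Constructed for illustration; the cipher and SA table are invented, not ESP's."""
import hashlib
import hmac
import struct
from typing import Any, Dict, Optional, Tuple

Packet = Dict[str, Any]

# Constructed security association table, indexed by (source IP address, SPI)
# as in the text. Each SA holds its own encryption key and authentication key.
SA_TABLE: Dict[Tuple[str, int], Dict[str, bytes]] = {
    ("10.0.0.1", 0x1001): {"enc": b"sa-1001-encryption-key", "auth": b"sa-1001-auth-key"},
    ("10.0.0.1", 0x1002): {"enc": b"sa-1002-encryption-key", "auth": b"sa-1002-auth-key"},
}


def lookup_sa(src_ip: str, spi: int) -> Optional[Dict[str, bytes]]:
    """Retrieve the SA, and so the key K, using source IP address and SPI as index."""
    return SA_TABLE.get((src_ip, spi))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, iv || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def E(key: bytes, iv: bytes, data: bytes) -> bytes:
    """c = E_K(p) as a keystream XOR; applying E again with the same key and IV decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def _header(src_ip: str, spi: int, iv: bytes) -> bytes:
    """The fields the text requires integrity over, besides c: source IP and SPI."""
    return src_ip.encode() + struct.pack(">I", spi) + iv


# ---- Method 1: integrity over c, the source IP address and the SPI ---------------

def send_with_icv(src_ip: str, spi: int, iv: bytes, p: bytes) -> Packet:
    sa = SA_TABLE[(src_ip, spi)]
    c = E(sa["enc"], iv, p)
    icv = hmac.new(sa["auth"], _header(src_ip, spi, iv) + c, hashlib.sha256).digest()
    return {"src": src_ip, "spi": spi, "iv": iv, "c": c, "icv": icv}


def receive_with_icv(pkt: Packet) -> Optional[bytes]:
    """Return p only if the SA is found and the ICV verifies; otherwise None."""
    sa = lookup_sa(pkt["src"], pkt["spi"])
    if sa is None:
        return None
    expected = hmac.new(sa["auth"], _header(pkt["src"], pkt["spi"], pkt["iv"]) + pkt["c"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["icv"]):
        return None  # c, source IP or SPI was modified: the retrieved key cannot be trusted
    return E(sa["enc"], pkt["iv"], pkt["c"])


# ---- Method 2: encrypt p || x, where x is an unkeyed hash of p -------------------

def send_with_redundancy(src_ip: str, spi: int, iv: bytes, p: bytes) -> Packet:
    sa = SA_TABLE[(src_ip, spi)]
    x = hashlib.sha256(p).digest()  # the receiver can recompute x from p
    return {"src": src_ip, "spi": spi, "iv": iv, "c": E(sa["enc"], iv, p + x)}


def receive_with_redundancy(pkt: Packet) -> Optional[bytes]:
    """Decrypt, then accept p only if the recovered x equals hash(p)."""
    sa = lookup_sa(pkt["src"], pkt["spi"])
    if sa is None:
        return None
    px = E(sa["enc"], pkt["iv"], pkt["c"])
    if len(px) < 32:
        return None
    p, x = px[:-32], px[-32:]
    if not hmac.compare_digest(hashlib.sha256(p).digest(), x):
        return None  # wrong key (altered SPI or source IP) or altered ciphertext
    return p


def demo() -> Dict[str, bool]:
    """Run both methods on a constructed packet and on two in-transit modifications."""
    p = b"constructed inner payload"
    iv = b"\x00\x00\x00\x00\x00\x00\x00\x01"  # constructed per-packet IV
    results: Dict[str, bool] = {}
    for name, send, recv in (("icv", send_with_icv, receive_with_icv),
                             ("redundancy", send_with_redundancy, receive_with_redundancy)):
        pkt = send("10.0.0.1", 0x1001, iv, p)
        results[name + "_accepts_genuine"] = recv(pkt) == p
        # An SPI altered in transit indexes the other SA, so the wrong key is retrieved.
        results[name + "_rejects_altered_spi"] = recv(dict(pkt, spi=0x1002)) is None
        # One ciphertext byte altered in transit.
        c = bytearray(pkt["c"])
        c[0] ^= 0x80
        results[name + "_rejects_altered_c"] = recv(dict(pkt, c=bytes(c))) is None
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Both receivers reject a packet whose SPI was changed to index a different SA, which is the point of the text: in the first method the ICV computed under the wrongly retrieved key fails, and in the second the decryption under the wrong key does not reproduce x. The second method's check, however, only detects that the decryption came out wrong; how much an attacker can control about a modified plaintext depends on the cipher mode, which is why deployed ESP pairs encryption with a keyed ICV or uses a combined authenticated-encryption mode rather than relying on redundancy alone.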