Next: The AH Header Up: Formalizing Security Services Previous: Authentication

Confidentiality

Informally, if A and B share a secret key, K , for use with a cipher system, then if A creates a message $E_K(p) = c$, where E is the encryption function, on receipt of c , B can decrypt c by computing $D_K(c) = p$. The message p is confidential if only A and B know K and $D_K(c) = D_K(E_K(p))$. We will show that under one circumstance integrity is needed over the message c , the source IP address and the SPI to guarantee confidentiality, but that there is also a way of using encryption such that correct decryption implies integrity over c , the source IP address and the SPI.

Consider showing confidentiality over a group of fields, c , in an IP packet. Since the decryption key is retrieved from the security association table using the source IP address and SPI as an index, integrity over these fields implies that the correct key, K , is obtained. If the ciphertext that is received has not been modified in transit and the correct key is used for decryption, then $D_K(c) = D_K(E_K(p))$ will be true. Therefore, under the assumption that the secret key is known only to the sender and receiver, if there is integrity over the message c , the source IP address and the SPI, then this guarantees confidentiality for the plaintext p . Indirectly, the plaintext is also authenticated. This is the method by which confidentiality is supplied using the current version of the ESP header including the optional authentication mechanism provided with that header.

  aPrincipal RECEIVED datagram
  INTEGRITY (SRC datagram) security_association_table aPrincipal
  INTEGRITY (SPI datagram) security_association_table aPrincipal
  INTEGRITY message_field security_association_table aPrincipal
  isESPkey datagram k security_association_table
  message_field INDEXED_BY (encrypt-list datagram)
 ---------------------------------------------
  CONFID message_field security_association_table aPrincipal

Another possibility does not require integrity over the received data in order to prove confidentiality of the message, but instead uses encryption and verification of correct decryption to imply integrity. Suppose that A and B share a secret key, K , and that A creates a message $E_K(px) = c$, where x is an additional piece of information that the receiver knows or can calculate in order to verify that the message was correctly decrypted. On receipt of c , B can decrypt c by computing $D_K(c) = px$ and then check that x is correct. The message px is confidential if only A and B know K , B either knows or can compute x , and $D_K(c) = D_K(E_K(px))$. Two possibilities for the extra information x are: a second secret key K' shared only by A and B, or an unkeyed hash of a part of p (a group of fields from an IP packet, before encryption is applied). In the case that x is a hash, the ability to recognize, by verifying the value of x , that the ciphertext was decrypted correctly implies that the correct key was used for decryption; hence, for an IP packet, the SPI and IP source address were not modified during transmission. Therefore, the plaintext is also authenticated.
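The second method, as an added example that is not part of the paper: the receiver indexes a constructed security association table by (source IP, SPI) to obtain K, computes $D_K(c) = px$ with x = SHA-256(p), and accepts only if x verifies. The PRF-based XOR cipher, the table entries, the nonce and the function names are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed security association table: (source IP, SPI) -> ESP key K.
SA_TABLE = {
    ("10.0.0.1", 0x1001): b"\x11" * 32,
    ("10.0.0.1", 0x1002): b"\x22" * 32,
}
DIGEST_LEN = 32  # length of x = SHA-256(p)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 in counter mode (not an IPsec cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encrypt(key: bytes, nonce: bytes, p: bytes) -> bytes:
    """Sender: c = E_K(p || x) with x = SHA-256(p), the unkeyed hash of the plaintext."""
    px = p + hashlib.sha256(p).digest()
    return bytes(a ^ b for a, b in zip(px, keystream(key, nonce, len(px))))


def esp_receive(src: str, spi: int, nonce: bytes, c: bytes):
    """Receiver: look up K by (src, SPI), compute D_K(c) = p || x, verify x.

    Returns p on success, None when the key lookup fails, the ciphertext is too
    short, or x does not match (wrong key because src/SPI changed, or c altered).
    """
    key = SA_TABLE.get((src, spi))
    if key is None or len(c) < DIGEST_LEN:
        return None
    px = bytes(a ^ b for a, b in zip(c, keystream(key, nonce, len(c))))
    p, x = px[:-DIGEST_LEN], px[-DIGEST_LEN:]
    if not hmac.compare_digest(hashlib.sha256(p).digest(), x):
        return None
    return p
```

With a malleable (XOR-style) cipher the embedded hash detects decryption under the wrong key, but it is not a substitute for a keyed integrity check against an adversary who knows the plaintext.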
