Is encryption useless without authentication?

by Gene Michael Stover

created Thursday, 2021 December 9
updated Tuesday, 2022 July 19

Someone told me that “Encryption is useless without authentication”.

I disagree.

Think about this simple description of a protocol...

Client connects to server. (Just an octet-by-octet communication channel, such as TCP.)
Client & server use the Diffie-Hellman key exchange method to establish a shared secret. (This does not require or establish authentication.)
With the shared secret, the parties could use encryption for privacy or to detect tampering.

It's not theoretical. This is how Transport Layer Security (TLS) works. It establishes privacy before authenticating either side. So it uses encryption to achieve privacy without authentication. The authentication occurs later in the protocol. So encryption is used without authentication; in fact, it's an assumption before the protocol attempts to authenticate.

Change Log

when	who	what
2021-12-08	gene	play
2022-07-19	gene	update

cybertiggyr.com