
Re: Safety of pre-shared keys? (Re: Reliable delete notifies)



Thanks, I think it helps. I really didn't have sufficient time to read it,
but here's how I understood it:

Aggressive mode is vulnerable to off-line attacks against the pre-shared
key because HASH_I contains enough information about it, and it's transmitted
unencrypted. Main mode has no such vulnerability because HASH_I is transmitted
encrypted.

So, informed GUESSING would produce the additional results:
- Aggressive mode with 3rd msg. encrypted is still vulnerable since the same
  information can probably be obtained from HASH_R.
- Base mode has a similar vulnerability.

Ari

William Dixon wrote:
> 
> Ari, does John Pliam's paper answer your question on "what would it take
> to fool authentication based on pre-shared keys" ?
> 
> http://www.ima.umn.edu/~pliam/xauth/
> 
> -----Original Message-----
> From: Ari Huttunen [mailto:Ari.Huttunen@F-Secure.com]
> Sent: Saturday, October 21, 2000 5:02 PM
> To: Henry Spencer
> Cc: Jan Vilhuber; ipsec
> Subject: Safety of pre-shared keys? (Re: Reliable delete notifies)
> 
> Henry Spencer wrote:
> >
> > On Mon, 9 Oct 2000, Jan Vilhuber wrote:
> > > With pure public keys, you need TWO of them. Granted, I can provision
> > > every box with the same private key, which would make it equivalent to
> > > the above group-pre-shared key scenario. But in reality you need two
> > > public keys, where before you had a single pre-shared key.
> >
> > Consider them two halves of the same shared secret.  There's no
> > fundamental difference...
> 
> Incorrect. With a pre-shared key you have one key that is secret. With
> public keys, you have two keys, one of which is public, one is secret.
> I'm quite sure everyone on this list knows this much..
> 
> Now, if you have that public key, you CAN give it to some mechanical
> calculator for cracking. Eventually that machine will produce a result,
> and if it's based on quantum computing you might actually get a result
> before the Big Crash (if any).
> 
> Out of curiosity, what would one need to fool authentication based on
> pre-shared keys, assuming only knowledge of things-on-the-wire? Would the
> method learn the value of the pre-shared key or something else? (Would it
> be safe against quantum computers?)
> 
> Ari
> 
> --
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
> 
> F-Secure Corporation       http://www.F-Secure.com
> 
> F-Secure products: Integrated Solutions for Enterprise Security

-- 
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

F-Secure Corporation       http://www.F-Secure.com 

F-Secure products: Integrated Solutions for Enterprise Security
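
Added note, not part of the original message: the RFC 2409 (section 5)
definitions for pre-shared key authentication, in the RFC's own notation,
which show why the exchange mode matters here.

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

In aggressive mode the first two messages travel in the clear and carry
SA, KE, Ni, IDii and then SA, KE, Nr, IDir, HASH_R. Every input to HASH_R
except pre-shared-key is therefore visible to a passive observer, so HASH_R
serves as an offline check value for any guessed key, and the exchange is
only as strong as the entropy of the pre-shared key. In main mode the
identities and both HASH payloads travel in messages 5 and 6, encrypted
under a key derived from SKEYID and g^xy, so a passive observer never sees
such a check value.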

