
RE: Safety of pre-shared keys? (Re: Reliable delete notifies)
On Mon, 30 Oct 2000, Stephen Kent wrote:

> Hugo,
> 
> In principle pre-shared keys could be strong, but in practice folks 
> tend to use weak keys, e.g.,  passwords. So, the question before us 
> is whether to remove  support for pre-shared keys as a means of 
> trying to save people from themselves. Of course, many vendors are 
> eager to accommodate perceived user requirements, and so some may 
> elect to offer the facility anyway, despite any standards compliance 
> issues.
> 
> Steve
> 

I understand this point.
However, if you read the messages to this list they seem to imply that
using pre-shared keys is weak by design and not just weak by 
wrong usage. I wanted to clarify that point.

Yet, my personal opinion is that this mode should stay. It has important
functionality ranging from simple debugging and interoperability tests
(and alleviating DoS risks) to usages that provide significant
cryptographic strength. Indeed, when well managed, a strong shared key has
cryptographic advantages over public key modes. Probably very few know but
we designed the pre-shared mode with the property that in order to find
the key material generated by this mode you need break BOTH the
Diffie-Hellman algorithm AND the PRF function.

This is in CONTRAST to signature mode where the break of DH is sufficient.
Now if you believe that DH will never be broken then the two are
equivalent. I like to be on the safe side (especially with the latest
winds that call for EC groups with VERY LITTLE safety margin). Another
advantage of shared keys (if well managed) is that they will usually tend
to have a shorter life span than private keys for which there is a
certified public key.

The absolute reason in my view to prefer public-key based systems is
SCALABILITY. Thus, I have no doubt that PK techniques need to be supported
and recommended for general use.  But this does not mean that you have to
kill pre-shared mode in a well-designed standard. After all if people are
so security irresponsible to completely misuse this mode then they can do
many other stupid things (e.g., why not use 32-bit DH exponents -- it
gives you a convenient and fast DH exchange and your peer cannot even 
check that you are doing so!)

And regarding passwords: if the standard will provide a well-defined
well-designed password-based authentication mode I believe people will use
that and not pre-shared mode. As we all know such a password-based mode
can be added to IKE or decoupled via the proposed ipsra mechanisms.
So far it seems to me that people like to talk about these issues
and less to take the steps to really advance such a method in the
standards process.

Hugo
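The property Hugo describes above can be checked directly against the IKEv1 key derivation in RFC 2409 section 5. The following is an added illustration, not code from the message or from any IKE implementation: it writes out SKEYID for signature mode (prf(Ni_b | Nr_b, g^xy)) and for pre-shared-key mode (prf(pre-shared-key, Ni_b | Nr_b)), then derives SKEYID_d the same way in both modes, and models an adversary who has seen the public exchange and recovered g^xy. HMAC-SHA1 as the prf, the nonces, cookies, the shared secret g^xy and the pre-shared key are all constructed sample values chosen for the example.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf. The hash is negotiated per SA; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_signature_mode(ni: bytes, nr: bytes, gxy: bytes) -> bytes:
    # RFC 2409 section 5, authentication with signatures:
    #   SKEYID = prf(Ni_b | Nr_b, g^xy)
    # Every input is either on the wire (nonces) or the DH secret.
    return prf(ni + nr, gxy)


def skeyid_preshared_mode(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5, authentication with a pre-shared key:
    #   SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    # The prf is keyed by the secret; g^xy does not enter at this step.
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    # Common to all modes (RFC 2409 section 5):
    #   SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    #   SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    #   SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    # g^xy is folded in again here, so pre-shared mode binds the keys to
    # BOTH the pre-shared key (via SKEYID) and the DH secret.
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def derive_skeyid_d(mode: str, transcript, gxy: bytes, psk: bytes = None) -> bytes:
    """Compute SKEYID_d from what a party knows.

    transcript: (Ni_b, Nr_b, CKY-I, CKY-R), all visible on the wire.
    gxy: the DH shared secret (known to the peers, or recovered by an
         adversary who broke DH).
    psk: the pre-shared key, only needed in 'psk' mode.
    """
    ni, nr, cky_i, cky_r = transcript
    if mode == "sig":
        skeyid = skeyid_signature_mode(ni, nr, gxy)
    elif mode == "psk":
        if psk is None:
            raise ValueError("pre-shared mode needs the pre-shared key")
        skeyid = skeyid_preshared_mode(psk, ni, nr)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return derive_keys(skeyid, gxy, cky_i, cky_r)[0]


# Constructed sample values (not from any real exchange).
NI = bytes.fromhex("00112233445566778899aabbccddeeff")      # initiator nonce
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")      # responder nonce
CKY_I = bytes.fromhex("0102030405060708")                   # initiator cookie
CKY_R = bytes.fromhex("f1f2f3f4f5f6f7f8")                   # responder cookie
GXY = b"\x5a" * 128          # stand-in for a 1024-bit DH shared secret
PSK = b"example-preshared-key-for-illustration"


def demo() -> dict:
    """Compare what an adversary who recovered g^xy can derive in each mode."""
    transcript = (NI, NR, CKY_I, CKY_R)
    real_sig = derive_skeyid_d("sig", transcript, GXY)
    real_psk = derive_skeyid_d("psk", transcript, GXY, psk=PSK)
    return {
        # Signature mode: transcript + g^xy is everything; a DH break suffices.
        "sig_mode_falls_to_dh_break":
            derive_skeyid_d("sig", transcript, GXY) == real_sig,
        # Pre-shared mode: g^xy alone gets nothing without the prf key.
        "psk_mode_survives_dh_break":
            derive_skeyid_d("psk", transcript, GXY, psk=b"wrong-guess") != real_psk,
        # ...and the pre-shared key alone gets nothing without g^xy either.
        "psk_mode_needs_dh_secret_too":
            derive_skeyid_d("psk", transcript, b"\x00" * 128, psk=PSK) != real_psk,
        # A weak, guessable pre-shared key is exactly the residual risk Steve raised.
        "psk_mode_falls_to_psk_guess":
            derive_skeyid_d("psk", transcript, GXY, psk=PSK) == real_psk,
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

The last entry in the dictionary makes the two messages above line up: the pre-shared mode is only as strong as the weaker of the DH group and the pre-shared key, so a well-managed random key gives the "break BOTH" guarantee while a password as the pre-shared key throws that advantage away.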