[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: On shared keys

To: Sami Vaarala <sami.vaarala@netseal.com>
Subject: Re: On shared keys
From: Derek Atkins <warlord@mit.edu>
Date: 30 Nov 2001 09:22:40 -0500
Cc: Henry Spencer <henry@spsystems.net>, IPsec WG <ipsec@lists.tislabs.com>
In-Reply-To: Sami Vaarala's message of "Fri, 30 Nov 2001 00:42:54 +0200 (EET)"
References: <Pine.LNX.4.10.10111300039060.2707-100000@localhost.localdomain>
Sender: owner-ipsec@lists.tislabs.com

Sami Vaarala <sami.vaarala@netseal.com> writes:

> On 29 Nov 2001, Derek Atkins wrote:
> > Henry Spencer <henry@spsystems.net> writes:
> > > In what way is it worse than old-style shared secrets?  *That* is the
> > > crucial question.
> > 
> > It may be easier to break the RSA key if it's generated with a
> > 'weakly-seeded' PRNG than if the 'weak seed' is used directly.
> 
> I'm not a cryptographist -- can you explain to me why?
> I would expect the RSA keypair to be weaker if the
> pre-shared key had more entropy than the resulting
> RSA key.  But is this the case with the average PSK?

First, the term is "cryptographer"....  Second, please be explicit
when you use the term PSK (Pre-Shared Key), are you talking about a
Pre-Shared Secret Key or a Pre-Shared Public Key?  Please be explicit,
as many of us are arguing that Pre-Shared Public Keys are sufficient.

Third, I can try to explain it.  An average RSA key is 1024-2048 bits
long.  This implies you really need about 1024-2048 bits of entropy
(note that you actually have less that that, because you always know
that the first and last bits are 1, and you know the number has a
particular form, but for brevity of this explanation let's call it the
full length even though it may be a few bits less).

An average shared secret maybe has 50 bits of entropy, if you're
lucky.  The problem is that if you generate an RSA key (requiring
1024-2048 bits of entropy) from a source that only has 50 bits of
entropy, your RSA key effectively has only 50 bits of entropy in it.
This implies that on average only one in every 20-40 bits is truly
random (the others wind up depending on the values of the random
bits).

This implies that there is a lot of redundant, non-random information
in the public key which can make breaking the key much easier.
Considering the key-generation mechanism must be well-known, it means
that you have an easier time determining which bits are the random
ones, which ones are not, and how they relate to each other.

To give a real-world example, a long time ago in a galaxy not
so far away, a Public-Key generator had this code:

	char c = get_random_byte();
	for (i = 0; i < key_length; i++)
		key_buf[i] = c;
	key_pair = generate_key_from_key_buf(key_buf);

What you are suggesting is almost (but not quite) as disastrous as
this completely broken pseudo-code.

I hope this helps explain it.

> -Sami

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

Follow-Ups:

Re: On shared keys

From: Sami Vaarala <sami.vaarala@netseal.com>

References:

Re: On shared keys

From: Sami Vaarala <sami.vaarala@netseal.com>

Prev by Date: RE: CBC makes Implementations too Slow.
Next by Date: Re: CBC makes Implementations too Slow.
Prev by thread: Re: On shared keys
Next by thread: Re: On shared keys
Index(es):
- Main
- Thread