Re: On shared keys
Derek,

> Derek Atkins:
>
> First, the term is "cryptographer"....  Second, please be explicit
> when you use the term PSK (Pre-Shared Key), are you talking about a
> Pre-Shared Secret Key or a Pre-Shared Public Key?  Please be explicit,
> as many of us are arguing that Pre-Shared Public Keys are sufficient.

Yes, I'm talking about pre-shared secret keys (a passphrase).
Pre-shared RSA keys are sufficient, I agree.  Still, some people
feel that pre-shared secrets are needed.

> This implies that there is a lot of redundant, non-random information
> in the public key which can make breaking the key much easier.
> Considering the key-generation mechanism must be well-known, it means
> that you have an easier time determining which bits are the random
> ones, which ones are not, and how they relate to each other.

Okay, so what you are saying is that the RSA keypair is easier
to break than the corresponding shared secret?  I.e. if the shared
secret is 50 bits, the keypair is easier to break than 2^50
trials on the shared secret?  (I am not suggesting that a 1024-bit
RSA keypair generated from a 50-bit secret is as strong as a
real 1024-bit RSA keypair -- of course not.  But is it worse
than a 50-bit shared secret?)

Remember that the attacker would only see the RSA signature of
the authenticator hash, and would *not* have access to the RSA
public key (since it is generated locally at each end).

> What you are suggesting is almost (but not quite) as disastrous as
> this completely broken pseudo-code.
> 
> I hope this helps explain it.

I guess it's down to the details, and I'll have to look into it
in more detail.

-Sami
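An added toy model of the question being argued above (not code from this thread or from any product): a deterministic RSA keypair derived from a small secret, and an attacker who sees only the authenticator hash and its signature, never the public key, and simply re-runs the public keygen on every candidate secret. The PRF, the 8-bit secret and the four-digit primes are constructed for illustration; the point is that the cost is bounded by the secret space, not the key size.

```python
import hashlib
from math import gcd

SEED_BITS = 8            # toy "shared secret" size; the thread discusses ~50 bits
PUBLIC_EXPONENT = 65537

def _prf(secret: bytes, counter: int) -> int:
    """Constructed deterministic PRF: the same secret always yields the same stream."""
    blob = hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(blob, "big")

def _is_prime(n: int) -> bool:
    return n >= 2 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n

def derive_keypair(secret: bytes):
    """Toy RSA keygen driven entirely by the secret (small primes, demo only)."""
    p = _next_prime(1000 + _prf(secret, 0) % 9000)
    q = _next_prime(1000 + _prf(secret, 1) % 9000)
    while q == p:
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(PUBLIC_EXPONENT, phi) == 1   # always holds: e is prime and larger than p, q
    d = pow(PUBLIC_EXPONENT, -1, phi)
    return (n, PUBLIC_EXPONENT), (n, d)

def sign(priv, h: int) -> int:
    n, d = priv
    return pow(h % n, d, n)

def verify(pub, h: int, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h % n

def recover_secret(h: int, sig: int):
    """Model the observer in the thread: only the hash and its signature are seen,
    never the public key. Each candidate secret is pushed through the same (well-known)
    keygen and checked against the signature, so at most 2**SEED_BITS keygens are needed."""
    for candidate in range(2 ** SEED_BITS):
        pub, _ = derive_keypair(bytes([candidate]))
        if verify(pub, h, sig):
            return candidate
    return None
```

Scaling the secret to 50 bits raises the bound to 2^50 keygens, each far costlier than a single symmetric trial but still no better than the secret's own entropy.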
