Re: pre-shared key v RSA encryption or RSA signature authentication modes
Derek Atkins wrote:
> The fact that most users won't have a shared secret
> with 256 bits of entropy?
A good point. However:
> I suspect that most shared secrets are probably in the 64-80
> bits of entropy at the highest, and probably much lower than
> that.
A good point, certainly. But I don't see all that much in
common between, say, Unix passwords and IPsec pre-shared
keys.
IPsec implementations I'm aware of don't take an ASCII
password, but require a reasonably long key.
Plus, a few years ago I saw a strength comparison table,
that listed relative strength of PK and symmetric key length.
Can you help me find that one? It compares symmetric,
RSA, EC, and [if memory serves me] DSA-El-Gamal.
For example, my shared secrets are 128 bits long. Granted,
not 256 bits, but still stronger than a typical RSA sig
of 1024 bits (according to that table as I remember)...
> Based on the lack of entropy in shared secrets, I believe RSA sigs
> to be much stronger due to the better entropy in the key.
Again, this sounds misleading. It's not "shared secrets" that lack
entropy. It's a certain type of shared secret - derived from
[more or less short] passwords - that lacks entropy. Not
enough justification to "condemn" the whole symmetric
key approach, especially since the original question
was about IPsec authentication (as I read it).
--
Regards,
Uri
-=-=-=<>=-=-
<Disclaimer>