
Re: pre-shared key v RSA encryption or RSA signature authentication modes



Derek Atkins wrote:
> The fact that most users won't have a shared secret
> with 256 bits of entropy? 

A good point. However:

> I suspect that most shared secrets are probably in the 64-80
> bits of entropy at the highest, and probably much lower than
> that.

A good point, certainly. But I don't see all that much in
common between, say, Unix passwords and IPsec pre-shared
keys.

IPsec implementations I'm aware of don't take an ASCII
password, but require a reasonably long key.

Plus, a few years ago I saw a strength comparison table,
that listed relative strength of PK and symmetric key length.
Can you help me find that one? It compares symmetric,
RSA, EC, and [if memory serves me] DSA-El-Gamal.
 
For example, my shared secrets are 128 bits long. Granted,
not 256 bits, but still stronger than a typical RSA sig
of 1024 bits (according to that table as I remember)...

> Based on the lack of entropy in shared secrets, I believe RSA sigs
> to be much stronger due to the better entropy in the key.

Again, this sounds misleading. It's not "shared secrets" that lack
entropy. It's a certain type of shared secrets - derived from 
[more or less short] passwords, that lacks entropy. Not 
enough justification to "condemn" the whole symmetric
key approach, especially since the original question
was about IPsec authentication (as I read it).
--
Regards,
Uri
-=-=-=<>=-=-
<Disclaimer>