[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: pre-shared key v RSA encryption or RSA signature authentication modes

To: <cdemar@ebsdr.com>
Subject: RE: pre-shared key v RSA encryption or RSA signature authentication modes
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
Date: Sun, 24 Mar 2002 12:00:57 -0500
Cc: <ipsec@lists.tislabs.com>
Importance: Normal
In-reply-to: <TFSGHZMB@ebsdr.com>
Reply-To: <andrew.krywaniuk@alcatel.com>
Sender: owner-ipsec@lists.tislabs.com

Ask a politically incorrect question like that on a list like this and you
are bound to get a lot of FUD-type replies. Of course PK crypto has the
advantage of scalability, but that's not the question you asked. Some people
replied already, but here's a more presise response.

The fact is, you can get any arbitrary strength you want with either asymm
or symm algorithms by increasing the keylength. If you want a basis for
comparing their strengths, you could compare the speed of the algorithms for
equivalent crypto strength (which is not as silly as it seems, since you are
always trading off crypto strength for speed). In that case, you could say
that pre-shared secrets are stronger than public keys. (I don't know of any
fundamental difference between the strength of PK encryption and PK
signatures for authentication. )

Also, pre-shared secrets have an additional advantage for authentication,
which is that you cannot mount a pure offline attack against them. In order
to get some data for a brute force attack, you must first impersonate the
responder in an active attack against the initiator. With public keys, you
can conduct a purely offline attack. Of course, the strength of the
authentication will still be limited by the amount of entropy in the secret.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of cdemar@ebsdr.com
> Sent: Thursday, March 21, 2002 12:19 PM
> To: uri@lucent.com
> Cc: ipsec@lists.tislabs.com
> Subject: RE: pre-shared key v RSA encryption or RSA signature
> authentication modes
>
>
> All,
>
> Thanks for the answers ... Uri is actually right that I'm
> searching for a
> comparison between RSa-enc and pre-shared key in the scope of IKE
> authentication. I'm not trying to compare asymm v symm algorithms.
> The fact is that IKE-phase1 exchanges compile different
> material whether we
> are doing pre-shared-key or RSA-enc. The first exchanges of
> IKE main mode are
> also different whether we use preshared-key or RSA-enc. This
> generated
> material (SKEY_ID), SKEYID_d, SKEYID_e,SKEYID_a are different
> and used
> differently whether we use RSA-enc or preshared-key. The
> question is: Is the
> authentication in IKE MainMode stronger when using RSA-enc
> than when using
> preshared-key ???
> And I don't this has anything to do with the strength of
> RSA-enc v symmetric
> algo  ...
> Any pointers are welcome,
> Many thanks,
>
> Claudine
>
>  -----Original Message-----
> From: 	uri@lucent.com [mailto:uri@lucent.com]
> Sent:	Thursday, March 21, 2002 5:09 PM
> To:	warlord@mit.edu
> Cc:	alaadas@kaau.edu.sa; Demar, Claudine; ipsec@lists.tislabs.com
> Subject:	Re: pre-shared key v RSA encryption or RSA
> signature authentication
>  modes
>
> Derek Atkins wrote:
> > The fact that most users wont have a shared secret
> > with 256 bits of entropy? A good point. However:
>
> > I suspect that most shared secrets are probably in the 64-80
> > bits of entropy at the highest, and probably much lower than
> > that.
>
> A good point, certainly. But I don't see all that much in
> common between, say, Unix passwords and IPsec pre-shared
> keys.
>
> IPsec implementations I'm aware of, don't take an ASCII
> password, but require a reasonably long key.
>
> Plus, a few years ago I saw a strength comparison table,
> that listed relative strength of PK and symmetric key length.
> Can you help me finding that one? It compares symmetric,
> RSA, EC, and [if memory serves me] DSA-El-Gamal.
>  For example, my shared secrets are 128-bit long. Granted,
> not 256 bits, but still stronger than a typical RSA sig
> of 1024 bits (assording to that table as I remember)...
>
> > Based on the lack of entropy in shared secrets, I believe RSA sigs
> > to be much stronger due to the better entropy in the key.
>
> Again, this sounds misleading. It's not "shared secrets" that lack
> entropy. It's a certain type of shared secrets - derived from
> [more or less
> short] passwords, that lacks entropy. Not enough
> justification to "condemn"
> the whole symmetric
> key approach, especially since the original question
> was about IPsec authentication (as I read it).
> --
> Regards,
> Uri
> -=-=-=<>=-=-
> <Disclaimer>
>
>

Follow-Ups:
- RE: pre-shared key v RSA encryption or RSA signatureauthentication modes
  - From: Stephen Kent <kent@bbn.com>

References:
- RE: pre-shared key v RSA encryption or RSA signature authentication modes
  - From: cdemar@ebsdr.com

Prev by Date: SKEYSEED in IKEv2
Next by Date: RE: Policy requirements in Son-Of-IKE
Prev by thread: Re: pre-shared key v RSA encryption or RSA signature authentication modes
Next by thread: RE: pre-shared key v RSA encryption or RSA signatureauthentication modes
Index(es):
- Date
- Thread