[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: pre-shared key v RSA encryption or RSA signature authentication modes



> I'm glad you mentioned what I consider to be a significant downside
> of pre-shared secrets, although we come to very different
> conclusions.  It is not too hard to imagine an attack in which the
> initiator connects to the wrong address, e.g., via some form of DNS
> attack, and the fake responder collects the initiator's secret, then
> drops the connection. This seems like such a serious concern that it
> argues very strongly against pre-shared secrets vs. public keys. Note
> that using public keys. e.g., in self-signed certs, does not suffer
> from this problem.

Steve,

I don't understand your comment. Obviously, I'm only talking about IKE
pre-shared secrets, in which the bogus responder only collects an HMAC of
the shared secret and some session data. Now, which is harder: cracking an
RSA key or reversing an HMAC? Again, it depends on the key lengths involved,
but HMAC provides more security per bit. Your attack wouldn't work unless
the initiator was using a weak secret that could be cracked by brute force.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Stephen Kent
> Sent: Monday, March 25, 2002 11:08 AM
> To: andrew.krywaniuk@alcatel.com
> Cc: ipsec@lists.tislabs.com
> Subject: RE: pre-shared key v RSA encryption or RSA signature
> authentication modes
>
>
> At 12:00 PM -0500 3/24/02, Andrew Krywaniuk wrote:
> >Ask a politically incorrect question like that on a list
> like this and you
> >are bound to get a lot of FUD-type replies. Of course PK
> crypto has the
> >advantage of scalability, but that's not the question you
> asked. Some people
> >replied already, but here's a more presise response.
> >
> >The fact is, you can get any arbitrary strength you want
> with either asymm
> >or symm algorithms by increasing the keylength. If you want
> a basis for
> >comparing their strengths, you could compare the speed of
> the algorithms for
> >equivalent crypto strength (which is not as silly as it
> seems, since you are
> >always trading off crypto strength for speed). In that case,
> you could say
> >that pre-shared secrets are stronger than public keys. (I
> don't know of any
> >fundamental difference between the strength of PK encryption and PK
> >signatures for authentication. )
> >
> >Also, pre-shared secrets have an additional advantage for
> authentication,
> >which is that you cannot mount a pure offline attack against
> them. In order
> >to get some data for a brute force attack, you must first
> impersonate the
> >responder in an active attack against the initiator. With
> public keys, you
> >can conduct a purely offline attack. Of course, the strength of the
> >authentication will still be limited by the amount of
> entropy in the secret.
> >
> >Andrew
>