
RE: pre-shared key v RSA encryption or RSA signature authentication modes



At 3:22 PM -0500 3/25/02, Andrew Krywaniuk wrote:
>>  I'm glad you mentioned what I consider to be a significant downside
>>  of pre-shared secrets, although we come to very different
>>  conclusions.  It is not too hard to imagine an attack in which the
>>  initiator connects to the wrong address, e.g., via some form of DNS
>>  attack, and the fake responder collects the initiator's secret, then
>>  drops the connection. This seems like such a serious concern that it
>>  argues very strongly against pre-shared secrets vs. public keys. Note
>>  that using public keys, e.g., in self-signed certs, does not suffer
>>  from this problem.
>
>Steve,
>
>I don't understand your comment. Obviously, I'm only talking about IKE
>pre-shared secrets, in which the bogus responder only collects an HMAC of
>the shared secret and some session data. Now, which is harder: cracking an
>RSA key or reversing an HMAC? Again, it depends on the key lengths involved,
>but HMAC provides more security per bit. Your attack wouldn't work unless
>the initiator was using a weak secret that could be cracked by brute force.

Andrew,

I assume that the shared secret does not have nearly as much entropy 
as an RSA key, which many folks agree is likely in the vast majority 
of instances. Thus the attack consists of testing guesses against the 
collected HMAC, since the rest of the HMAC inputs are known to the 
responder. This allows the attacker to carry out an offline guessing 
attack, which is less likely to arouse suspicion than online 
connection attempts with guessed shared secret values.

Steve
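
The point at issue in this exchange, as an added example that is not part of either message: once the HMAC and the other inputs are known, every guess is tested locally, so whether a pre-shared secret holds depends only on whether it lies inside the guess space. The single HMAC-SHA1 over session data is a simplified model of the IKE computation, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def auth_hash(shared_secret: bytes, session_data: bytes) -> bytes:
    """Simplified model (assumption): HMAC keyed with the pre-shared secret."""
    return hmac.new(shared_secret, session_data, hashlib.sha1).digest()


def falls_to_offline_guessing(captured: bytes, session_data: bytes, candidates) -> bool:
    """True if some candidate reproduces the captured HMAC.

    Each test is one local HMAC computation. Nothing is sent to the
    initiator or the real responder, so no failed-login event exists to alert on.
    """
    return any(
        hmac.compare_digest(auth_hash(c, session_data), captured)
        for c in candidates
    )


def audit_secret(shared_secret: bytes, candidates) -> bool:
    """Audit a secret before deployment: would it fall to this guess list?"""
    # Constructed session data: two nonces and an identity, all of which
    # the responder knows because it took part in the exchange.
    session_data = secrets.token_bytes(16) + secrets.token_bytes(16) + b"initiator-id"
    captured = auth_hash(shared_secret, session_data)
    return falls_to_offline_guessing(captured, session_data, candidates)


# Constructed guess list standing in for a dictionary of human-chosen secrets.
CONSTRUCTED_GUESSES = [b"vpn", b"secret", b"letmein", b"office-vpn-2002"]

WEAK_SECRET = b"office-vpn-2002"         # human-chosen, low entropy
STRONG_SECRET = secrets.token_bytes(32)  # 256 random bits, outside any dictionary

if __name__ == "__main__":
    print("weak secret falls:  ", audit_secret(WEAK_SECRET, CONSTRUCTED_GUESSES))
    print("strong secret falls:", audit_secret(STRONG_SECRET, CONSTRUCTED_GUESSES))
```

The practical mitigation the result points to is generating pre-shared secrets from a random source rather than letting people choose them.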