
RE: pre-shared key v RSA encryption or RSA signature authentication modes
Shared keys and shared passwords are two entirely different
types of authenticators.  These kinds of arguments often go around
in circles because people blur this distinction.

Also, it adds to the confusion when people use ambiguous language
for authenticator and the method for authentication. For example,
I've heard "pre-shared key" used in the following contexts:

        a shared key
        a shared password
        the IPsec pre-shared key mode
        the IPsec pre-shared key mode abused with a password-based key

Shared passwords can work fine as authenticators in some methods,
but they fail miserably when used as keys in the IKE pre-shared key mode.

-- David

At 07:20 PM 3/27/02 -0500, Stephen Kent wrote:
>At 3:22 PM -0500 3/25/02, Andrew Krywaniuk wrote:
>>> I'm glad you mentioned what I consider to be a significant downside
>>> of pre-shared secrets, although we come to very different
>>> conclusions.  It is not too hard to imagine an attack in which the
>>> initiator connects to the wrong address, e.g., via some form of DNS
>>> attack, and the fake responder collects the initiator's secret, then
>>> drops the connection. This seems like such a serious concern that it
>>> argues very strongly against pre-shared secrets vs. public keys. Note
>>> that using public keys, e.g., in self-signed certs, does not suffer
>>> from this problem.
>>
>>Steve,
>>
>>I don't understand your comment. Obviously, I'm only talking about IKE
>>pre-shared secrets, in which the bogus responder only collects an HMAC of
>>the shared secret and some session data. Now, which is harder: cracking an
>>RSA key or reversing an HMAC? Again, it depends on the key lengths involved,
>>but HMAC provides more security per bit. Your attack wouldn't work unless
>>the initiator was using a weak secret that could be cracked by brute force.
>
>Andrew,
>
>I assume that the shared secret does not have nearly as much entropy as an RSA key, which many folks agree is likely in the vast majority of instances. Thus the attack consists of testing guesses against the collected HMAC, since the rest of the HMAC inputs are known to the responder. This allows the attacker to carry out an offline guessing attack, which is less likely to arouse suspicion than online connection attempts with guessed shared secret values.
>
>Steve
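An added example (not part of this thread) illustrating the point Steve and David make: in IKEv1 pre-shared key mode SKEYID = prf(pre-shared-key, Ni_b | Nr_b), so a bogus responder who has seen the nonces can check any candidate key offline with a single HMAC, and only a key drawn uniformly from a CSPRNG (a shared key, not a shared password) makes that check infeasible. The nonce values are constructed sample data; the function names are mine.

```python
"""Why a password used as an IKE pre-shared key is weak: the authenticator is
an HMAC whose only secret input is the PSK; every other input is on the wire."""
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Constructed sample nonces standing in for the Ni_b and Nr_b seen on the wire.
NI_B = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
NR_B = bytes.fromhex("00112233445566778899aabbccddeeff")


def skeyid(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 pre-shared key mode: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    HMAC-SHA1 is used as the prf here, as in the IKEv1 SHA transform."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def is_verifier_for(candidate: bytes, observed: bytes, ni_b: bytes, nr_b: bytes) -> bool:
    """The captured value acts as a verifier: anyone holding the public session
    data can test a candidate PSK offline, and nothing in the protocol rate-limits it."""
    return hmac.compare_digest(skeyid(candidate, ni_b, nr_b), observed)


def guess_space_bits(psk: bytes, dictionary_size: Optional[int] = None) -> float:
    """Work factor an offline guesser faces, as log2 of the candidate space.
    A password chosen from a list costs log2(list size) HMACs; a uniformly random
    key costs 2^(8 * length), which is what makes a shared *key* safe here."""
    if dictionary_size is not None:
        return math.log2(dictionary_size)
    return 8.0 * len(psk)


def generate_psk(nbytes: int = 32) -> bytes:
    """A proper shared key: uniformly random bytes from a CSPRNG, never a password."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    weak = b"hunter2"                       # password-shaped secret, constructed
    strong = generate_psk()
    print("password-list PSK, 2^20-word list:", guess_space_bits(weak, 1 << 20), "bits")
    print("random 32-byte PSK:", guess_space_bits(strong), "bits")
```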