Re: [IPsec] [Cfrg] Beginning discussion on secure password-only authentication for IKEv2

["Steven M. Bellovin" <smb@cs.columbia.edu>]

On Tue, 2 Mar 2010 16:48:07 -0800 (PST)
"Dan Harkins" <dharkins@lounge.org> wrote:

> 
>   Hi David,
> 
> 
> On Tue, March 2, 2010 3:49 pm, Black_David@emc.com wrote:
> [snip]
> >
> > OTOH, I think you've oversimplified here ...
> >
> >>   The candidate exchanges all rely on the "hard problem" of doing a
> >> discrete logarithm in one of the defined groups. It's the same
> >> "hard problem" that makes the Diffie-Hellman portion of IKE
> >> secure. If the group negotiated or demanded in IKE allows for an
> >> "easier attack" then it shouldn't be used in the IKE exchange to
> >> do the Diffie-Hellman.
> >
> > If I follow your logic, I think you're arguing that because the
> > existing groups allow easier attacks on password authentication
> > (e.g., based on checks on what a guessed password decrypts to) then
> > they allow easier attacks on IKE with existing authentication,
> > *hence* those groups are unacceptable to use with IKE.  I think the
> > *hence* is off the mark due to the much larger candidate search
> > space when other techniques (e.g., certificate-based) are used to
> > authenticate.
> 
>   That wasn't what I was arguing. I think all the candidate exchanges
> are based on the computational Diffie-Hellman assumption. And the
> work factor to attack them on that front should be the same as the
> work factor to attack a standard Diffie-Hellman key exchange. Or am
> I missing something?
> 
>   I don't think any of the currently-defined groups are unacceptable
> to use with IKE. But hypothetically, if there was some group defined
> that allowed an easy attack (the order was unacceptably small, for
> instance) then it would be unsuitable for IKE just like it would be
> unsuitable for any of the candidate password authentication schemes.
> 
>   For these password authentication schemes to be secure, the only
> method of attack is repeated active guessing attacks of the password
> (the advantage an attacker gains is through interaction, not
> computation). An "easier attack" is an off-line dictionary attack to
> learn the password (the advantage gained is through computation) and
> using any of the groups in IKE(v2)'s IANA registry with EKE would
> enable a dictionary attack. But the attacker doesn't learn the
> ephemeral secret that results from EKE, the CDH assumption still
> applies. The issue isn't with the group, per se, it's with the
> (mis)use of the group.
> 
Right.  In the original EKE paper, we called this a "partition
attack".  There are others possible; it's important to take care to
avoid them.  For example, suppose that we wanted a ~2048-bit -- 256 byte
-- modulus.  Choosing a modulus of 2040 bits, though about the same
difficulty when it comes to solving discrete log, is unacceptable for
EKE, because in a correct guess the high-order byte would be all zeros;
an incorrect guess would, with probability 255/256, let you rule out a
candidate password.  A good EKE modulus would be close enough to 2^2048
to have a negligible probability of a decryption with a bad guess being
in the range [p, 2^2048-1].  In other words, good moduli for EKE have
specialized properties.