Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

Bodo Moeller <> Fri, 21 July 2006 15:00 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1G3wUt-0006H8-TD; Fri, 21 Jul 2006 11:00:59 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1G3wUt-0006H3-8s for; Fri, 21 Jul 2006 11:00:59 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1G3wUr-0003CP-Kq for; Fri, 21 Jul 2006 11:00:59 -0400
Received: from [] (helo=tau.invalid) by (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1G3wUp3zs8-0000sG; Fri, 21 Jul 2006 17:00:56 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 122D81895D; Fri, 21 Jul 2006 17:00:54 +0200 (CEST)
Date: Fri, 21 Jul 2006 17:00:54 +0200
From: Bodo Moeller <>
To: Eric Rescorla <>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Message-ID: <>
References: <> <000101c6acbb$ab8d64f0$> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.9i
X-Provags-ID: login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
Cc: Pasi Eronen <>,
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

On Fri, Jul 21, 2006 at 07:36:27AM -0700, Eric Rescorla wrote:
> Bodo Moeller <> writes:

>>   RFC 4346 mentions small-subgroup attacks, but only says that the
>>   need to be prevented when "the same DH keypair is to be used to
>>   prevent small subgroup attacks".  This makes sense for DH as used in
>>   the usual TLS ciphersuites, but the DHE ciphersuites from RFC 4279
>>   have stronger requirements if they are to be used as a dictionary
>>   attack countermeasure.  If the client does not check for small
>>   subgroups, then a single connection attempt to a rogue server can
>>   provide the server with the data needed for a dictionary attack,
>>   essentially like in plain PSK ciphersuites.  

> I just woke up so I may be kind of slow, but I'm not sure I 
> understand why small subgroups make this problem any worse.
> If the client connects to a rogue server, the server uses
> a DH pair of his choice and so gets the client to give
> him a value that's a function of ZZ (known) and the 
> PSK. Why is this any easier with a small subgroup?
> It's true that with a small subgroup the server can force
> ZZ to a specific value, but since the PSK calculation
> gets salted with the randoms, I'm not sure why that
> matters.

With a low-entropy pre-shared key and without DH, there is plenty of
randomness in the calculations, but most of this is openly
transmitted.  Only the PSK is hidden, which is why plain PSK
ciphersuites allow for offline dictionary attacks.

Enter DH.  This allows us to have a lot more randomness in the
protocol that is not openly transmitted, thus providing protection
against passive dictionary attacks.

However, if the server can arrange the DH result ZZ to be a specific
value (such as 1 or p-1) by using small subgroups, that hidden
randomness in the DH exchange no longer affects the final key exchange
result.  Only the openly transmitted randomness and the PSK remain
effective, so the server can try different guesses for the PSK in an
offline dictionary attack after having received the client's
"Finished" from this handshake.  So there's the dictionary attack
again, almost as if DH wasn't even in the protocol.

TLS mailing list