Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

Eric Rescorla <ekr@networkresonance.com> Fri, 21 July 2006 15:17 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G3wkm-0001Qq-TM; Fri, 21 Jul 2006 11:17:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G3wkl-0001Qa-C2 for tls@ietf.org; Fri, 21 Jul 2006 11:17:23 -0400
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G3whz-0004w0-Ft for tls@ietf.org; Fri, 21 Jul 2006 11:14:32 -0400
Received: by raman.networkresonance.com (Postfix, from userid 1001) id D676B1E8C34; Fri, 21 Jul 2006 08:14:30 -0700 (PDT)
To: Bodo Moeller <bmoeller@acm.org>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
References: <20060721093938.GA21125@iota.site> <000101c6acbb$ab8d64f0$d62915ac@NOE.Nokia.com> <20060721121537.GA30405@iota.site> <86u05b10us.fsf@raman.networkresonance.com> <20060721150054.GA15450@iota.site>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Fri, 21 Jul 2006 08:14:30 -0700
In-Reply-To: <20060721150054.GA15450@iota.site> (Bodo Moeller's message of "Fri, 21 Jul 2006 17:00:54 +0200")
Message-ID: <86psfz0z3d.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d
Cc: Pasi Eronen <pasi.eronen@nokia.com>, tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Bodo Moeller <bmoeller@acm.org>; writes:
> On Fri, Jul 21, 2006 at 07:36:27AM -0700, Eric Rescorla wrote:
> With a low-entropy pre-shared key and without DH, there is plenty of
> randomness in the calculations, but most of this is openly
> transmitted.  Only the PSK is hidden, which is why plain PSK
> ciphersuites allow for offline dictionary attacks.
>
> Enter DH.  This allows us to have a lot more randomness in the
> protocol that is not openly transmitted, thus providing protection
> against passive dictionary attacks.
>
> However, if the server can arrange the DH result ZZ to be a specific
> value (such as 1 or p-1) by using small subgroups, that hidden
> randomness in the DH exchange no longer affects the final key exchange
> result.  Only the openly transmitted randomness and the PSK remain
> effective, so the server can try different guesses for the PSK in an
> offline dictionary attack after having received the client's
> "Finished" from this handshake.  So there's the dictionary attack
> again, almost as if DH wasn't even in the protocol.

But in order for the server to do this, it needs to be part
of the protocol, which means that it would have access
to the hidden randomness anyway. The attack you describe
is a single active attack + offline computation, just as
in the ordinary DH case.

-Ekr



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls