Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Eric Rescorla <ekr@networkresonance.com> Fri, 21 July 2006 15:17 UTC
To: Bodo Moeller <bmoeller@acm.org>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
References: <20060721093938.GA21125@iota.site> <000101c6acbb$ab8d64f0$d62915ac@NOE.Nokia.com> <20060721121537.GA30405@iota.site> <86u05b10us.fsf@raman.networkresonance.com> <20060721150054.GA15450@iota.site>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Fri, 21 Jul 2006 08:14:30 -0700
In-Reply-To: <20060721150054.GA15450@iota.site> (Bodo Moeller's message of "Fri, 21 Jul 2006 17:00:54 +0200")
Cc: Pasi Eronen <pasi.eronen@nokia.com>, tls@ietf.org

Bodo Moeller <bmoeller@acm.org> writes:

> On Fri, Jul 21, 2006 at 07:36:27AM -0700, Eric Rescorla wrote:
>
> With a low-entropy pre-shared key and without DH, there is plenty of
> randomness in the calculations, but most of this is openly
> transmitted. Only the PSK is hidden, which is why plain PSK
> ciphersuites allow for offline dictionary attacks.
>
> Enter DH. This allows us to have a lot more randomness in the
> protocol that is not openly transmitted, thus providing protection
> against passive dictionary attacks.
>
> However, if the server can arrange the DH result ZZ to be a specific
> value (such as 1 or p-1) by using small subgroups, that hidden
> randomness in the DH exchange no longer affects the final key exchange
> result. Only the openly transmitted randomness and the PSK remain
> effective, so the server can try different guesses for the PSK in an
> offline dictionary attack after having received the client's
> "Finished" from this handshake. So there's the dictionary attack
> again, almost as if DH wasn't even in the protocol.

But in order for the server to do this, it needs to be part of the
protocol, which means that it would have access to the hidden
randomness anyway. The attack you describe is a single active
attack + offline computation, just as in the ordinary DH case.

-Ekr
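
The confinement of ZZ to 1 or p-1 discussed in this message, and the public-value check a client can apply to refuse it, as an added example that is not part of the original thread. The toy safe-prime group (P = 1019, Q = 509, G = 4) is constructed for illustration and the function names are hypothetical; real groups are far larger.

```python
# Added example (not from the thread). Toy parameters, constructed for
# illustration: P = 2*Q + 1 is a safe prime, G = 4 has prime order Q.
P, Q, G = 1019, 509, 4


def reachable_zz(peer_public, p=P):
    """Every ZZ = peer_public^x mod p the client can end up with,
    over all private exponents x in [2, p-2]."""
    return {pow(peer_public, x, p) for x in range(2, p - 1)}


def validate_peer_public(y, p=P, q=Q):
    """Accept y only if it is a non-trivial element of the order-q subgroup.

    The range check rejects 0, 1 and p-1 (and anything >= p), the values
    that pin ZZ to 1 or p-1. The exponentiation check additionally
    rejects elements outside the subgroup generated by G; it is only
    valid when G is known to have order q, as assumed here.
    """
    if not isinstance(y, int) or not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def client_zz(server_public, client_secret, p=P, q=Q):
    """Compute ZZ, refusing to continue on a confining public value."""
    if not validate_peer_public(server_public, p, q):
        raise ValueError("rejected DH public value")
    return pow(server_public, client_secret, p)


if __name__ == "__main__":
    honest = pow(G, 123, P)  # constructed honest server value
    for label, y in [("honest", honest), ("1", 1), ("p-1", P - 1)]:
        print(label, "distinct ZZ:", len(reachable_zz(y)),
              "accepted:", validate_peer_public(y))
```

With an honest public value the client's exponent selects among Q distinct ZZ values; with 1 or p-1 it selects among at most two, so the DH contribution to the key exchange is effectively fixed unless the value is rejected first.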