Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

[Bodo Moeller <bmoeller@acm.org>]

On Fri, Jul 21, 2006 at 08:14:30AM -0700, Eric Rescorla wrote:
> Bodo Moeller <bmoeller@acm.org> writes:

>> With a low-entropy pre-shared key and without DH, there is plenty of
>> randomness in the calculations, but most of this is openly
>> transmitted.  Only the PSK is hidden, which is why plain PSK
>> ciphersuites allow for offline dictionary attacks.
>>
>> Enter DH.  This allows us to have a lot more randomness in the
>> protocol that is not openly transmitted, thus providing protection
>> against passive dictionary attacks.
>>
>> However, if the server can arrange the DH result ZZ to be a specific
>> value (such as 1 or p-1) by using small subgroups, that hidden
>> randomness in the DH exchange no longer affects the final key exchange
>> result.  Only the openly transmitted randomness and the PSK remain
>> effective, so the server can try different guesses for the PSK in an
>> offline dictionary attack after having received the client's
>> "Finished" from this handshake.  So there's the dictionary attack
>> again, almost as if DH wasn't even in the protocol.

> But in order for the server to do this, it needs to be part
> of the protocol, which means that it would have access
> to the hidden randomness anyway. The attack you describe
> is a single active attack + offline computation, just as
> in the ordinary DH case.

Oops, yes, you are right.  DHE_PSK can only provide protection against
dictionary attacks if no client ever uses the pre-shared key in a
connection to an adversarial server.  With an active attacker, all
bets are off anyway.



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls