Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

Bodo Moeller <bmoeller@acm.org> Fri, 21 July 2006 15:43 UTC

Date: Fri, 21 Jul 2006 17:29:05 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Message-ID: <20060721152905.GA18386@iota.site>
References: <20060721093938.GA21125@iota.site> <000101c6acbb$ab8d64f0$d62915ac@NOE.Nokia.com> <20060721121537.GA30405@iota.site> <86u05b10us.fsf@raman.networkresonance.com> <20060721150054.GA15450@iota.site> <86psfz0z3d.fsf@raman.networkresonance.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86psfz0z3d.fsf@raman.networkresonance.com>
User-Agent: Mutt/1.5.9i
Cc: Pasi Eronen <pasi.eronen@nokia.com>, tls@ietf.org

On Fri, Jul 21, 2006 at 08:14:30AM -0700, Eric Rescorla wrote:
> Bodo Moeller <bmoeller@acm.org> writes:

>> With a low-entropy pre-shared key and without DH, there is plenty of
>> randomness in the calculations, but most of this is openly
>> transmitted.  Only the PSK is hidden, which is why plain PSK
>> ciphersuites allow for offline dictionary attacks.
>>
>> Enter DH.  This allows us to have a lot more randomness in the
>> protocol that is not openly transmitted, thus providing protection
>> against passive dictionary attacks.
>>
>> However, if the server can arrange the DH result ZZ to be a specific
>> value (such as 1 or p-1) by using small subgroups, that hidden
>> randomness in the DH exchange no longer affects the final key exchange
>> result.  Only the openly transmitted randomness and the PSK remain
>> effective, so the server can try different guesses for the PSK in an
>> offline dictionary attack after having received the client's
>> "Finished" from this handshake.  So there's the dictionary attack
>> again, almost as if DH wasn't even in the protocol.

> But in order for the server to do this, it needs to be part
> of the protocol, which means that it would have access
> to the hidden randomness anyway. The attack you describe
> is a single active attack + offline computation, just as
> in the ordinary DH case.

Oops, yes, you are right.  DHE_PSK can only provide protection against
dictionary attacks if no client ever uses the pre-shared key in a
connection to an adversarial server.  With an active attacker, all
bets are off anyway.



_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
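As an added worked illustration of the point quoted in this message (constructed example code, not part of the thread, the draft, or any TLS implementation), the toy Python model below builds the DHE_PSK premaster secret in the RFC 4279 layout over a deliberately tiny safe-prime group (p = 23, q = 11, g = 4, all chosen here so the arithmetic can be followed by hand) and shows two things: first, that if the client accepts a degenerate server value such as 1 or p-1 without validation, the private exponent it chose no longer influences the premaster secret, so only the PSK and the public transcript remain; second, that the usual public-value validation (reject 0, 1 and p-1, and check y^q = 1 mod p) rejects exactly those values and every other element outside the order-q subgroup. The function names, the PSK string and the group parameters are all assumptions made for this example.

```python
"""Toy DHE_PSK model: premaster secret layout plus DH public-value validation.
Constructed illustration for the small-subgroup discussion above; not from the
draft or any TLS library.  Parameters are tiny on purpose (p = 23)."""

import os
from typing import Optional

# Constructed toy safe-prime group: p = 2q + 1, g generates the order-q subgroup.
P = 23
Q = 11
G = 4  # 4 = 2^2 is a quadratic residue, so it lies in the order-q subgroup


def dh_public(priv: int) -> int:
    """g^priv mod p."""
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> int:
    """ZZ = peer_pub^priv mod p."""
    return pow(peer_pub, priv, P)


def validate_dh_public(y: int, p: int = P, q: int = Q) -> bool:
    """Reject degenerate peer values.

    0, 1 and p-1 are refused outright (they force ZZ to 0, 1 or +/-1 regardless of
    the private exponent); the check y^q == 1 (mod p) then rejects every element
    outside the order-q subgroup of a safe-prime group."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def premaster_secret(zz: int, psk: bytes) -> bytes:
    """RFC 4279 layout: uint16 len(other_secret) || other_secret ||
    uint16 len(psk) || psk, with other_secret = ZZ for DHE_PSK.
    ZZ is encoded big-endian with leading zero octets stripped, as for DHE."""
    other = zz.to_bytes((zz.bit_length() + 7) // 8, "big") or b"\x00"
    return (len(other).to_bytes(2, "big") + other
            + len(psk).to_bytes(2, "big") + psk)


def handshake_premaster(peer_pub: int, psk: bytes, priv: int,
                        validate: bool = True) -> Optional[bytes]:
    """Client side: derive ZZ from the server's value and the client's private
    exponent, then build the premaster secret.  Returns None when validation
    rejects the server's value."""
    if validate and not validate_dh_public(peer_pub):
        return None
    return premaster_secret(dh_shared(peer_pub, priv), psk)


def random_private() -> int:
    """Private exponent in [1, q-1] (toy-sized; real groups use large q)."""
    return 1 + int.from_bytes(os.urandom(2), "big") % (Q - 1)


if __name__ == "__main__":
    psk = b"constructed-psk"  # constructed sample value

    # Degenerate server value accepted without validation: the client's hidden
    # randomness drops out and the premaster depends on the PSK alone.
    pm1 = handshake_premaster(1, psk, priv=3, validate=False)
    pm2 = handshake_premaster(1, psk, priv=7, validate=False)
    print("forced ZZ=1, two different private exponents, same premaster:", pm1 == pm2)

    # With validation the degenerate values are refused before ZZ is computed.
    for bad in (0, 1, P - 1, 5):  # 5 is a non-residue mod 23: order 2q, outside subgroup
        print(f"server value {bad:2d} accepted:", validate_dh_public(bad))

    # An honest server value keeps the client's private exponent in play.
    server_pub = dh_public(random_private())
    print("honest value accepted:", validate_dh_public(server_pub))
    print("premasters differ across private exponents:",
          handshake_premaster(server_pub, psk, 3) != handshake_premaster(server_pub, psk, 7))
```

Validation closes the degenerate-ZZ shortcut on the wire, but, as the reply above concludes, it does not change the verdict for an adversary who is the server in the handshake and holds (or is testing guesses for) the PSK: that party sees everything it needs regardless, so DHE_PSK's protection against dictionary attacks is against passive observers only.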