Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Bodo Moeller <bmoeller@acm.org> Fri, 21 July 2006 15:43 UTC
Date: Fri, 21 Jul 2006 17:29:05 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Eric Rescorla <ekr@networkresonance.com>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Cc: Pasi Eronen <pasi.eronen@nokia.com>, tls@ietf.org
On Fri, Jul 21, 2006 at 08:14:30AM -0700, Eric Rescorla wrote:
> Bodo Moeller <bmoeller@acm.org> writes:

>> With a low-entropy pre-shared key and without DH, there is plenty of
>> randomness in the calculations, but most of this is openly
>> transmitted. Only the PSK is hidden, which is why plain PSK
>> ciphersuites allow for offline dictionary attacks.
>>
>> Enter DH. This allows us to have a lot more randomness in the
>> protocol that is not openly transmitted, thus providing protection
>> against passive dictionary attacks.
>>
>> However, if the server can arrange the DH result ZZ to be a specific
>> value (such as 1 or p-1) by using small subgroups, that hidden
>> randomness in the DH exchange no longer affects the final key exchange
>> result. Only the openly transmitted randomness and the PSK remain
>> effective, so the server can try different guesses for the PSK in an
>> offline dictionary attack after having received the client's
>> "Finished" from this handshake. So there's the dictionary attack
>> again, almost as if DH wasn't even in the protocol.

> But in order for the server to do this, it needs to be part
> of the protocol, which means that it would have access
> to the hidden randomness anyway. The attack you describe
> is a single active attack + offline computation, just as
> in the ordinary DH case.

Oops, yes, you are right. DHE_PSK can only provide protection against
dictionary attacks if no client ever uses the pre-shared key in a
connection to an adversarial server. With an active attacker, all bets
are off anyway.
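The collapse of the DH contribution that the quoted message describes, worked through as an added example (not code from the thread or from any TLS implementation): it builds the DHE_PSK premaster secret in the RFC 4279 layout and counts how many distinct premasters a client can reach for a given server value Ys. The group (p = 23, g = 5), the server exponent and the PSK are constructed toy values.

```python
import struct

# Constructed toy Diffie-Hellman group for illustration only (p = 23 is a safe
# prime, g = 5 generates the whole group); real TLS uses 2048-bit groups.
P, G = 23, 5


def dh_shared(peer_pub: int, own_priv: int) -> int:
    """ZZ = peer_pub ^ own_priv mod p."""
    return pow(peer_pub, own_priv, P)


def dhe_psk_premaster(zz: int, psk: bytes) -> bytes:
    """Premaster layout from RFC 4279 section 3:
    uint16 len(Z) || Z || uint16 len(PSK) || PSK, with Z big-endian."""
    z = zz.to_bytes(max(1, (zz.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(z)) + z + struct.pack("!H", len(psk)) + psk


def distinct_premasters(server_pub: int, psk: bytes) -> int:
    """How many different premaster secrets a client can end up with, over all
    of its possible private exponents, for a given server public value.
    A count of 1 means the client's hidden randomness no longer matters."""
    return len({dhe_psk_premaster(dh_shared(server_pub, x), psk)
                for x in range(1, P - 1)})


def server_pub_is_degenerate(server_pub: int) -> bool:
    """Client-side sanity check: the values 1 and p-1 named in the thread
    (and anything outside [2, p-2]) pin ZZ to a one- or two-element set."""
    return not (2 <= server_pub <= P - 2)


if __name__ == "__main__":
    psk = b"weak-psk"          # constructed low-entropy PSK
    honest = pow(G, 7, P)      # constructed server exponent 7 -> Ys = 17
    for label, ys in (("honest", honest), ("Ys=1", 1), ("Ys=p-1", P - 1)):
        print(label, distinct_premasters(ys, psk), server_pub_is_degenerate(ys))
```

As the reply in the thread points out, rejecting degenerate Ys only removes the small-subgroup shortcut; a server that knows its own exponent knows ZZ regardless, so a low-entropy PSK stays exposed to any server the client is willing to talk to.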