Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt

Bodo Moeller <> Fri, 21 July 2006 15:43 UTC

Date: Fri, 21 Jul 2006 17:29:05 +0200
From: Bodo Moeller <>
To: Eric Rescorla <>
Subject: Re: [TLS] I-D ACTION:draft-ietf-tls-psk-null-00.txt
Cc: Pasi Eronen <>,

On Fri, Jul 21, 2006 at 08:14:30AM -0700, Eric Rescorla wrote:
> Bodo Moeller <> writes:

>> With a low-entropy pre-shared key and without DH, there is plenty of
>> randomness in the calculations, but most of this is openly
>> transmitted.  Only the PSK is hidden, which is why plain PSK
>> ciphersuites allow for offline dictionary attacks.
>> Enter DH.  This allows us to have a lot more randomness in the
>> protocol that is not openly transmitted, thus providing protection
>> against passive dictionary attacks.
>> However, if the server can arrange the DH result ZZ to be a specific
>> value (such as 1 or p-1) by using small subgroups, that hidden
>> randomness in the DH exchange no longer affects the final key exchange
>> result.  Only the openly transmitted randomness and the PSK remain
>> effective, so the server can try different guesses for the PSK in an
>> offline dictionary attack after having received the client's
>> "Finished" from this handshake.  So there's the dictionary attack
>> again, almost as if DH wasn't even in the protocol.

> But in order for the server to do this, it needs to be part
> of the protocol, which means that it would have access
> to the hidden randomness anyway. The attack you describe
> is a single active attack + offline computation, just as
> in the ordinary DH case.

Oops, yes, you are right.  DHE_PSK can only provide protection against
dictionary attacks if no client ever uses the pre-shared key in a
connection to an adversarial server.  With an active attacker, all
bets are off anyway.

TLS mailing list
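As an added illustration (not part of the thread or of any TLS implementation), the Python below shows the RFC 4279 DHE_PSK premaster secret layout and the public-value check a client needs so that the DH result ZZ cannot be confined to a small subgroup in the way the quoted text describes; as Eric's reply points out, this check does not help against an adversarial server that simply completes the handshake honestly, so only a high-entropy PSK protects a client there. The group parameters are a constructed toy group, not a real TLS group.

```python
import struct

# Constructed toy group for illustration only: p = 2q + 1 and g generates the
# prime-order-q subgroup.  A real TLS client would use a 2048-bit or larger group.
P, Q, G = 23, 11, 2


def validate_dh_public(y: int, p: int, q: int) -> bool:
    """Reject the degenerate DH public values that pin ZZ to a tiny subgroup.

    y in {0, 1, p-1} forces ZZ into {0, 1, p-1} whatever our private exponent
    is; y**q != 1 (mod p) means y lies outside the prime-order subgroup, so
    ZZ could again be confined to a small set of values.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def dhe_psk_premaster(peer_public: int, own_private: int, psk: bytes,
                      p: int = P, q: int = Q) -> bytes:
    """Build the RFC 4279 DHE_PSK premaster secret:

        uint16 len(ZZ) || ZZ || uint16 len(PSK) || PSK

    where ZZ is the DH shared secret with leading zero bytes stripped, as for
    DHE in TLS (RFC 5246, section 8.1.2).  Raises ValueError if the peer's
    public value is degenerate or off the prime-order subgroup.
    """
    if not validate_dh_public(peer_public, p, q):
        raise ValueError("degenerate or off-subgroup DH public value")
    zz = pow(peer_public, own_private, p)
    zz_bytes = zz.to_bytes((zz.bit_length() + 7) // 8, "big")
    return (struct.pack(">H", len(zz_bytes)) + zz_bytes
            + struct.pack(">H", len(psk)) + psk)
```

With a degenerate peer value accepted, ZZ would be a constant known to the peer, and the premaster secret would vary only with the PSK, which is exactly the situation the quoted text warns about.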