Joseph Salowey (jsalowey) <mailto:[EMAIL PROTECTED]> scribbled on
Wednesday, April 02, 2008 9:31 AM:

> OK, but do you agree that EAP-GPSK should not be claiming
> resistance to dictionary attack if its security depends upon
> the selection of secret from a pool that is large enough?

Yes.

> 
> Joe
> 
>> -----Original Message-----
>> From: Glen Zorn [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, April 02, 2008 2:09 AM
>> To: Dan Harkins
>> Cc: Joseph Salowey (jsalowey); emu@ietf.org
>> Subject: RE: [Emu] comment on draft-ietf-emu-eap-gpsk
>> 
>> Joseph Salowey (jsalowey) <> scribbled on :
>> 
>>> Thanks Dan,  I agree with your assessment.  I think we should
>>> include text similar to what you propose in the document.
>>> 
>>> Joe
>>> 
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
>>>> Of Dan Harkins Sent: Tuesday, April 01, 2008 3:26 PM
>>>> To: emu@ietf.org
>>>> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
>>>> 
>>>> 
>>>>   Hello,
>>>> 
>>>>   Section 11.6 of draft-ietf-emu-eap-gpsk says:
>>>> 
>>>>       EAP-GPSK relies on a long-term shared secret (PSK) that MUST
>>>>       be based on at least 16 octets of entropy to guarantee
>>>>       security against dictionary attacks.
>>>> 
>>>> This is not a generally accepted view of resistance to dictionary
>>>> attack. For instance, the excellent paper by Bellare, Pointcheval,
>>>> and Rogaway, Authenticated Key Exchange Secure Against Dictionary
>>>> Attacks says: 
>>>> 
>>>>       One sees whether or not one has security against dictionary
>>>>       attacks by looking to see if maximal adversarial advantage
>>>>       grows primarily with the ratio of interaction to the size of
>>>>       the password space.
>> 
>> In other words, if the choice of dictionary elements significantly
>> increases the likelihood of success over that of randomly chosen
>> strings from the search space.
>> 
>>>> 
>>>>   Open Key Exchange-- How to Defeat Dictionary Attacks Without
>>>> Encrypting Public Keys, by Stefan Lucks, says that the probability
>>>> of success of the attacker is based on the size of the dictionary
>>>> and the number of times the attacker has been rejected
>>>> (after active attack), and "does not significantly exceed 1/(S-R)"
>>>> where S is the size of the dictionary and R is the number of
>>>> rejections. 
>> 
>> This says essentially the same thing, since 1/(S-R) is just the
>> probability of success of a brute force attack.
>> 
>>>> 
>>>>   Even RFC3748 says that for an EAP method to be resistant to
>>>> dictionary attacks that: 
>>>> 
>>>>       ...the method does not allow an offline attack that has a
>>>>       work factor based on the number of passwords in an
>>>>       attacker's dictionary.
>>>> 
>>>>   The idea here is that merely making the size of the pool from
>>>> which the secret is drawn (i.e. "the dictionary") large does not
>>>> make a protocol resistant to dictionary attack. What makes it
>>>> resistant to dictionary attacks is whether an attacker gets one
>>>> guess at the password per active attack-- interaction-- and not an
>>>> unlimited number after a single attack-- computation.
>> 
>> No.  What makes a protocol resistant to dictionary attack is that the
>> use of a dictionary (i.e., a subset of the search space chosen to
>> increase the probability of success) doesn't work any better than a
>> brute force attack without a dictionary.  That's why they are called
>> "dictionary attacks" & not "one guess attacks" or some such thing.
>> 
>>>> 
>>>>   This draft implies that since the secret has "16 octets of
>>>> entropy"-- 2^128 bits, which is quite a requirement!-- that it is
>>>> resistant to a dictionary attack. This is not correct.
>>>> 
>>>>   I really think this draft should be corrected to not imply it has
>>>> resistance to dictionary attack. I suggest something along the
>>>> lines of: 
>>>> 
>>>>       The success of a dictionary attack against EAP-GPSK depends
>>>>       on the strength of the long-term shared secret (PSK) it
>>>>       uses. The PSK used by EAP-GPSK MUST be drawn from a pool of
>>>>       secrets that is at least 2^128 bits large and whose
>>>>       distribution is uniformly random. Note that this does not
>>>>       imply resistance to dictionary attack, only that the
>>>>       probability of success in such an attack is acceptably
>>>>       remote.
>>>> 
>>>>   regards,
>>>> 
>>>>   Dan.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Emu mailing list
>>>> Emu@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/emu
>>>> 
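The two notions of dictionary-attack resistance argued over in this thread, as an added example that is not code from the draft or from any participant. It assumes a constructed PSK challenge-response (HMAC-SHA256 over two nonces, not EAP-GPSK's actual message format) and a constructed 5000-entry candidate pool; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction


def mac(psk: bytes, nonce_p: bytes, nonce_s: bytes) -> bytes:
    # Constructed stand-in for a PSK-keyed proof of possession.
    return hmac.new(psk, nonce_p + nonce_s, hashlib.sha256).digest()


def capture(psk: bytes):
    # One observed exchange: both nonces plus the keyed tag.
    n_p, n_s = secrets.token_bytes(16), secrets.token_bytes(16)
    return n_p, n_s, mac(psk, n_p, n_s)


def offline_search(transcript, candidates):
    """Test candidates against ONE captured exchange, with no further
    interaction. The work factor is the number of candidates tried, which is
    the property the RFC 3748 text quoted above rules out."""
    n_p, n_s, tag = transcript
    for tried, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(mac(guess, n_p, n_s), tag):
            return guess, tried
    return None, len(candidates)


def online_bound(pool_size: int, rejections: int) -> Fraction:
    """The 1/(S-R) figure quoted from Lucks: one guess per active attempt,
    with R candidates already rejected out of a pool of size S."""
    return Fraction(1, pool_size - rejections)


def demo():
    pool = [f"pass{i:04d}".encode() for i in range(5000)]  # constructed pool
    weak_psk = pool[4321]                # secret drawn from the small pool
    found, work = offline_search(capture(weak_psk), pool)
    strong_psk = secrets.token_bytes(16)  # 16 random octets, as in Section 11.6
    missed, _ = offline_search(capture(strong_psk), pool)
    return found == weak_psk, work, missed


if __name__ == "__main__":
    print(demo(), online_bound(5000, 10))
```

The exchange is the same in both runs: the 16-octet secret only puts the search out of reach, while a secret from the small pool falls to computation on a single capture.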