My view:
It is very hard to say that PSK is stronger or weaker than Certificate in authentication. It depends on the key distribution adopted. Certificate is suitable for one to many communication, in which case single direction authentication is enough. Key distribution is cheap as there are a lot of mechanisms to maintain the authenticity of the certificate, including trust store in browser, audit of the WebTrust on RootCA, certificate transparency, and DANE etc. All these measures can help in eliminating the phishing website. PSK is more suitable for one to one authentication. It is good in mutual authentication. However, the key distribution is expensive and sometimes is impossible. If the PSK is derived from previous authentication based on certificate, I think PSK is weaker, at least not stronger.

Haiguang Wang

________________________________
From: TLS <tls-boun...@ietf.org> on behalf of Peter Gutmann <pgut...@cs.auckland.ac.nz>
Sent: Thursday, 21 July 2022 8:52:55 PM
To: tls@ietf.org; resea...@bensmyth.com
Subject: Re: [TLS] Authentication weaker in PSK-mode?

Ben Smyth <resea...@bensmyth.com> writes:

>should we consider PSK-mode authentication weaker than certificate-based
>authentication?

No, it's much stronger. With cert-based server auth, a client will connect to anything that has a certificate from any CA anywhere, in other words pretty much anything at all, and declare the connection secure. It's slightly better than anon-DH, but it offers almost no protection against phishing, the most common attack on the web today. The best form of this mixes in cert-based client auth as well, so the client connects to a phishing site that authenticates itself with a CA-issued cert, the client then authenticates with a CA-issued cert, and the result as far as the client is aware is a fully CA-certified cryptographically secured connection to a site that's actually run by the MageCart Syndicate.

With PSK a client can only connect to a server that proves knowledge of the shared secret, which immediately kills phishing because the attacker would need to prove knowledge of the credentials they're trying to phish before they can phish them.

(Note that this is for web use, for non-web use like SCADA the software typically hardcodes in certificates and keys and will only trust those, which in a sense makes it more PSK than cert-based auth).

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
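The two positions in this thread, as a simplified model added here (it is not code from any poster and it is not the TLS 1.3 key schedule): a server must return a MAC keyed by the PSK before the client accepts it, and a PSK derived from an earlier session is known to whichever peer terminated that session. The function names, the `b"server"` and `b"resumption"` labels and the HMAC-SHA256 construction are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def proof(psk: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """MAC over both nonces keyed by the PSK; the role label stops reflection."""
    return hmac.new(psk, role + client_nonce + server_nonce, hashlib.sha256).digest()


class Server:
    """Model server: answers a client nonce with its own nonce and a proof."""

    def __init__(self, psk: bytes):
        self.psk = psk

    def respond(self, client_nonce: bytes):
        server_nonce = secrets.token_bytes(32)
        return server_nonce, proof(self.psk, b"server", client_nonce, server_nonce)


def client_accepts(client_psk: bytes, server: Server) -> bool:
    """Client side: accept only if the server's proof matches our own PSK."""
    client_nonce = secrets.token_bytes(32)
    server_nonce, tag = server.respond(client_nonce)
    expected = proof(client_psk, b"server", client_nonce, server_nonce)
    return hmac.compare_digest(tag, expected)


def resumption_psk(session_secret: bytes) -> bytes:
    """Stand-in for a PSK derived from an earlier, certificate-authenticated session."""
    return hmac.new(session_secret, b"resumption", hashlib.sha256).digest()


def run_scenarios() -> dict:
    # Case 1: PSK distributed out of band; only the genuine server holds it.
    oob_psk = secrets.token_bytes(32)
    genuine = Server(oob_psk)
    no_secret = Server(secrets.token_bytes(32))  # peer without the PSK

    # Case 2: PSK derived from an earlier session. Whoever terminated that
    # session holds the same secret, so the PSK proves "same peer as before"
    # and inherits whatever authentication that earlier session had.
    session_secret = secrets.token_bytes(32)  # constructed sample value
    earlier_peer = Server(resumption_psk(session_secret))

    return {
        "oob_genuine": client_accepts(oob_psk, genuine),
        "oob_without_psk": client_accepts(oob_psk, no_secret),
        "derived_earlier_peer": client_accepts(resumption_psk(session_secret), earlier_peer),
    }
```

`run_scenarios()` returns `True`, `False`, `True` for the three cases: the out-of-band PSK rejects a peer that lacks it, while a derived PSK accepts any peer that took part in the earlier session.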