[Emu] comment on draft-ietf-emu-eap-gpsk
Hello,
Section 11.6 of draft-ietf-emu-eap-gpsk says:
   EAP-GPSK relies on a long-term shared secret (PSK) that MUST be
   based on at least 16 octets of entropy to guarantee security
   against dictionary attacks.
This is not a generally accepted view of resistance to dictionary
attack. For instance, the excellent paper by Bellare, Pointcheval,
and Rogaway, "Authenticated Key Exchange Secure Against Dictionary
Attacks", says:
   One sees whether or not one has security against dictionary
   attacks by looking to see if maximal adversarial advantage grows
   primarily with the ratio of interaction to the size of the
   password space.
"Open Key Exchange-- How to Defeat Dictionary Attacks Without Encrypting
Public Keys", by Stefan Lucks, says that the probability of success of
the attacker is based on the size of the dictionary and the number of
times the attacker has been rejected (after active attack), and
"does not significantly exceed 1/(S-R)" where S is the size of the
dictionary and R is the number of rejections.
Even RFC3748 says that for an EAP method to be resistant to dictionary
attacks that:
   ...the method does not allow an offline attack that has a work
   factor based on the number of passwords in an attacker's dictionary.
The idea here is that merely making the size of the pool from which
the secret is drawn (i.e. "the dictionary") large does not make a protocol
resistant to dictionary attack. What makes it resistant to dictionary
attacks is whether an attacker gets one guess at the password per active
attack-- interaction-- and not an unlimited number after a single attack--
computation.
This draft implies that since the secret has "16 octets of entropy"--
2^128 bits, which is quite a requirement!-- that it is resistant to a
dictionary attack. This is not correct.
I really think this draft should be corrected to not imply it has
resistance to dictionary attack. I suggest something along the lines of:
   The success of a dictionary attack against EAP-GPSK depends on
   the strength of the long-term shared secret (PSK) it uses. The
   PSK used by EAP-GPSK MUST be drawn from a pool of secrets that
   is at least 2^128 bits large and whose distribution is uniformly
   random. Note that this does not imply resistance to dictionary
   attack, only that the probability of success in such an attack
   is acceptably remote.
regards,
Dan.
_______________________________________________
Emu mailing list
Emu at ietf.org
https://www.ietf.org/mailman/listinfo/emu
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
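
The distinction drawn in the message above, as an added example that is not part of the original post and does not reproduce EAP-GPSK's actual messages: a toy PSK challenge-response (assumed here) whose single recorded transcript lets every dictionary entry be checked by computation alone, next to the interaction-limited bounds quoted from Bellare et al. and Lucks. The dictionary, the function names and the HMAC-SHA256 proof are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction

# Constructed sample dictionary (S = 6); not taken from the message.
DICTIONARY = ["autumn", "bridge", "candle", "domino", "ember", "falcon"]


def mac(psk: str, nonce: bytes) -> bytes:
    """Toy PSK proof: HMAC-SHA256 over the server nonce (hypothetical protocol)."""
    return hmac.new(psk.encode(), nonce, hashlib.sha256).digest()


def run_exchange(psk: str) -> tuple[bytes, bytes]:
    """One honest run; returns what a passive observer records: (nonce, proof)."""
    nonce = secrets.token_bytes(16)
    return nonce, mac(psk, nonce)


def consistent_with_transcript(transcript, candidates):
    """Candidates that reproduce the recorded proof, checked purely by computation.

    If this narrows the dictionary to one entry, the protocol has an offline
    work factor based on the dictionary size (the RFC 3748 criterion), however
    large that dictionary is.
    """
    nonce, proof = transcript
    return [c for c in candidates if hmac.compare_digest(mac(c, nonce), proof)]


def next_guess_bound(S: int, R: int) -> Fraction:
    """Lucks' figure for a resistant protocol: about 1/(S-R) after R rejections."""
    if not 0 <= R < S:
        raise ValueError("need 0 <= R < S")
    return Fraction(1, S - R)


def interaction_limited_success(S: int, attempts: int) -> Fraction:
    """Cumulative success when each guess costs one active run: attempts/S."""
    return Fraction(min(attempts, S), S)
```

With a uniformly random 128-bit PSK the offline check still exists; it is only the size of the candidate space that makes running it impractical, which is the point of the suggested replacement text.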