Re: [Emu] comment on draft-ietf-emu-eap-gpsk


Thanks Dan,  I agree with your assessment.  I think we should include
text similar to what you propose in the document. 

Joe 

> -----Original Message-----
> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On 
> Behalf Of Dan Harkins
> Sent: Tuesday, April 01, 2008 3:26 PM
> To: emu at ietf.org
> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
> 
> 
>   Hello,
> 
>   Section 11.6 of draft-ietf-emu-eap-gpsk says:
> 
>       EAP-GPSK relies on a long-term shared secret (PSK) that MUST be
>       based on at least 16 octets of entropy to guarantee security
>       against dictionary attacks.
> 
> This is not a generally accepted view of resistance to 
> dictionary attack. For instance, the excellent paper by 
> Bellare, Pointcheval, and Rogaway, Authenticated Key Exchange 
> Secure Against Dictionary Attacks says:
> 
>       One sees whether or not one has security against dictionary
>       attacks by looking to see if maximal adversarial advantage grows
>       primarily with the ratio of interaction to the size of the
>       password space.
> 
>   Open Key Exchange-- How to Defeat Dictionary Attacks 
> Without Encrypting Public Keys, by Stefan Lucks, says that 
> the probability of success of the attacker is based on the 
> size of the dictionary and the number of times the 
> attacker has been rejected (after active attack), and "does 
> not significantly exceed 1/(S-R)" where S is the size of the 
> dictionary and R is the number of rejections.
> 
>   Even RFC3748 says that for an EAP method to be resistant to 
> dictionary attacks:
> 
>       ...the method does not allow an offline attack that has a work
>       factor based on the number of passwords in an attacker's
>       dictionary.
> 
>   The idea here is that merely making the size of the pool 
> from which the secret is drawn (i.e. "the dictionary") large 
> does not make a protocol resistant to dictionary attack. What 
> makes it resistant to dictionary attacks is whether an 
> attacker gets one guess at the password per active attack-- 
> interaction-- and not an unlimited number after a single 
> attack-- computation.
> 
>   This draft implies that since the secret has "16 octets of 
> entropy"-- 2^128 bits, which is quite a requirement!-- that it is 
> resistant to a dictionary attack. This is not correct.
> 
>   I really think this draft should be corrected to not imply 
> it has resistance to dictionary attack. I suggest something 
> along the lines of:
> 
>       The success of a dictionary attack against EAP-GPSK depends on
>       the strength of the long-term shared secret (PSK) it uses. The
>       PSK used by EAP-GPSK MUST be drawn from a pool of secrets that
>       is at least 2^128 bits large and whose distribution is uniformly
>       random. Note that this does not imply resistance to dictionary
>       attack, only that the probability of success in such an attack
>       is acceptably remote.
> 
>   regards,
> 
>   Dan.
> 
> 
> 
> 
> _______________________________________________
> Emu mailing list
> Emu at ietf.org
> https://www.ietf.org/mailman/listinfo/emu
> 



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
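
The distinction drawn in the quoted message, between one guess per interaction and unlimited guesses by computation, shown as an added example that is not part of the thread or of the draft. It assumes a toy PSK-keyed HMAC-SHA256 over two nonces rather than the EAP-GPSK MAC or key derivation; the function names and the dictionary are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def transcript_mac(psk, nonce_p, nonce_s):
    # Assumed toy construction: HMAC-SHA256 keyed with the PSK over both
    # nonces. It stands in for any PSK-keyed value sent on the wire.
    return hmac.new(psk, nonce_p + nonce_s, hashlib.sha256).digest()

def run_exchange(psk):
    # What a passive observer records from one run: both nonces and the MAC.
    nonce_p, nonce_s = secrets.token_bytes(16), secrets.token_bytes(16)
    return nonce_p, nonce_s, transcript_mac(psk, nonce_p, nonce_s)

def offline_work(candidates, nonce_p, nonce_s, observed_mac):
    # Local computations needed to confirm the PSK from ONE recorded exchange.
    # No further interaction happens, so nothing is rejected or rate-limited.
    # Returns None when the PSK is not among the candidates.
    for tried, cand in enumerate(candidates, start=1):
        guess = transcript_mac(cand, nonce_p, nonce_s)
        if hmac.compare_digest(guess, observed_mac):
            return tried
    return None

def online_next_guess_bound(S, R):
    # Bound quoted from Lucks in the message: after R rejected active
    # attempts against a dictionary of size S, success stays near 1/(S-R).
    return 1 / (S - R)

def demo():
    words = [b"word%d" % i for i in range(1000)]    # constructed dictionary
    weak = run_exchange(words[736])                 # PSK drawn from it
    strong = run_exchange(secrets.token_bytes(16))  # 16 uniformly random octets
    return {
        "weak_offline_work": offline_work(words, *weak),
        "strong_offline_work": offline_work(words, *strong),
        "online_bound_fresh": online_next_guess_bound(len(words), 0),
        "online_bound_after_10": online_next_guess_bound(len(words), 10),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same local search runs against both PSKs; the 16-octet secret only makes the candidate space too large to enumerate, which is the difference between "resistant to dictionary attack" and "probability of success is acceptably remote".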