Re: [Emu] comment on draft-ietf-emu-eap-gpsk
Joseph Salowey (jsalowey) scribbled on :
> Thanks Dan, I agree with your assessment. I think we should
> include text similar to what you propose in the document.
>
> Joe
>
>> -----Original Message-----
>> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On Behalf
>> Of Dan Harkins Sent: Tuesday, April 01, 2008 3:26 PM
>> To: emu at ietf.org
>> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
>>
>>
>> Hello,
>>
>> Section 11.6 of draft-ietf-emu-eap-gpsk says:
>>
>> EAP-GPSK relies on a long-term shared secret (PSK) that MUST be
>> based on at least 16 octets of entropy to guarantee security
>> against dictionary attacks.
>>
>> This is not a generally accepted view of resistance to dictionary
>> attack. For instance, the excellent paper by Bellare, Pointcheval,
>> and Rogaway, Authenticated Key Exchange Secure Against Dictionary
>> Attacks says:
>>
>> One sees whether or not one has security against dictionary
>> attacks by looking to see if maximal adversarial advantage
>> grows primarily with the ratio of interaction to the size of
>> the password space.
In other words, if the choice of dictionary elements significantly
increases the likelihood of success over that of randomly chosen strings
from the search space.
>>
>> Open Key Exchange-- How to Defeat Dictionary Attacks Without
>> Encrypting Public Keys, by Stefan Lucks, says that the probability of
>> success of the attacker is based on the size of the dictionary and
>> the number of times the attacker has been rejected (after
>> active attack), and "does not significantly exceed 1/(S-R)" where S
>> is the size of the dictionary and R is the number of rejections.
This says essentially the same thing, since 1/(S-R) is just the
probability of success of a brute force attack.
>>
>> Even RFC3748 says that for an EAP method to be resistant to
>> dictionary attacks that:
>>
>> ...the method does not allow an offline attack that has a work
>> factor based on the number of passwords in an attacker's
>> dictionary.
>>
>> The idea here is that merely making the size of the pool from which
>> the secret is drawn (i.e. "the dictionary") large does not make a
>> protocol resistant to dictionary attack. What makes it resistant to
>> dictionary attacks is whether an attacker gets one guess at the
>> password per active attack-- interaction-- and not an unlimited
>> number after a single attack-- computation.
No. What makes a protocol resistant to dictionary attack is that the
use of a dictionary (i.e., a subset of the search space chosen to
increase the probability of success) doesn't work any better than a
brute force attack without a dictionary. That's why they are called
"dictionary attacks" & not "one guess attacks" or some such thing.
>>
>> This draft implies that since the secret has "16 octets of
>> entropy"-- 2^128 bits, which is quite a requirement!-- that it is
>> resistant to a dictionary attack. This is not correct.
>>
>> I really think this draft should be corrected to not imply it has
>> resistance to dictionary attack. I suggest something along the lines
>> of:
>>
>> The success of a dictionary attack against EAP-GPSK depends on
>> the strength of the long-term shared secret (PSK) it uses. The
>> PSK used by EAP-GPSK MUST be drawn from a pool of secrets that
>> is at least 2^128 bits large and whose distribution is
>> uniformly random. Note that this does not imply resistance to
>> dictionary attack, only that the probability of success in
>> such an attack is acceptably remote.
>>
>> regards,
>>
>> Dan.
>>
>> _______________________________________________
>> Emu mailing list
>> Emu at ietf.org
>> https://www.ietf.org/mailman/listinfo/emu
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
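A constructed toy model of the distinction the thread argues about, added here and not taken from the thread or from the EAP-GPSK draft: an attacker limited to one PSK guess per interaction (the 1/(S-R) bound Dan quotes) versus one who verifies guesses offline against a captured transcript (the RFC 3748 sense of a dictionary attack). The challenge-response format, dictionary and nonce are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def respond(psk: bytes, nonce: bytes) -> bytes:
    """Toy PSK challenge-response (assumed, not EAP-GPSK's real format):
    the prover returns a MAC over the verifier's nonce under the PSK."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()

def offline_guesses_needed(transcript, dictionary):
    """Offline attack in the RFC 3748 sense: test candidate PSKs against one
    captured (nonce, mac) pair. No further interaction is needed, so the
    work factor is bounded only by the size of the attacker's dictionary.
    Returns the number of candidates tested, or None if the PSK is absent."""
    nonce, mac = transcript
    for tested, candidate in enumerate(dictionary, start=1):
        if hmac.compare_digest(respond(candidate, nonce), mac):
            return tested
    return None

def online_success_bound(space_size: int, rejections: int) -> float:
    """Lucks' bound quoted in the thread: after R rejected online guesses the
    next guess succeeds with probability not significantly above 1/(S-R)."""
    return 1 / (space_size - rejections)

# Constructed data: a short "dictionary" of weak PSKs and two transcripts.
WEAK_DICTIONARY = [b"password", b"12345678", b"letmein", b"welcome1"]
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed
WEAK_TRANSCRIPT = (NONCE, respond(b"letmein", NONCE))
STRONG_PSK = secrets.token_bytes(16)  # 16 octets of entropy, as the draft asks
STRONG_TRANSCRIPT = (NONCE, respond(STRONG_PSK, NONCE))

if __name__ == "__main__":
    # Weak PSK: recovered offline after a handful of MAC computations.
    print("weak PSK found after",
          offline_guesses_needed(WEAK_TRANSCRIPT, WEAK_DICTIONARY), "guesses")
    # Strong PSK: the same offline attack still runs; it merely fails because
    # the dictionary does not contain the secret. That is a remote probability
    # of success, not "resistance" to dictionary attack.
    print("strong PSK in weak dictionary:",
          offline_guesses_needed(STRONG_TRANSCRIPT, WEAK_DICTIONARY))
    print("online bound, 2^128 secrets, 0 rejections:",
          online_success_bound(2**128, 0))
```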