Re: [Emu] comment on draft-ietf-emu-eap-gpsk
OK, but do you agree that EAP-GPSK should not be claiming resistance to
dictionary attack if its security depends upon the selection of secret
from a pool that is large enough?
Joe
> -----Original Message-----
> From: Glen Zorn [mailto:gzorn at arubanetworks.com]
> Sent: Wednesday, April 02, 2008 2:09 AM
> To: Dan Harkins
> Cc: Joseph Salowey (jsalowey); emu at ietf.org
> Subject: RE: [Emu] comment on draft-ietf-emu-eap-gpsk
>
> Joseph Salowey (jsalowey) <> scribbled on :
>
> > Thanks Dan, I agree with your assessment. I think we should include
> > text similar to what you propose in the document.
> >
> > Joe
> >
> >> -----Original Message-----
> >> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On Behalf Of Dan Harkins
> >> Sent: Tuesday, April 01, 2008 3:26 PM
> >> To: emu at ietf.org
> >> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
> >>
> >>
> >> Hello,
> >>
> >> Section 11.6 of draft-ietf-emu-eap-gpsk says:
> >>
> >> EAP-GPSK relies on a long-term shared secret (PSK) that MUST be
> >> based on at least 16 octets of entropy to guarantee security
> >> against dictionary attacks.
> >>
> >> This is not a generally accepted view of resistance to dictionary
> >> attack. For instance, the excellent paper by Bellare, Pointcheval,
> >> and Rogaway, Authenticated Key Exchange Secure Against Dictionary
> >> Attacks says:
> >>
> >> One sees whether or not one has security against dictionary
> >> attacks by looking to see if maximal adversarial advantage
> >> grows primarily with the ratio of interaction to the size of
> >> the password space.
>
> In other words, if the choice of dictionary elements
> significantly increases the likelihood of success over that
> of randomly chosen strings from the search space.
>
> >>
> >> Open Key Exchange-- How to Defeat Dictionary Attacks Without
> >> Encrypting Public Keys, by Stefan Lucks, says that the probability of
> >> success of the attacker is based on the size of the dictionary and
> >> the number of times the attacker has been rejected (after
> >> active attack), and "does not significantly exceed 1/(S-R)" where S
> >> is the size of the dictionary and R is the number of rejections.
>
> This says essentially the same thing, since 1/(S-R) is just
> the probability of success of a brute force attack.
>
> >>
> >> Even RFC3748 says that for an EAP method to be resistant to
> >> dictionary attacks that:
> >>
> >> ...the method does not allow an offline attack that has a work
> >> factor based on the number of passwords in an attacker's
> >> dictionary.
> >>
> >> The idea here is that merely making the size of the pool from which
> >> the secret is drawn (i.e. "the dictionary") large does not make a
> >> protocol resistant to dictionary attack. What makes it resistant to
> >> dictionary attacks is whether an attacker gets one guess at the
> >> password per active attack-- interaction-- and not an unlimited
> >> number after a single attack-- computation.
>
> No. What makes a protocol resistant to dictionary attack is
> that the use of a dictionary (i.e., a subset of the search
> space chosen to increase the probability of success) doesn't
> work any better than a brute force attack without a
> dictionary. That's why they are called "dictionary attacks"
> & not "one guess attacks" or some such thing.
>
> >>
> >> This draft implies that since the secret has "16 octets of
> >> entropy"-- 2^128 bits, which is quite a requirement!-- that it is
> >> resistant to a dictionary attack. This is not correct.
> >>
> >> I really think this draft should be corrected to not imply it has
> >> resistance to dictionary attack. I suggest something along the lines
> >> of:
> >>
> >> The success of a dictionary attack against EAP-GPSK depends on
> >> the strength of the long-term shared secret (PSK) it uses. The
> >> PSK used by EAP-GPSK MUST be drawn from a pool of secrets that
> >> is at least 2^128 bits large and whose distribution is
> >> uniformly random. Note that this does not imply resistance to
> >> dictionary attack, only that the probability of success in
> >> such an attack is acceptably remote.
> >>
> >> regards,
> >>
> >> Dan.
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Emu mailing list
> >> Emu at ietf.org
> >> https://www.ietf.org/mailman/listinfo/emu
> >>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
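
The quantities cited in this thread, worked through as an added example that is not part of any message in it: the 1/(S-R) figure per online guess, the advantage a dictionary gives over randomly chosen guesses, and the work factor when guesses can be checked by computation. Function names, the pool size of 1000 and both distributions are constructed for illustration.

```python
from fractions import Fraction

def next_guess_bound(S, R):
    """The 1/(S-R) figure: chance the next online guess is right after
    R rejections, when the secret is uniform over a pool of S candidates."""
    return Fraction(1, S - R)

def online_success(S, q):
    """Chance that at least one of q distinct online guesses is right."""
    miss = Fraction(1)
    for R in range(q):
        miss *= 1 - next_guess_bound(S, R)
    return 1 - miss  # the product telescopes, leaving q/S

def dictionary_gain(probs, q):
    """Success of the q most likely secrets divided by the success of q
    distinct guesses chosen uniformly at random, which is q/len(probs)."""
    best = sum(sorted(probs, reverse=True)[:q])
    return best / Fraction(q, len(probs))

def offline_work(S):
    """If one captured exchange lets guesses be checked by computation,
    the cost is trial computations rather than protocol runs: expected
    number of trials to find a uniform secret in a pool of S."""
    return Fraction(S + 1, 2)

# Constructed pools of 1000 secrets (not data from the thread).
UNIFORM = [Fraction(1, 1000)] * 1000
# Skewed: 10 popular secrets hold half of the probability mass.
SKEWED = [Fraction(1, 20)] * 10 + [Fraction(1, 1980)] * 990

if __name__ == "__main__":
    print("online, 10 guesses, uniform pool:", online_success(1000, 10))
    print("dictionary gain, uniform pool:", dictionary_gain(UNIFORM, 10))
    print("dictionary gain, skewed pool:", dictionary_gain(SKEWED, 10))
    print("offline expected trials, pool of 2**128:", offline_work(2**128))
```

With a uniform pool the dictionary gain is 1 and online success grows only with the ratio of guesses to pool size; the skewed pool shows how the same number of guesses does far better when secrets are not uniformly chosen.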