Re: [Emu] comment on draft-ietf-emu-eap-gpsk

["Glen Zorn" <gzorn at arubanetworks.com>]

Joseph Salowey (jsalowey) <mailto:jsalowey at cisco.com> scribbled on
Wednesday, April 02, 2008 9:31 AM:

> OK, but do you agree that EAP-GPSK should not be claiming
> resistance to dictionary attack if its security depends upon
> the selection of secret from a pool that is large enough?

Yes.

> 
> Joe
> 
>> -----Original Message-----
>> From: Glen Zorn [mailto:gzorn at arubanetworks.com]
>> Sent: Wednesday, April 02, 2008 2:09 AM
>> To: Dan Harkins
>> Cc: Joseph Salowey (jsalowey); emu at ietf.org
>> Subject: RE: [Emu] comment on draft-ietf-emu-eap-gpsk
>> 
>> Joseph Salowey (jsalowey) <> scribbled on :
>> 
>>> Thanks Dan,  I agree with your assessment.  I think we should
>>> include text similar to what you propose in the document.
>>> 
>>> Joe
>>> 
>>>> -----Original Message-----
>>>> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On Behalf
>>>> Of Dan Harkins Sent: Tuesday, April 01, 2008 3:26 PM
>>>> To: emu at ietf.org
>>>> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
>>>> 
>>>> 
>>>>   Hello,
>>>> 
>>>>   Section 11.6 of draft-ietf-emu-eap-gpsk says:
>>>> 
>>>>       EAP-GPSK relies on a long-term shared secret (PSK) that MUST
>>>>       be based on at least 16 octets of entropy to guarantee
>>>>       security against dictionary attacks.
>>>> 
>>>> This is not a generally accepted view of resistance to dictionary
>>>> attack. For instance, the excellent paper by Bellare, Pointcheval,
>>>> and Rogaway, Authenticated Key Exchange Secure Against Dictionary
>>>> Attacks says: 
>>>> 
>>>>       One sees whether or not one has security against dictionary
>>>>       attacks by looking to see if maximal adversarial advantage
>>>>       grows primarily with the ratio of interaction to the size of
>>>> the       password space.
>> 
>> In other word, if the choice of dictionary elements significantly
>> increases the likelihood of success over that of randomly chosen
>> strings from the search space.
>> 
>>>> 
>>>>   Open Key Exchange-- How to Defeat Dictionary Attacks Without
>>>> Encrypting Public Keys, by Stefan Lucks, says that the probability
>>>> of success of the attacker is based on the size of the dictionary
>>>> and the number of number of times the attacker has been rejected
>>>> (after active attack), and "does not significantly exceed 1/(S-R)"
>>>> where S is the size of the dictionary and R is the number or
>>>> rejections. 
>> 
>> This says essentially the same thing, since 1/(S-R) is just the
>> probability of success of a brute force attack.
>> 
>>>> 
>>>>   Even RFC3748 says that for an EAP method to be resistant to
>>>> dictionary attacks that: 
>>>> 
>>>>       ...the method does not allow an offline attack that has a
>>>>       work factor based on the number of passwords in an
>>>> attacker's dictionary. 
>>>> 
>>>>   The idea here is that merely making the size of the pool from
>>>> which the secret is drawn (i.e. "the dictionary") large does not
>>>> make a protocol resistant to dictionary attack. What makes it
>>>> resistant to dictionary attacks is whether an attacker gets one
>>>> guess at the password per active attack-- interaction-- and not an
>>>> unlimited number after a single attack-- computation.
>> 
>> No.  What makes a protocol resistant to dictionary attack is that the
>> use of a dictionary (i.e., a subset of the search space chosen to
>> increase the probability of success) doesn't work any better than a
>> brute force attack without a dictionary.  That's why they are called
>> "dictionary attacks" & not "one guess attacks" or some such thing.
>> 
>>>> 
>>>>   This draft implies that since the secret has "16 octets of
>>>> entropy"-- 2^128 bits, which is quite a requirement!-- that it is
>>>> resistant to a dictionary attack. This is not correct.
>>>> 
>>>>   I really think this draft should be corrected to not imply it has
>>>> resistance to dictionary attack. I suggest something along the
>>>> lines of: 
>>>> 
>>>>       The success of a dictionary attack against EAP-GPSK depends
>>>>       on the strength of the long-term shared secret (PSK) it
>>>>       uses. The PSK used by EAP-GPSK MUST be drawn from a pool of
>>>>       secrets that is at least 2^128 bits large and whose
>>>>       distribution is uniformly random. Note that this does not
>>>>       imply resistance to dictionary attack, only that the
>>>> probability of success in 
>>>> such an attack       is acceptably remote.
>>>> 
>>>>   regards,
>>>> 
>>>>   Dan.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Emu mailing list
>>>> Emu at ietf.org
>>>> https://www.ietf.org/mailman/listinfo/emu
>>>> 
>>> _______________________________________________
>>> Emu mailing list
>>> Emu at ietf.org
>>> https://www.ietf.org/mailman/listinfo/emu
_______________________________________________
Emu mailing list
Emu at ietf.org
https://www.ietf.org/mailman/listinfo/emu