Re: [Emu] comment on draft-ietf-emu-eap-gpsk




  I'm glad we three agree that EAP-GPSK should not be claiming resistance
to dictionary attack so what can we do about it?

  Dan.

On Thu, April 3, 2008 6:31 pm, Glen Zorn wrote:
> Joseph Salowey (jsalowey) <mailto:jsalowey at cisco.com> scribbled on
> Wednesday, April 02, 2008 9:31 AM:
>
>> OK, but do you agree that EAP-GPSK should not be claiming
>> resistance to dictionary attack if its security depends upon
>> the selection of secret from a pool that is large enough?
>
> Yes.
>
>>
>> Joe
>>
>>> -----Original Message-----
>>> From: Glen Zorn [mailto:gzorn at arubanetworks.com]
>>> Sent: Wednesday, April 02, 2008 2:09 AM
>>> To: Dan Harkins
>>> Cc: Joseph Salowey (jsalowey); emu at ietf.org
>>> Subject: RE: [Emu] comment on draft-ietf-emu-eap-gpsk
>>>
>>> Joseph Salowey (jsalowey) <> scribbled on :
>>>
>>>> Thanks Dan,  I agree with your assessment.  I think we should
>>>> include text similar to what you propose in the document.
>>>>
>>>> Joe
>>>>
>>>>> -----Original Message-----
>>>>> From: emu-bounces at ietf.org [mailto:emu-bounces at ietf.org] On Behalf
>>>>> Of Dan Harkins Sent: Tuesday, April 01, 2008 3:26 PM
>>>>> To: emu at ietf.org
>>>>> Subject: [Emu] comment on draft-ietf-emu-eap-gpsk
>>>>>
>>>>>
>>>>>   Hello,
>>>>>
>>>>>   Section 11.6 of draft-ietf-emu-eap-gpsk says:
>>>>>
>>>>>       EAP-GPSK relies on a long-term shared secret (PSK) that MUST
>>>>>       be based on at least 16 octets of entropy to guarantee
>>>>>       security against dictionary attacks.
>>>>>
>>>>> This is not a generally accepted view of resistance to dictionary
>>>>> attack. For instance, the excellent paper by Bellare, Pointcheval,
>>>>> and Rogaway, Authenticated Key Exchange Secure Against Dictionary
>>>>> Attacks says:
>>>>>
>>>>>       One sees whether or not one has security against dictionary
>>>>>       attacks by looking to see if maximal adversarial advantage
>>>>>       grows primarily with the ratio of interaction to the size of
>>>>>       the password space.
>>>
>>> In other words, if the choice of dictionary elements significantly
>>> increases the likelihood of success over that of randomly chosen
>>> strings from the search space.
>>>
>>>>>
>>>>>   Open Key Exchange-- How to Defeat Dictionary Attacks Without
>>>>> Encrypting Public Keys, by Stefan Lucks, says that the probability
>>>>> of success of the attacker is based on the size of the dictionary
>>>>> and the number of times the attacker has been rejected
>>>>> (after active attack), and "does not significantly exceed 1/(S-R)"
>>>>> where S is the size of the dictionary and R is the number of
>>>>> rejections.
>>>
>>> This says essentially the same thing, since 1/(S-R) is just the
>>> probability of success of a brute force attack.
>>>
>>>>>
>>>>>   Even RFC3748 says that for an EAP method to be resistant to
>>>>> dictionary attacks that:
>>>>>
>>>>>       ...the method does not allow an offline attack that has a
>>>>>       work factor based on the number of passwords in an
>>>>>       attacker's dictionary.
>>>>>
>>>>>   The idea here is that merely making the size of the pool from
>>>>> which the secret is drawn (i.e. "the dictionary") large does not
>>>>> make a protocol resistant to dictionary attack. What makes it
>>>>> resistant to dictionary attacks is whether an attacker gets one
>>>>> guess at the password per active attack-- interaction-- and not an
>>>>> unlimited number after a single attack-- computation.
>>>
>>> No.  What makes a protocol resistant to dictionary attack is that the
>>> use of a dictionary (i.e., a subset of the search space chosen to
>>> increase the probability of success) doesn't work any better than a
>>> brute force attack without a dictionary.  That's why they are called
>>> "dictionary attacks" & not "one guess attacks" or some such thing.
>>>
>>>>>
>>>>>   This draft implies that since the secret has "16 octets of
>>>>> entropy"-- 2^128 bits, which is quite a requirement!-- that it is
>>>>> resistant to a dictionary attack. This is not correct.
>>>>>
>>>>>   I really think this draft should be corrected to not imply it has
>>>>> resistance to dictionary attack. I suggest something along the
>>>>> lines of:
>>>>>
>>>>>       The success of a dictionary attack against EAP-GPSK depends
>>>>>       on the strength of the long-term shared secret (PSK) it
>>>>>       uses. The PSK used by EAP-GPSK MUST be drawn from a pool of
>>>>>       secrets that is at least 2^128 bits large and whose
>>>>>       distribution is uniformly random. Note that this does not
>>>>>       imply resistance to dictionary attack, only that the
>>>>>       probability of success in such an attack is acceptably
>>>>>       remote.
>>>>>
>>>>>   regards,
>>>>>
>>>>>   Dan.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Emu mailing list
>>>>> Emu at ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/emu
>>>>>
>





Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
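
Added example, not part of the original thread: the two quantities the messages above contrast, computed for a secret drawn uniformly from a pool of size S. The per-guess term 1/(S-R) and the interaction-to-pool-size ratio come from the quoted papers; the pool sizes, the interaction budget and the offline guessing rate are constructed assumptions.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def next_guess_success(S, R):
    """Lucks's figure from the thread: after R rejected guesses, the next
    online guess against a uniform secret succeeds with probability 1/(S-R)."""
    if not 0 <= R < S:
        raise ValueError("need 0 <= R < S")
    return Fraction(1, S - R)

def online_success(S, q):
    """Chance that any of q distinct online guesses is right, built up from
    the per-guess 1/(S-R) terms. It telescopes to q/S, the 'ratio of
    interaction to the size of the password space'."""
    miss = Fraction(1)
    for R in range(min(q, S)):
        miss *= 1 - next_guess_success(S, R)
    return 1 - miss

def offline_expected_years(S, guesses_per_second):
    """Expected time to find a uniform secret when one captured exchange lets
    every guess be checked by computation alone: (S+1)/2 trials on average."""
    return float(Fraction(S + 1, 2) / guesses_per_second) / SECONDS_PER_YEAR

def compare(S, q, guesses_per_second):
    """Both figures side by side for one pool size."""
    return {
        "online_success": online_success(S, q),
        "offline_years": offline_expected_years(S, guesses_per_second),
    }

# Constructed inputs: a 10^6-entry pool, the 2^128 pool from the proposed text,
# 100 permitted interactions, and an assumed 10^12 offline guesses per second.
SMALL_POOL, LARGE_POOL, Q, RATE = 10**6, 2**128, 100, 10**12

if __name__ == "__main__":
    for name, S in (("10^6", SMALL_POOL), ("2^128", LARGE_POOL)):
        r = compare(S, Q, RATE)
        print(f"pool {name}: online {float(r['online_success']):.3g}, "
              f"offline {r['offline_years']:.3g} years")
```

The online figure depends only on q/S whatever the pool; the offline figure is bounded only by S, which is why a 2^128 pool makes success remote without changing what the protocol itself permits.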