Quoth Richard Miller <9f...@hamnavoe.com>:
> I'm using a new subject [was: Interoperating between 9legacy and 9front]
> in the hope of continuing discussion of the vulnerability of p9sk1 without
> too many other distractions.
>
> mo...@posixcafe.org said:
> > If we agree that:
> >
> > 1) p9sk1 allows the shared secret to be brute-forced offline.
> > 2) The average consumer machine is fast enough to make a large amount of
> > attempts in a short time,
> > in other words triple DES is not computationally hard to brute force
> > these days.
> >
> > I don't know how you don't see how this is trivial to do.
>
> I agree that 1) is true, but I don't think it's serious. The shared secret is
> only valid for the current session, so by the time it's brute forced, it may
> be too late to use. I think the bad vulnerability is that the ticket request
> and response can be used offline to brute force the (more permanent) DES keys
> of the client and server. Provided, of course, that the random teenager somehow
> is able to listen in on the conversation between my p9sk1 clients and servers.
>
> On the other hand, it's hard to know whether to agree or disagree with 2),
> without knowing exactly what is meant by "large amount", "short time",
> "computationally hard", and "trivial".
>
> When Jacob told me at IWP9 in Waterloo that p9sk1 had been broken, not
> just theoretically but in practice, I was looking forward to seeing publication
> of the details. Ori's recent claim in 9fans seemed more specific:
>
The initial exchange sends across the challenges:

	C→S: CHc
	S→C: AuthTreq, IDs, DN, CHs, -, -

Because the challenge and IDs are sent as plain text, if I can decrypt the
client message with a key and find my known plain text, that key will work to
authenticate the client. For example, if I have a ticket, and a trace of the
first few packets of the key exchange, I have enough information to do
something like this:

	ticketpair = {
		Kc{AuthTc, CHs, IDc, IDr, Kn},
		Ks{AuthTs, CHs, IDc, IDr, Kn}
	}
	cmsg = ticketpair[0]
	for(k in keyspace){
		m = decrypt(k, cmsg)
		if(m.CHs == CHs && m.IDs == IDs)
			probably_bingo()
	}

At that point, I need to guess the username, but this often is relatively
easy -- often, this is posted publicly; you can probably guess that my user
is 'ori' without trouble. With those bits of information, you're able to
complete a new exchange as the client, and log in successfully.

The EFF was cracking DES keys in 22 hours back in 1998.

	https://en.wikipedia.org/wiki/EFF_DES_cracker

Hardware, in particular GPUs, has gotten quite a bit better since then.

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T56397eff6269af27-Mbe7e83e1e06339063e6d8e8f
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
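To make the reasoning in the thread concrete, here is a toy model of the known-plaintext test described above. This is an added example, not code from the 9fans thread or from 9front/9legacy, and it does not implement p9sk1 or DES: the "cipher" is a constructed stand-in (XOR with a SHA-256-derived keystream), the ticket layout is a fixed-width format chosen for the example, the key space is 16 bits so the sweep finishes instantly, and the sample trace values (CHs, the client id, the session key) are constructed. The point it isolates is the one Richard and Ori are arguing over: once CHs and an id that also appear in clear on the wire are inside the encrypted ticket, a captured trace becomes an offline oracle for candidate keys, and nothing on the server side (rate limits, lockouts) bounds the work; only the key size does.

```python
"""Toy illustration of why a p9sk1-style ticket is an offline oracle.

Added example, not from the 9fans thread. The cipher, ticket layout, key
size and trace values are all constructed stand-ins, not p9sk1 or DES.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

KEY_BITS = 16  # constructed toy key size; a DES key is 56 bits


@dataclass(frozen=True)
class Ticket:
    auth_type: int   # AuthTc in the post
    chs: bytes       # server challenge CHs (8 bytes), also sent in clear
    idc: bytes       # client id, assumed visible on the wire
    idr: bytes       # id on the server side
    kn: bytes        # session key Kn


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    # Stand-in for Kc{...}: XOR with a SHA-256-derived keystream.
    # Deterministic and invertible, deliberately NOT a real cipher.
    ks = hashlib.sha256(struct.pack(">I", key)).digest()
    assert len(plaintext) <= len(ks)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


toy_decrypt = toy_encrypt  # XOR is its own inverse

TICKET_FMT = ">B8s8s8s7s"  # 32 bytes; layout chosen for this example only


def pack_ticket(t: Ticket) -> bytes:
    return struct.pack(TICKET_FMT, t.auth_type, t.chs, t.idc, t.idr, t.kn)


def unpack_ticket(raw: bytes) -> Ticket:
    a, chs, idc, idr, kn = struct.unpack(TICKET_FMT, raw)
    return Ticket(a, chs, idc, idr, kn)


def candidate_matches(key: int, cmsg: bytes, chs: bytes, idc: bytes) -> bool:
    """The body of the post's loop: decrypt under k and look for the
    fields the observer already saw in clear (CHs and the client id)."""
    t = unpack_ticket(toy_decrypt(key, cmsg))
    return t.chs == chs and t.idc == idc


def offline_search(cmsg: bytes, chs: bytes, idc: bytes) -> Optional[int]:
    """Sweep the toy key space. No message is ever sent to a server, which
    is why server-side throttling or lockout cannot bound this work."""
    for k in range(1 << KEY_BITS):
        if candidate_matches(k, cmsg, chs, idc):
            return k
    return None


def expected_work(key_bits: int, keys_per_second: float) -> float:
    """Seconds for a full sweep of a key_bits-bit key space at a given rate."""
    return (1 << key_bits) / keys_per_second


# --- constructed trace: what a passive observer of the exchange sees ---
CHS = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # CHs, sent S->C in clear
IDC = b"ori\0\0\0\0\0"                      # client id (constructed)
IDR = b"glenda\0\0"                         # constructed
KN = b"\x11" * 7                            # constructed session key


def make_trace(kc: int) -> bytes:
    """Build the Kc{AuthTc, CHs, IDc, IDr, Kn} half of the ticket pair,
    as the auth server would, under the client's long-term toy key kc."""
    return toy_encrypt(kc, pack_ticket(Ticket(64, CHS, IDC, IDR, KN)))


if __name__ == "__main__":
    secret_kc = 0xBEEF  # client's long-term key; the observer does not know it
    cmsg = make_trace(secret_kc)
    found = offline_search(cmsg, CHS, IDC)
    print("recovered toy key:", hex(found) if found is not None else None)
    # The same loop over a 56-bit space is bounded only by hardware speed:
    days = expected_work(56, 1e9) / 86400
    print("full 56-bit sweep at 1e9 keys/s: %.1f days" % days)
```

The `expected_work` helper is there to make the "large amount / short time" disagreement quantitative: plug in whatever key rate you believe a given GPU or FPGA rig achieves and the bound falls out directly, because the check in `candidate_matches` needs nothing beyond the captured bytes.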