Quoth o...@eigenstate.org:
> Quoth Richard Miller <9f...@hamnavoe.com>:
> > I'm using a new subject [was: Interoperating between 9legacy and 9front]
> > in the hope of continuing discussion of the vulnerability of p9sk1 without
> > too many other distractions.
> >
> > mo...@posixcafe.org said:
> > > If we agree that:
> > >
> > > 1) p9sk1 allows the shared secret to be brute-forced offline.
> > > 2) The average consumer machine is fast enough to make a large amount of
> > > attempts in a short time,
> > > in other words triple DES is not computationally hard to brute force
> > > these days.
> > >
> > > I don't know how you don't see how this is trivial to do.
> >
> > I agree that 1) is true, but I don't think it's serious. The shared secret is
> > only valid for the current session, so by the time it's brute forced, it may
> > be too late to use. I think the bad vulnerability is that the ticket request
> > and response can be used offline to brute force the (more permanent) DES keys
> > of the client and server. Provided, of course, that the random teenager somehow
> > is able to listen in on the conversation between my p9sk1 clients and
> > servers.
> >
> > On the other hand, it's hard to know whether to agree or disagree with 2),
> > without knowing exactly what is meant by "large amount", "short time",
> > "computationally hard", and "trivial".
> >
> > When Jacob told me at IWP9 in Waterloo that p9sk1 had been broken, not
> > just theoretically but in practice, I was looking forward to seeing publication
> > of the details. Ori's recent claim in 9fans seemed more specific:
> >
> > The initial exchange sends across the challenges:
> > C→S: CHc
> S→C: AuthTreq, IDs, DN, CHs, -, -
>
Oops -- wrong messages; these are the ones you want to be breaking:

C→A: AuthTreq, IDs, DN, CHs, IDc, IDr
A→C: AuthOK, Kc{AuthTc, CHs, IDc, IDr, Kn}, Ks{AuthTs, CHs, IDc, IDr, Kn}

Thanks to cinap for pointing that out.

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/T56397eff6269af27-M396fa4f83c1770df9b18c6f1