Hi Hannes,

On Sat, June 28, 2008 7:25 am, Hannes Tschofenig wrote:
[snip]
>>
>> I'd like to suggest the following text for section 12.7:
>>
>> The success of a dictionary attack against EAP-GPSK depends on
>> the strength of the long-term shared secret (PSK) it uses. The
>> PSK used by EAP-GPSK SHOULD be drawn from a pool of secrets that
>> is at least 2^128 bits large and whose distribution is uniformly
>> random. Note that this does not imply resistance to dictionary
>> attack, only that the probability of success in such an attack
>> is acceptably remote.
>>
>> That is, I believe, fair, accurate, and unambiguous.
>
> Aren't we saying essentially the same in the previous sentences?
>
>------------------------------------------------------------------------------------------------
>
> 12.7. Dictionary Attacks
>
> EAP-GPSK relies on a long-term shared secret (PSK) that SHOULD be
> based on at least 16 octets of entropy to be fully secure. The EAP-
> GPSK protocol makes no special provisions to ensure keys based on
> passwords are used securely. Users who use passwords as the basis of
> their PSK are not protected against dictionary attacks. Derivation
> of the long-term shared secret from a password is strongly
> discouraged.
>
> ------------------------------------------------------------------------
>
> If you think we haven't discouraged folks enough to use passwords
> with the current text then we could add your text in addition to it.

My original comment wasn't because passwords were not being discouraged sufficiently (although that is a good idea) but because EAP-GPSK just is not resistant to dictionary attack regardless of the "strength" of the PSK being input.

The text above seems to suggest that the problem is that there are "no special provisions" to ensure that passwords aren't used. That's not really the problem. The problem is that EAP-GPSK allows an offline attack that has a work factor based on the size of the pool from which the secret was drawn. And that, according to RFC 3748 as well as other cryptographic literature, means that EAP-GPSK is not resistant to dictionary attack. It's not resistant to dictionary attack even if passwords aren't used.

Thankfully EAP-GPSK strongly recommends that the pool from which the secret was drawn be extremely large (2^128). This makes a dictionary attack highly unlikely to succeed but the improbability of success does not mean EAP-GPSK is resistant to dictionary attack.

I think it would be better to mention that the protocol itself is not resistant to dictionary attack and the likelihood of successful attack is inversely related to the strength of the PSK. In other words, use a strong PSK but don't think you're resistant to dictionary attack because you do.

regards,

Dan.
