On Tue, Apr 18, 2017 at 4:44 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Tue, Apr 18, 2017 at 03:51:53PM -0400, Eric Rescorla wrote:
> > On Tue, Apr 18, 2017 at 3:41 PM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> > >
> > > On topic of PSKs, I noticed that TLS 1.3 makes it very easy to mount
> > > dictionary attacks against PSK, regardless of DHE-PSK (especially to
> > > recover the client PSK). I assumed that the document already documents
> > > this, but I couldn't find any remark that using low-entropy PSKs is a very
> > > bad idea.
> >
> > Good point. As far as I can tell...
> >
> > 1. You can search the binder.
> > 2. Because we forbid PSK with server authentication, you can also
> > impersonate the server and then mount a dictionary attack (even w/o the
> > binder).
>
> AFAICT, if I wanted to extract low-entropy client PSK, I wouldn't even
> bother with 2, since 1 seems so much more efficient (all passive too!)..

I agree. I just meant that if we were to dispense with the binder it would still be trivial.

-Ekr

>
> Also, wonder if there are efficient ways of probing server PSKs (I
> didn't come up with one, even in pure-PSK, due to binders making
> such probing nontrivial).
>
> -Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls