On Jan 31, 2008, at 3:44 PM, Florian Weimer wrote:
> * Yoav Nir:
>
> The idea is that this shared secret has the properties that (a) it can't be used for anything other than IKEv2 so storing it is presumably OK (why?), and (b) it looks random. The RFC goes on to state this:
>
> As noted above, deriving the shared secret from a password is not secure. This construction is used because it is anticipated that people will do it anyway. [RFC 4306]
>
> In retrospect, this is a bit off--it's insecure in what context?
Depends on the usage. If one uses a password-derived shared secret to authenticate key agreement (using it in an HMAC-like construct or otherwise in place of a "good" shared secret), or worse - as keying material - then it's insecure because an attacker can perform off-line brute-forcing on the observed exchange targeting the weak link - the password itself. However there are ways (Encrypted Key Exchange is the best example) to authenticate DH using a password-derived shared secret with sufficient security.
Also, the more complex the password is (length, distance from dictionary-found words, use of full-spectrum alphabet) - the more computing resources the attacker would need to have a reasonable chance of success.
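The off-line property described above, as an added illustration (not code from the thread or from any IKEv2 implementation): the RFC 4306 shared-key AUTH value is a deterministic function of the secret and octets an eavesdropper already holds, so each candidate secret can be checked locally, and the only lever the defender controls is the secret's entropy. It assumes HMAC-SHA256 in place of the negotiated IKEv2 PRF and uses a constructed transcript.

```python
import hmac
import hashlib
import math
import os

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 4306


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for whatever PRF the IKE_SA negotiated.
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """Shared-key AUTH payload per RFC 4306:
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <signed octets>)."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def offline_guesses_to_recover(auth: bytes, signed_octets: bytes, candidates):
    """How many candidate secrets an eavesdropper holding (signed_octets, AUTH)
    must test before one verifies; None if no candidate matches. Every test is
    local, so neither peer sees, logs or rate-limits the attempts: this is the
    "observed exchange" weakness the reply describes."""
    for n, cand in enumerate(candidates, 1):
        if hmac.compare_digest(ikev2_psk_auth(cand, signed_octets), auth):
            return n
    return None


def min_secret_bits(guesses_per_second: float, years: float) -> int:
    """Entropy a shared secret needs so that an off-line search at the given
    rate is not expected to succeed within the horizon (the attacker covers
    half the space on average, hence the factor 2)."""
    total = guesses_per_second * years * 365.25 * 86400
    return math.ceil(math.log2(2 * total))


if __name__ == "__main__":
    # Constructed transcript: in real IKEv2 these are the first message,
    # the peer's nonce and prf(SK_p, ID) concatenated; any public bytes will do.
    octets = b"IKE_SA_INIT|nonce=c0ffee|id=gateway.example"
    wordlist = [b"password", b"letmein", b"hunter2"]
    weak_auth = ikev2_psk_auth(b"hunter2", octets)
    print("password-derived PSK found after", offline_guesses_to_recover(weak_auth, octets, wordlist), "guesses")
    strong_auth = ikev2_psk_auth(os.urandom(32), octets)
    print("random 256-bit PSK found:", offline_guesses_to_recover(strong_auth, octets, wordlist))
    print("bits needed vs 1e9 guesses/s for 10 years:", min_secret_bits(1e9, 10))
```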