Hi David,

On Tue, March 2, 2010 3:49 pm, [email protected] wrote:
[snip]
>
> OTOH, I think you've oversimplified here ...
>
>>   The candidate exchanges all rely on the "hard problem" of doing a
>> discrete logarithm in one of the defined groups. It's the same "hard
>> problem" that makes the Diffie-Hellman portion of IKE secure. If the
>> group negotiated or demanded in IKE allows for an "easier attack" then
>> it shouldn't be used in the IKE exchange to do the Diffie-Hellman.
>
> If I follow your logic, I think you're arguing that because the existing
> groups allow easier attacks on password authentication (e.g., based on
> checks on what a guessed password decrypts to) then they allow easier
> attacks on IKE with existing authentication, *hence* those groups are
> unacceptable to use with IKE.  I think the *hence* is off the mark due to
> the much larger candidate search space when other techniques (e.g.,
> certificate-based) are used to authenticate.

  That wasn't what I was arguing. I think all the candidate exchanges
are based on the computational Diffie-Hellman assumption. And the
work factor to attack them on that front should be the same as the
work factor to attack a standard Diffie-Hellman key exchange. Or am
I missing something?

  I don't think any of the currently-defined groups are unacceptable
to use with IKE. But hypothetically, if there was some group defined
that allowed an easy attack (the order was unacceptably small, for
instance) then it would be unsuitable for IKE just like it would be
unsuitable for any of the candidate password authentication schemes.

  For these password authentication schemes to be secure, the only method
of attack is repeated active guessing attacks of the password (the
advantage an attacker gains is through interaction, not computation).
An "easier attack" is an off-line dictionary attack to learn the password
(the advantage gained is through computation) and using any of the groups
in IKE(v2)'s IANA registry with EKE would enable a dictionary attack.
But the attacker doesn't learn the ephemeral secret that results from
EKE; the CDH assumption still applies. The issue isn't with the group,
per se, it's with the (mis)use of the group.

  regards,

  Dan.
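
As an added illustration, not part of the thread or of any IKE/EKE implementation: a toy safe-prime group shows why a public value confined to the order-q subgroup is harmless for plain Diffie-Hellman yet becomes a password oracle once it is hidden under a password, which is the misuse Dan describes. The group parameters, the password list and the byte-sum "key derivation" are all constructed for the example.

```python
"""Added illustration (not from the thread): why a group that is fine for plain
Diffie-Hellman becomes a password oracle when its elements are encrypted under
a password, EKE-style.  All parameters below are constructed toy values."""
from math import log2

# Constructed safe-prime group: p = 2q + 1, and g = 2 generates the order-q subgroup.
P, Q, G = 23, 11, 2


def in_subgroup(v: int, p: int = P, q: int = Q) -> bool:
    """Public membership test: anyone can run it on any candidate value."""
    return 0 < v < p and pow(v, q, p) == 1


def wrong_guess_survival_rate(p: int = P, q: int = Q) -> float:
    """Decrypting with a wrong password yields an effectively random value in
    [0, p); this is the chance that value still passes the membership test."""
    return sum(in_subgroup(v, p, q) for v in range(p)) / p


def bits_leaked_per_exchange(p: int = P, q: int = Q) -> float:
    """Password entropy an observer gains from one captured exchange."""
    return -log2(wrong_guess_survival_rate(p, q))


def toy_key(password: str, p: int = P) -> int:
    """Stand-in for a password-derived key (constructed, NOT a real KDF)."""
    return sum(password.encode()) % p


def eke_encrypt(x: int, password: str) -> int:
    """Sender's public value g^x, hidden by modular addition of the key."""
    return (pow(G, x, P) + toy_key(password)) % P


def consistent_passwords(ciphertext: int, dictionary: list[str]) -> list[str]:
    """Candidates an observer can NOT rule out from one ciphertext: those whose
    trial decryption lands in the subgroup.  Plain DH has no such filter because
    the public value is never masked by a secret."""
    return [pw for pw in dictionary
            if in_subgroup((ciphertext - toy_key(pw)) % P)]


if __name__ == "__main__":
    dictionary = ["pass", "word", "1234", "admin", "secret"]  # constructed
    c = eke_encrypt(5, "admin")  # 2^5 mod 23 = 9, key('admin') = 15 -> c = 1
    print(f"survival rate {wrong_guess_survival_rate():.3f}, "
          f"{bits_leaked_per_exchange():.2f} bits per exchange")
    print("still consistent after one exchange:", consistent_passwords(c, dictionary))
```

With the real MODP groups the same test is just a Legendre-symbol (or point-validity) check, so each observed exchange removes roughly half of the remaining dictionary with no interaction at all.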


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec