> > >> The candidate exchanges all rely on the "hard problem" of doing a
> > >> discrete logarithm in one of the defined groups. It's the same
> > >> "hard problem" that makes the Diffie-Hellman portion of IKE
> > >> secure. If the group negotiated or demanded in IKE allows for an
> > >> "easier attack" then it shouldn't be used in the IKE exchange to
> > >> do the Diffie-Hellman.
> > >
> > > If I follow your logic, I think you're arguing that because the
> > > existing groups allow easier attacks on password authentication
> > > (e.g., based on checks on what a guessed password decrypts to) then
> > > they allow easier attacks on IKE with existing authentication,
> > > *hence* those groups are unacceptable to use with IKE. I think the
> > > *hence* is off the mark due to the much larger candidate search
> > > space when other techniques (e.g., certificate-based) are used to
> > > authenticate.
> >
> > That wasn't what I was arguing. I think all the candidate exchanges
> > are based on the computational Diffie-Hellman assumption. And the
> > work factor to attack them on that front should be the same as the
> > work factor to attack a standard Diffie-Hellman key exchange. Or am
> > I missing something?
> >
> > I don't think any of the currently-defined groups are unacceptable
> > to use with IKE. But hypothetically, if there was some group defined
> > that allowed an easy attack (the order was unacceptably small, for
> > instance) then it would be unsuitable for IKE just like it would be
> > unsuitable for any of the candidate password authentication schemes.
> >
> > For these password authentication schemes to be secure, the only
> > method of attack is repeated active guessing attacks of the password
> > (the advantage an attacker gains is through interaction, not
> > computation).
> > An "easier attack" is an off-line dictionary attack to
> > learn the password (the advantage gained is through computation) and
> > using any of the groups in IKE(v2)'s IANA registry with EKE would
> > enable a dictionary attack. But the attacker doesn't learn the
> > ephemeral secret that results from EKE, the CDH assumption still
> > applies. The issue isn't with the group, per se, it's with the
> > (mis)use of the group.
>
> Right. In the original EKE paper, we called this a "partition
> attack". There are others possible; it's important to take care to
> avoid them. For example, suppose that we wanted a ~2048-bit -- 256 byte
> -- modulus. Choosing a modulus of 2040 bits, though about the same
> difficulty when it comes to solving discrete log, is unacceptable for
> EKE, because in a correct guess the high-order byte would be all zeros;
> an incorrect guess would, with probability 255/256, let you rule out a
> candidate password. A good EKE modulus would be close enough to 2^2048
> to have a negligible probability of a decryption with a bad guess being
> in the range [p, 2^2048-1]. In other words, good moduli for EKE have
> specialized properties.
That's roughly what I understood - good groups for EKE should be good groups for IKE, but good groups for IKE (e.g., the existing groups) are not necessarily good groups for EKE because they may not have the specialized properties required to block additional attacks on EKE that don't apply to IKE. It appears that Dan agrees, so I may have misinterpreted what he originally wrote.

Thanks,
--David
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
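The partition attack discussed in the thread above (a 2040-bit modulus encoded in a 256-byte field lets an off-line guesser discard roughly 255 of every 256 wrong passwords, while a modulus close to 2^2048 does not), as an added worked example that is not code from the original thread and not a real EKE or IKE implementation. The assumptions are mine: a SHA-256 counter-mode keystream stands in for EKE's password-keyed cipher, the two moduli are constructed (not prime, not any registered group) purely to get the right sizes, and the "DH value" is a random element below the modulus, which is all the size argument needs.

```python
"""Toy model of the EKE partition attack on a badly sized modulus.

Added example, not from the IPsec thread. The cipher, moduli and
password list are constructed stand-ins chosen only to show the
size argument; nothing here is a real EKE/IKE parameter.
"""
import hashlib
import random

ENC_BYTES = 256                               # the 256-byte field Steve's example assumes
BAD_MODULUS = (1 << 2040) - 12345             # 2040-bit (assumed, not prime): top byte always 0
GOOD_MODULUS = (1 << 2048) - (1 << 1000)      # within 2^-1048 of 2^2048 (assumed, not prime)


def keystream(password: str, nbytes: int) -> bytes:
    """Stand-in for EKE's symmetric cipher: SHA-256 in counter mode keyed by the password."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(password.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def eke_encrypt(password: str, value: int, nbytes: int = ENC_BYTES) -> bytes:
    """Encrypt the fixed-width big-endian encoding of the DH value under the password."""
    plain = value.to_bytes(nbytes, "big")
    return bytes(a ^ b for a, b in zip(plain, keystream(password, nbytes)))


def eke_decrypt(password: str, ct: bytes) -> int:
    """Decrypt with a candidate password; a wrong password yields a pseudo-random 256-byte value."""
    plain = bytes(a ^ b for a, b in zip(ct, keystream(password, len(ct))))
    return int.from_bytes(plain, "big")


def surviving_passwords(ct: bytes, candidates, p: int) -> list:
    """Partition attack: keep only guesses whose decryption is a plausible element, i.e. < p."""
    return [pw for pw in candidates if eke_decrypt(pw, ct) < p]


def wrong_guess_survival_probability(p: int, nbytes: int = ENC_BYTES) -> float:
    """Fraction of the 2^(8*nbytes) possible decryptions that fall below p."""
    return p / (1 << (8 * nbytes))


def run_trial(p: int, num_wrong: int, seed: int = 1) -> dict:
    """Encrypt one DH value under the real password, then run the partition attack
    over the real password plus num_wrong constructed wrong guesses."""
    rng = random.Random(seed)
    real = "correct horse"                     # constructed real password
    x = rng.randrange(1, p)                    # stand-in for g^x mod p: any element below p
    ct = eke_encrypt(real, x)
    wrong = [f"guess-{i}" for i in range(num_wrong)]   # constructed dictionary
    survivors = surviving_passwords(ct, [real] + wrong, p)
    return {
        "real_survives": real in survivors,    # the real password never decrypts to >= p
        "wrong_survive": len(survivors) - (1 if real in survivors else 0),
        "wrong_total": num_wrong,
    }


if __name__ == "__main__":
    for name, p in (("2040-bit modulus", BAD_MODULUS), ("near-2^2048 modulus", GOOD_MODULUS)):
        r = run_trial(p, 2000)
        print(f"{name}: P(wrong guess survives) ~ {wrong_guess_survival_probability(p):.6f}; "
              f"real password survives={r['real_survives']}, "
              f"wrong guesses surviving={r['wrong_survive']}/{r['wrong_total']}")
```

With the 2040-bit modulus each observed EKE message lets the attacker discard about 255/256 of the dictionary off-line, and a handful of captured exchanges reduces it to the single real password; with the modulus just below 2^2048 every wrong guess also decrypts to a value below p, so the ciphertext leaks nothing about the password and the attacker is back to on-line guessing, which is the property the thread says good EKE moduli must have.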
