Hi Dan,

> > I did not add killing PSKs to that draft, precisely because some
> > objected because strong PSKs are stronger than PAKEs.
> 
>    Strong PSKs are not stronger than PAKEs. A PAKE will offer you the added
> protection of resistance to dictionary attack against the symmetric credential
> (which could, in fact, be a PSK).

That's true. 

>    The definition of dictionary attack is one in which the adversary gains an
> advantage through computation and not interaction. So even with a strong PSK
> you are still susceptible to a dictionary attack since it is the protocol that
> is susceptible to attack and not the credential. With a strong PSK it just
> makes the dictionary attack use much more time to be successful (and yes the
> "true random strong PSK" that's 256 bits could make the attack computationally
> infeasible but then managing such a credential is similarly infeasible).

It's a double-edged sword.
PAKE provides protection against passive attacks,
so that easily manageable low-entropy secrets can be used as PSKs.
But if people get accustomed to using easily memorable low-entropy
secrets (because we tell them that it's secure), then the protocol becomes
susceptible to active attacks, and there is no easy defense against them.
Eventually you need to change the secrets frequently, thus making them even
less manageable than traditional strong PSKs.

Regards,
Valery.

[...]

>    regards,
> 
>    Dan.
> 
> 
> 
> 
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
