On Tue, Feb 18, 2014 at 5:06 PM, Brian Warner <[email protected]> wrote:
> On 2/18/14 3:30 PM, Trevor Perrin wrote:
>> But for an online rendezvous, the meeting ID (derived from the shared
>> secret) is the weak point: An attacker can try to guess the shared
>> secret by making a large number of online queries for the meeting ID,
>> and the rendezvous server can try to crack the meeting ID with offline
>> search.
>>
>> You earlier suggested that users could agree on separate meeting IDs
>> and shared secrets. But I'm not sure that gains anything. (Ex: if
>> users can agree on 60 shared secret bits, splitting that into a 30-bit
>> meeting ID and 30-bit shared secret weakens resistance against the
>> offline attack to 30 bits).
>
> Oh, I probably didn't explain myself well: the users must specifically
> agree on two *independent* secrets. [...]
> But if the secrets are properly independent, then an attacker who wins
> the 30-bit online attack against the channel-ID merely earns the right
> to make the one (and only) guess at the 30-bit PAKE secret.
Good point, I agree that having separate secrets makes PAKE meaningful
here, since it's no longer undermined by the Meeting ID.

But the tradeoffs are complicated: Choosing two 30-bit secrets instead
of one 60-bit secret means:

 (a) Easier for the rendezvous server to do offline search and discover
     the Meeting ID secret. If that secret is something like
     "AliceAndBob123" which links one or both users, then this is a
     problem.

 (b) Easier for an online attacker to search 2^30 Meeting IDs, thus
     discovering the Meeting ID secret and disrupting the rendezvous.

*BUT*

 + Instead of revealing the PAKE secret, these just give the attacker
   "one shot" at hijacking the connection with 2^-30 probability.

If the total entropy is large enough to resist offline search (e.g. 80
bits plus key stretching), then splitting it doesn't help and could make
(a) a problem.

If the total entropy is small enough that splitting it makes (b) easy
(e.g. 30 bits), then that's also probably a bad idea.

There's probably a sweet spot in-between where separate secrets is a
good idea. But I'm not sure exactly how big it is, or if we could get
users to reliably hit it.

Hmm.

Trevor
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
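The tradeoff discussed in the thread above, as an added example that is not part of the original messages or of any project mentioned there: a small Python model of the two designs. In the single-secret design the meeting ID and the PAKE input are both derived from one shared secret, so a rendezvous server that recovers the secret by offline dictionary search (attack (a)) also holds the PAKE input; in the two-independent-secrets design the same search only yields the meeting-ID secret, and the attacker is left with the one-shot PAKE guess. The KDF (PBKDF2-SHA256 with fixed domain-separation salts), the candidate dictionary, and the sample secrets are all assumptions made for the example.

```python
import hashlib
import time

# Added example, not from the thread. The KDF choice, the fixed salts and the
# candidate dictionary below are assumptions for illustration only.

SALT_ID = b"rendezvous/meeting-id"      # domain separation for the meeting ID
SALT_PAKE = b"rendezvous/pake-secret"   # domain separation for the PAKE input

# Constructed dictionary of "AliceAndBob123"-style secrets a server might try.
CANDIDATES = [
    "AliceAndBob", "AliceAndBob1", "AliceAndBob123", "BobAndAlice",
    "alicebob", "Alice+Bob", "AliceBob2014", "bob_and_alice",
]


def kdf(salt: bytes, secret: str, iters: int = 1) -> bytes:
    """Derive 16 bytes from a human-chosen secret.

    Both parties must derive the same value without any pre-shared salt, so the
    salt is a fixed label. `iters` is the key-stretching cost, which multiplies
    the rendezvous server's work per offline guess.
    """
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iters, dklen=16)


def derive_from_one_secret(secret: str, iters: int = 1) -> tuple:
    """Design 1: meeting ID and PAKE input both derived from a single secret."""
    return kdf(SALT_ID, secret, iters), kdf(SALT_PAKE, secret, iters)


def derive_from_two_secrets(id_secret: str, pake_secret: str, iters: int = 1) -> tuple:
    """Design 2: two independent secrets, one for the meeting ID, one for PAKE."""
    return kdf(SALT_ID, id_secret, iters), kdf(SALT_PAKE, pake_secret, iters)


def offline_search(target_id: bytes, candidates, iters: int = 1):
    """Attack (a): the server sees the meeting ID and tries likely secrets
    offline. Returns the recovered secret, or None if it is not in the list."""
    for cand in candidates:
        if kdf(SALT_ID, cand, iters) == target_id:
            return cand
    return None


def attack_one_secret(shared_secret: str, candidates, iters: int = 1) -> bool:
    """Design 1 under attack (a): True if recovering the meeting-ID secret
    also hands the server the PAKE input (the same secret feeds both)."""
    meeting_id, pake_input = derive_from_one_secret(shared_secret, iters)
    found = offline_search(meeting_id, candidates, iters)
    return found is not None and kdf(SALT_PAKE, found, iters) == pake_input


def attack_two_secrets(id_secret: str, pake_secret: str, candidates, iters: int = 1) -> tuple:
    """Design 2 under attack (a): returns (id_secret_recovered, pake_recovered).
    Recovering the meeting-ID secret says nothing about the independent PAKE
    secret, so the best the attacker can do with it is reuse it as a guess."""
    meeting_id, pake_input = derive_from_two_secrets(id_secret, pake_secret, iters)
    found = offline_search(meeting_id, candidates, iters)
    pake_recovered = found is not None and kdf(SALT_PAKE, found, iters) == pake_input
    return found is not None, pake_recovered


def one_shot_hijack(pake_input: bytes, guess: str, iters: int = 1) -> bool:
    """The attacker's single PAKE attempt after winning the meeting ID: it
    succeeds only if the one guess equals the PAKE secret."""
    return kdf(SALT_PAKE, guess, iters) == pake_input


def stretching_cost_ratio(candidates, iters: int) -> float:
    """How much key stretching multiplies the server's dictionary-search time
    relative to a single hash iteration (a rough wall-clock measurement)."""
    target = kdf(SALT_ID, "not-in-dictionary", 1)
    t0 = time.perf_counter()
    offline_search(target, candidates, 1)
    base = time.perf_counter() - t0
    target = kdf(SALT_ID, "not-in-dictionary", iters)
    t0 = time.perf_counter()
    offline_search(target, candidates, iters)
    return (time.perf_counter() - t0) / max(base, 1e-9)


if __name__ == "__main__":
    print("design 1, PAKE input recovered:", attack_one_secret("AliceAndBob123", CANDIDATES))
    print("design 2, (id found, pake found):",
          attack_two_secrets("AliceAndBob123", "n3vrGu3ss", CANDIDATES))
    print("stretching x%.0f" % stretching_cost_ratio(CANDIDATES, 20000))
```

With a linkable, low-entropy meeting-ID secret the server recovers it in both designs; the difference is only whether that recovery also compromises the PAKE. Raising `iters` scales the cost of every offline guess, which is the "key stretching" lever mentioned for the high-total-entropy case, but it does nothing against the online 2^30 enumeration of meeting IDs in (b).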
