On Mon, Mar 12, 2018 at 04:27:46PM +0100, Hubert Kario wrote:
> When the server supports externally set PSKs that use human readable
> identities (or, in general, guessable identities), the current text makes it
> trivial to perform an enumeration attack.

What would be the impact of such an enumeration attack? It seems to me that
not disclosing identities is meant to make weak passwords more difficult to
attack, but here there are no weak passwords.

Note that:

- There is no protection for the PSK identity, so putting anything
  sensitive in it is a bad idea.
- The identity can not be used without the associated secret, which
  needs to withstand serious offline cracking attempts anyway.
- A passive attack gives the attacker not only a valid PSK identity, but
  also enough information to mount a high-speed offline cracking attack on
  the PSK secret. Only one captured key exchange is needed, and (EC)DHE
  does not help.

The last point is why PSK secrets need to have enough entropy to resist
high-speed offline cracking.
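An added example, not part of the thread: the TLS 1.3 external-PSK binder derivation from RFC 8446 (sections 4.2.11.2 and 7.1), written as the check a server performs on a ClientHello. Every input except the PSK itself is carried in the ClientHello, so the same function lets anyone holding one captured handshake test candidate PSKs offline, with no (EC)DHE secret involved; the ClientHello bytes below are constructed and the helper names are my own.

```python
import hashlib
import hmac
import secrets
import struct

HASH = hashlib.sha256   # hash of the negotiated cipher suite, e.g. TLS_AES_128_GCM_SHA256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> ("tls13 " + label) || opaque context<0..255>
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:          # RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def psk_binder(psk: bytes, truncated_client_hello: bytes) -> bytes:
    """Binder value for an externally provisioned PSK: keyed only by the PSK and public bytes."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)                # HKDF-Extract(0, PSK)
    binder_key = derive_secret(early_secret, b"ext binder", b"")     # Derive-Secret(., "ext binder", "")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


def binder_is_valid(psk: bytes, truncated_client_hello: bytes, received_binder: bytes) -> bool:
    """Server-side check; with a captured ClientHello it is also an offline test of a candidate PSK."""
    return hmac.compare_digest(psk_binder(psk, truncated_client_hello), received_binder)


def new_external_psk(nbytes: int = 32) -> bytes:
    """Provision PSKs from a CSPRNG so that offline guessing against the binder is infeasible."""
    return secrets.token_bytes(nbytes)


# Constructed stand-in for a ClientHello truncated just before the binders list.
SAMPLE_CLIENT_HELLO = b"\x01\x00\x00\x80\x03\x03" + bytes(range(32)) + b"\x00\x29\x00\x10"
```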


TLS mailing list
