On Mon, Mar 12, 2018 at 04:27:46PM +0100, Hubert Kario wrote:
> When the server supports externally set PSKs that use human-readable
> identities (or, in general, guessable identities), the current text makes it
> trivial to perform an enumeration attack.
What would be the impact of such an enumeration attack? It seems to me that
not disclosing identities is to make weak passwords more difficult to
attack, but here there are no weak passwords.
- There is no protection for the PSK identity, so putting anything
sensitive in it is a bad idea.
- The identity cannot be used without the associated secret, which
needs to withstand serious offline cracking attempts anyway.
- A passive attack gives the attacker not only a valid PSK identity, but
enough information to mount a high-speed offline cracking attack on the
PSK secret. Only one captured key exchange is needed, and (EC)DHE
does not help.
The last point is why PSK secrets need to have enough entropy to resist
high-speed offline cracking.
TLS mailing list
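The two points in the reply above (a captured ClientHello is enough to check candidate PSK secrets offline, and the identity itself gets no protection) both follow from how the TLS 1.3 PSK binder is computed: it is a deterministic function of the PSK and the truncated ClientHello, using only HKDF and HMAC. The following is an added example, not code from either poster or from any TLS stack. It implements the binder derivation from RFC 8446 for a SHA-256 cipher suite, generates external PSKs from the OS CSPRNG so they have the entropy the reply calls for, and shows a server-side check that runs the same code path for unknown identities (with a decoy key) so that "unknown identity" and "wrong binder" are indistinguishable to the peer. The identity `sensor-0042`, the `PskServer` class and the ClientHello bytes are constructed for the example; a real server would hash the actual truncated ClientHello.

```python
import hashlib
import hmac
import os

# Hash of the assumed TLS 1.3 cipher suite (e.g. TLS_AES_128_GCM_SHA256): SHA-256.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label with the HkdfLabel struct as info:
    uint16 length || opaque "tls13 " + label || opaque context."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """RFC 8446 Derive-Secret: the context is the transcript hash of `messages`."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def psk_binder(psk: bytes, truncated_client_hello: bytes, external: bool = True) -> bytes:
    """PSK binder per RFC 8446 section 4.2.11.2. Everything here except `psk`
    is visible on the wire, which is why a single captured ClientHello lets
    anyone test candidate PSKs offline at HMAC speed."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)          # salt of zeros
    label = b"ext binder" if external else b"res binder"
    binder_key = derive_secret(early_secret, label, b"")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(truncated_client_hello).digest(), HASH).digest()


def generate_psk(length: int = HASH_LEN) -> bytes:
    """External PSK with full entropy: offline guessing is then pointless."""
    return os.urandom(length)


class PskServer:
    """Constructed server-side check for externally provisioned PSKs."""

    def __init__(self, psks):
        self._psks = dict(psks)            # identity -> secret
        self._decoy = os.urandom(HASH_LEN)  # used for unknown identities

    def accept_psk(self, identity: bytes, truncated_client_hello: bytes, offered_binder: bytes) -> bool:
        # Always derive and compare a binder, using a decoy key when the identity
        # is unknown, so neither the outcome nor the timing separates
        # "no such identity" from "wrong secret".
        psk = self._psks.get(identity)
        known = psk is not None
        expected = psk_binder(psk if known else self._decoy, truncated_client_hello)
        binder_ok = hmac.compare_digest(expected, offered_binder)
        return known and binder_ok


def demo():
    """Constructed exchange: one provisioned identity, three offers."""
    identity = b"sensor-0042"
    psk = generate_psk()
    server = PskServer({identity: psk})
    client_hello = b"constructed ClientHello bytes up to the PSK binders list"
    good = psk_binder(psk, client_hello)
    wrong_secret = psk_binder(b"hunter2", client_hello)
    return (server.accept_psk(identity, client_hello, good),
            server.accept_psk(b"sensor-0043", client_hello, good),
            server.accept_psk(identity, client_hello, wrong_secret))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The decoy-key path only removes the side channel in the server's own handling; as the reply notes, the identity is still sent in the clear, so the real protection is that the secret behind it is unguessable.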