Re: shared secret vulnerability
Clint,
Yes, the entropy isn't really increased. In the amplification draft,
I often used the term "effective entropy", since it is really that the
added difficulty in attacking the hashed secret makes it
equivalent in entropy to a stronger secret for the purpose of
dictionary attack.
There is a "precomputed" type of dictionary attack in which
a dictionary is computed in advance and stored on, say,
CD-ROM. The CD-ROM items are then used to attack a
signature. Thus, if the attacker first created a CD-ROM of all
amplified shared secrets based on likely precursor secrets,
the attack from such a CD-ROM against a signature with
an amplified secret would be no harder than an attack against
a signature based on a precursor secret. This illustrates your
point about conservation of entropy. However, to create such
a CD-ROM would take a very, very long time and you'd need
lots of CD-ROMs.
Paul
Clint Chapin wrote:
My impression is that hashing doesn't add any more entropy than was
already present in the input. Yes, hashing adds time to the
calculation, but the output itself isn't any more entropic than the input
was. Am I incorrect?
Clint (JOATMON) Chaplin
>>> Joshua Wright <jwright@hasborg.com> 08/04/04 13:54 PM >>>
Paul Funk wrote:
> The idea is that you take an ordinary secret, hash it many times,
> and get a resulting "amplified" shared secret that multiplies the
> difficulty of attack by the number of times it has been hashed. The
> draft suggests 0x100000 (~ one million) iterations, adding 2 ^ 20
> bits of effective entropy to the secret.
While I believe this algorithm is effective at adding entropy to a
password such as the RADIUS secret, it does not resolve the issue of a
widespread shared secret distributed throughout an organization. Without
a mechanism in place to regularly change the secret, the use of shared
secrets in this fashion is reminiscent of WEP pre-shared keys. As most
people are painfully aware, shared secrets do not stay secret.
That being said, I like Paul's idea for effectively adding entropy to
the shared secret that will prolong a brute-force attack. However, I do
not believe that this is effective at resolving weak authentication
between the RADIUS authentication server and NAS.
-Joshua Wright
jwright@sans.org or jwright@hasborg.com
--
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
Paul Funk
Funk Software, Inc.
617 497-6339
paul@funk.com
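The exchange above turns on two claims: iterated hashing multiplies the work of a dictionary attack by the iteration count (Paul's "effective entropy"), and a precomputed table of amplified secrets gives that advantage back (Paul's CD-ROM scenario, Clint's conservation of entropy). The following Python is an added illustration of both points; it is not code from the amplification draft, from RADIUS, or from any of the posters. It assumes SHA-256 for the iterated hash and HMAC-SHA256 for the "signature", uses a constructed candidate dictionary and message, and scales the iteration count down from the draft's 0x100000 so it runs quickly.

```python
import hashlib
import hmac
from math import log2

# Constructed parameters. The draft on the page proposes 0x100000 iterations;
# 0x1000 is used here only to keep the demonstration fast.
ITERATIONS = 0x1000
MESSAGE = b"Access-Request id=7 user=alice"          # constructed message
DICTIONARY = [b"password", b"radius", b"secret", b"letmein"]  # constructed


def amplify(secret: bytes, iterations: int = ITERATIONS) -> bytes:
    """Iterated hashing as described in the thread: each round feeds the
    previous digest back into the hash. SHA-256 is an assumption here."""
    digest = secret
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def sign(amplified_secret: bytes, message: bytes) -> bytes:
    """Keyed signature over a message using the amplified secret (HMAC-SHA256
    stands in for whatever the real protocol uses)."""
    return hmac.new(amplified_secret, message, hashlib.sha256).digest()


def attack_without_table(sig: bytes, message: bytes, dictionary, iterations):
    """Dictionary attack by someone with no precomputed table: every candidate
    must be amplified (``iterations`` hashes) and then signed (one more).
    Returns (recovered precursor or None, total hash invocations)."""
    work = 0
    for candidate in dictionary:
        work += iterations + 1
        if hmac.compare_digest(sign(amplify(candidate, iterations), message), sig):
            return candidate, work
    return None, work


def precomputed_table(dictionary, iterations):
    """Paul's 'CD-ROM': amplified values for every likely precursor, built once
    up front and reusable against any later signature."""
    return {amplify(candidate, iterations): candidate for candidate in dictionary}


def attack_with_table(sig: bytes, message: bytes, table):
    """Dictionary attack using the precomputed table: the iteration cost is
    gone, leaving one signature computation per candidate. This is no harder
    than attacking a signature keyed with the unamplified precursor."""
    work = 0
    for amplified, candidate in table.items():
        work += 1
        if hmac.compare_digest(sign(amplified, message), sig):
            return candidate, work
    return None, work


def effective_entropy_bits(dictionary_size: int, iterations: int) -> float:
    """Work factor, in bits, facing an attacker without a table: the precursor's
    entropy (log2 of the candidate space) plus log2 of the iteration count.
    The page's figure of 0x100000 iterations contributes 20 bits."""
    return log2(dictionary_size) + log2(iterations)


if __name__ == "__main__":
    sig = sign(amplify(b"letmein"), MESSAGE)
    print("no table:  ", attack_without_table(sig, MESSAGE, DICTIONARY, ITERATIONS))
    print("with table:", attack_with_table(sig, MESSAGE, precomputed_table(DICTIONARY, ITERATIONS)))
    print("bits vs. 1024-word list at 0x100000 iterations:",
          effective_entropy_bits(1024, 0x100000))
```

The work counters make the trade-off concrete: without the table the attacker pays `ITERATIONS + 1` hashes per candidate, with it only one, so amplification raises the per-target cost but not the cost of a table that is built once and reused. Building that table costs exactly the amplification work for the whole candidate space, which is the "very, very long time" in Paul's reply.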