
RE: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt



owner-radiusext@ops.ietf.org wrote:
> Clint,
> 
> I don't disagree. I'll even add to your point by saying that
> it makes no sense to talk about the entropy of a single
> password. Entropy applies to populations; the entropy of a
> single item is 0. So you can't properly say that the password
> "swordfish" has entropy of 20 bits. You could say that within
> the collection of passwords actually used, "swordfish" is
> used one in a million times, and therefore has probability of
> 2 ^ -20. But the collection itself may have very low entropy;
> for example, if the only other password ever used is "tuna",
> and it gets used 999,999 out of a million times. So the
> probability of a password is not directly related to the
> difficulty of attack -- in the case just described, you only have to
> try 2 passwords. 
> 
> In addition, the entropy of a collection is only indirectly
> related to the difficulty of attack, which can only be
> defined as the probability spectrum of success against number
> of tries. For example, a population in which "swordfish" is
> used 50% of the time, but a billion other passwords are
> equiprobable the other 50% of the time, has entropy of about
> 15 bits, but an attack will succeed in one try 50% of the time.
> 
> So talking about entropy in this context necessarily involves
> a kind of shorthand. I'm not entirely sure how to talk about
> it with clarity and mathematical precision at the same time.
> The dodge that I took was to define "effective entropy", and
> I really should use that term consistently, as you point out.
> If you have a suggestion for how to use comprehensible
> language to discuss these matters, let me know.
>

[Joe] It might be better to talk in terms of computational cost.  

 
> Paul
> 
> At 05:25 PM 9/1/2004 -0700, Clint Chaplin wrote:
>> I guess part of my problem is that the term "entropy" is being used
>> here in two different incompatible but related senses, sort of like
>> "pounds force" and "pounds mass".  Entropy in the cryptographic sense
>> is the measure of the possible values an item may take on, and is
>> measured in bits.  Entropy in the thermodynamic sense is the measure
>> of the disorder in a system. 
>> 
>> Talking about "effective entropy" is a little bit like talking about
>> "effective pounds mass" under acceleration, which makes my teeth
>> itch. 
>> 
>> Clint (JOATMON) Chaplin
>> Wireless Security Advisor
>> Wireless Standards Lead
>> 
>>>>> Bernard Aboba <aboba@internaut.com> 8/31/04 21:34:35 >>>
>> Forwarded from Clint Chaplin...
>> 
>> ---------- Forwarded message ----------
>> Date: Tue, 31 Aug 2004 19:47:20 -0700
>> From: Clint Chaplin <cchaplin@symbol.com>
>> To: aboba@internaut.com, radiusext@ops.ietf.org
>> Subject: Re: I-D ACTION:draft-funk-radiusext-shared-secret-amp-01.txt
>> 
>> Bernard: due to a snafu here at Symbol, the radiusext email list is
>> silently rejecting my posts to it; however, I can still receive the
>> emails from it.  Could you please forward this to the list for me?
>> Thanks! 
>> 
>> I still disagree with the use of the term "entropy" within this I-D.
>> As a simplistic way of looking at this, let's say that the input to
>> this algorithm can only take on two distinct values, and also the
>> salt can only take on two distinct values (these values may be
>> expressed using many bits, but that won't change the argument). 
>> Since the salt and the input can only have two distinct values, the
>> entropy of each is only 1, and the two combined can only take on
>> four distinct values, and thus have an entropy of 2.  Putting these
>> four distinct values through the amplification process will still
>> only yield an output with four distinct values (although these
>> output values may also be expressed using many bits).  No matter how
>> many times the algorithm is applied, the output will still only have
>> a max of four distinct values, and a max entropy of 2.  Hashing
>> never adds true entropy, and if a collision occurs, can reduce
>> entropy.  
>> 
>> Yes, the term "effective entropy" can be used, but that just confuses
>> the issue, I feel.  Plus, there are still places in the draft where
>> "effective entropy" should be used for consistency's sake, and it is
>> not. 
>> 
>> For instance, in the abstract, the phrase "A dictionary attack
>> against the resulting shared secret will be infeasible due to its
>> high entropy." should state "A dictionary attack against the
>> resulting shared secret will be infeasible due to its high effective
>> entropy." 
>> 
>> In the introduction, the phrase "A dictionary attack against the
>> resulting shared secret will be infeasible due to its high entropy."
>> should be "A dictionary attack against the resulting shared secret
>> will be infeasible due to its high effective entropy."
>> 
>> And so on.
>> 
>> Clint (JOATMON) Chaplin
>> Wireless Security Advisor
>> Wireless Standards Lead
>> 
>>>>> <Internet-Drafts@ietf.org> 8/27/04 12:42:15 >>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. 
>> 
>> 
>>         Title           : RADIUS Shared Secret Security Amplification
>>         Author(s)       : P. Funk
>>         Filename        : draft-funk-radiusext-shared-secret-amp-01.txt
>>         Pages           : 10
>>         Date            : 2004-8-27
>> 
>> This draft describes how a mechanism defined in [PKCS-5] can be used
>>    to amplify the security of a RADIUS shared secret; namely, that a
>>    precursor secret is hashed many times to produce an amplified
>>    shared secret for use in RADIUS.
>> 
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-funk-radiusext-shared-secret-amp-01.txt
>> 
>> 
>> To remove yourself from the I-D Announcement list, send a message to
>> i-d-announce-request@ietf.org with the word unsubscribe in the body
>> of the message. You can also visit
>> https://www1.ietf.org/mailman/listinfo/I-D-announce
>> 
>> to change your subscription settings.
>> 
>> 
>> Internet-Drafts are also available by anonymous FTP. Login with the
>> username "anonymous" and a password of your e-mail address. After
>> logging in, type "cd internet-drafts" and then
>>         "get draft-funk-radiusext-shared-secret-amp-01.txt".
>> 
>> A list of Internet-Drafts directories can be found in
>> http://www.ietf.org/shadow.html or
>> ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>> 
>> 
>> Internet-Drafts can also be obtained by e-mail.
>> 
>> Send a message to:
>>         mailserv@ietf.org.
>> In the body type:
>>         "FILE
>> /internet-drafts/draft-funk-radiusext-shared-secret-amp-01.txt".
>> 
>> NOTE:   The mail server at ietf.org can return the document in
>>         MIME-encoded form by using the "mpack" utility.  To use this
>>         feature, insert the command "ENCODING mime" before the "FILE"
>>         command.  To decode the response(s), you will need "munpack"
>>         or a MIME-compliant mail reader.  Different MIME-compliant
>>         mail readers exhibit different behavior, especially when
>>         dealing with "multipart" MIME messages (i.e. documents which
>>         have been split up into multiple messages), so check your
>>         local documentation on how to manipulate these messages.
>> 
>> 
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft. 
>> 
>> 
>> _____________________________________________________________
>> __________ _ This email has been scanned for computer viruses.
>> 
>> 
>> --
>> to unsubscribe send a message to radiusext-request@ops.ietf.org with
>> the word 'unsubscribe' in a single line as the message text body.
>> archive: <http://psg.com/lists/radiusext/>
>> 
> 
> Paul Funk
> Funk Software, Inc.
> 617 497-6339
> paul@funk.com
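As an added illustration (not part of this thread or of the draft), the following Python script puts numbers on the three points argued above: that the Shannon entropy of a password population is only indirectly related to how quickly a guessing attack succeeds, that iterated hashing in the PKCS#5 style cannot produce more distinct outputs than the input and salt already allow however many iterations are run, and that what the iterations do buy is a multiplier on the attacker's per-guess computational cost. PBKDF2-HMAC-SHA1 is assumed as the PKCS#5 mechanism (the draft's actual parameters are not reproduced), and the password populations are constructed to match the examples in the discussion.

```python
"""Added example for the entropy-vs-attack-cost discussion above.

Not code from the thread or the draft. PBKDF2-HMAC-SHA1 is assumed as the
PKCS#5 iterated-hash mechanism; the draft's exact parameters are not
reproduced. The password populations below are constructed, not measured.
"""
import hashlib
import math

# A population is a list of (probability, count): 'count' equiprobable
# passwords, each used with probability 'probability'. The products must sum to 1.
SWORDFISH_TUNA = [(1 / 1_000_000, 1), (999_999 / 1_000_000, 1)]   # two passwords only
SKEWED = [(0.5, 1), (0.5 / 1_000_000_000, 1_000_000_000)]         # "swordfish" 50%, 1e9 others
UNIFORM16 = [(1 / 65536, 65536)]                                    # 16-bit uniform, for contrast


def surprisal_bits(p):
    """-log2(p): the 'bits' people attach to one password. It describes that
    password's probability, not the strength of the population it came from."""
    return -math.log2(p)


def entropy_bits(pop):
    """Shannon entropy (bits) of a whole population."""
    return -sum(n * p * math.log2(p) for p, n in pop if p > 0)


def success_within(pop, k):
    """P[attacker succeeds within k guesses] when guessing most-likely-first.
    This curve, not the entropy, is what 'difficulty of attack' means."""
    total, remaining = 0.0, k
    for p, n in sorted(pop, reverse=True):
        take = min(n, remaining)
        total += take * p
        remaining -= take
        if remaining == 0:
            break
    return total


def guesses_needed(pop, target):
    """Smallest k such that success_within(pop, k) >= target."""
    covered, guesses = 0.0, 0
    for p, n in sorted(pop, reverse=True):
        if covered + n * p >= target:
            return guesses + math.ceil((target - covered) / p)
        covered += n * p
        guesses += n
    return guesses


def amplified_secret(precursor, salt, iterations):
    """Iterated hashing in the PKCS#5 style (assumed: PBKDF2-HMAC-SHA1, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha1", precursor, salt, iterations, dklen=32)


def distinct_outputs(precursors, salts, iterations):
    """How many distinct amplified secrets the given inputs can produce.
    Never more than len(precursors) * len(salts), whatever 'iterations' is:
    hashing cannot add entropy, and a collision could only reduce it."""
    return len({amplified_secret(p, s, iterations) for p in precursors for s in salts})


def attacker_work(pop, iterations, target):
    """Hash invocations an attacker needs to reach 'target' success probability
    when each guess costs 'iterations' invocations. Amplification multiplies
    the per-guess cost; it does not change how many guesses are needed."""
    return guesses_needed(pop, target) * iterations


if __name__ == "__main__":
    print(f"'swordfish' at p=2^-20 looks like {surprisal_bits(1 / 1_000_000):.1f} bits,")
    print(f"but its population has {entropy_bits(SWORDFISH_TUNA):.5f} bits and falls in "
          f"{guesses_needed(SWORDFISH_TUNA, 0.999)} guess(es).")
    print(f"SKEWED: {entropy_bits(SKEWED):.2f} bits, yet P[success in 1 guess] = "
          f"{success_within(SKEWED, 1)}")
    print(f"UNIFORM16: {entropy_bits(UNIFORM16):.2f} bits, P[success in 1 guess] = "
          f"{success_within(UNIFORM16, 1):.2e}")
    inputs, salts = [b"swordfish", b"tuna"], [b"\x00", b"\x01"]
    for it in (1, 1000):
        print(f"{it:>5} iterations, 2 inputs x 2 salts -> "
              f"{distinct_outputs(inputs, salts, it)} distinct secrets")
    print(f"Work for 50% success at 1000 iterations: SKEWED {attacker_work(SKEWED, 1000, 0.5)} "
          f"hashes, UNIFORM16 {attacker_work(UNIFORM16, 1000, 0.5)} hashes")
```

The skewed population comes out near 16 bits of Shannon entropy but is broken in one guess half the time, while the two-password population has essentially zero entropy and is broken in two guesses at most; the two-input, two-salt case yields exactly four distinct amplified secrets at 1 and at 1000 iterations. The only quantity the iteration count moves is the last line, the attacker's hash count per guess, which is the computational-cost framing suggested in the reply above.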


