
RE: pre-shared key v RSA encryption or RSA signature authentication modes



At 12:00 PM -0500 3/24/02, Andrew Krywaniuk wrote:
Ask a politically incorrect question like that on a list like this and you
are bound to get a lot of FUD-type replies. Of course PK crypto has the
advantage of scalability, but that's not the question you asked. Some people
replied already, but here's a more precise response.

The fact is, you can get any arbitrary strength you want with either asymm
or symm algorithms by increasing the keylength. If you want a basis for
comparing their strengths, you could compare the speed of the algorithms for
equivalent crypto strength (which is not as silly as it seems, since you are
always trading off crypto strength for speed). In that case, you could say
that pre-shared secrets are stronger than public keys. (I don't know of any
fundamental difference between the strength of PK encryption and PK
signatures for authentication.)

Also, pre-shared secrets have an additional advantage for authentication,
which is that you cannot mount a pure offline attack against them. In order
to get some data for a brute force attack, you must first impersonate the
responder in an active attack against the initiator. With public keys, you
can conduct a purely offline attack. Of course, the strength of the
authentication will still be limited by the amount of entropy in the secret.

Andrew

I'm glad you mentioned what I consider to be a significant downside of pre-shared secrets, although we come to very different conclusions. It is not too hard to imagine an attack in which the initiator connects to the wrong address, e.g., via some form of DNS attack, and the fake responder collects the initiator's secret, then drops the connection. This seems like such a serious concern that it argues very strongly against pre-shared secrets vs. public keys. Note that using public keys, e.g., in self-signed certs, does not suffer from this problem.


Steve