
Re: l2tp as ipsra solution



> Any low entropy password based system is vulnerable to dictionary attack
> (not necessarily off-line). I don't see how using the password as a
> pre-shared key worsens the situation, or how any other scheme makes it
> better. This is an inherent vulnerability of password based systems.
> 

I disagree.

An *off-line* guessing attack against a password-authentication protocol
is one in which, given a piece of public information produced by the protocol,
an attacker can sit at his home PC and scan, say, 100K passwords to find
the one used to generate that information (assuming the password used is
one of the 100K scanned passwords).

Contrast this with the *on-line* attack where the attacker *actively* 
tries to authenticate to a remote server by *trying* guesses to the 
actual password. If the system limits the failed authentication attempts
to, say, 20, then such an attacker has a probability of 20/100000 to
succeed.

A well-designed password protocol is one that makes the on-line attack the
only viable way to attack the system.

Using pre-shared IKE mode with a password is NOT a well designed password
authentication protocol since it allows for the first attack.


> Using challenge-response mechanisms within the context of IKE, doesn't
> make sense because, our main goal in IKE is not just authenticate the
> user, but also authenticate the SA parameters that are negotiated, and
> also the DH.

You can have GOOD password protocols that will also authenticate the DH
key exchange. PIC is just one example.

> 
> one-time-passwords, if they can be made accessible from a legacy authentication
> system to IKE, could actually mean a high entropy password mechanism, that

Depends on the one-time-password scheme. Some of these schemes derive
the "one-time" passwords from a fixed password and then are subject
to off-line attacks.  A well-designed one-time-password scheme
can indeed be of value.  In any case, in the ipsra group we cannot
choose the legacy system; the protocol has to be as good as possible
with every legacy system (including those based on a single
human-memorizable password).

> is to some degree secure against online dictionary attacks. I guess this
> is more useful in the context of IKE. Or even if just the master
> pre-shared secret is provided to IKE, we can use a one-time-password type
> of mechanism for IKE authentication, instead of directly using the master
> pre-shared key. This is just an implementation detail, and doesn't need
> any change in the IKE protocol. We are just leveraging the existing legacy
> authentication infrastructure that already maintains a database of
> pre-shared secrets with each individual user/machine that we need to
> communicate to. Routers do use legacy authentication to authenticate to
> other routers, when trying to initiate PPP sessions, and so it could be a
> machine that we are authenticating using legacy authentication systems.
> 
> I guess, the off-line dictionary attack threat model is too simple to
> guard against, because there is a general assumption that the legacy
> authentication infrastructure(server) is reasonably secure, and doesn't
> have to be connected to the Internet for everybody to hack it, and take
> the information to do off-line dictionary attacks.

As explained above, if a protocol is not well-designed then off-line attacks
can succeed even when the legacy database is perfectly protected.


> 
> > 
> > There have been several questions in this list regarding the meaning
> > of "user authentication".  From a cryptographic point of view the
> > short (low entropy) secret that (human) users use is the main line
> > separating "user authentication" from "machine authentication". Of
> > course, there is another important security aspect of "user
> > authentication"  which is the granularity of policy decisions that you
> > can make at the level of individual users.
> 
> Cryptographic definition of "user authentication"! I disagree. If a router
> uses a low entropy CHAP password to authenticate to another router to
> bring up a ppp link, then is it considered "user authentication"?!

Let's not make this a linguistic discussion.  Cryptography does not care
about "users" and "machines".  In cryptography these are all "entities"
(or principals). The real cryptographic issue is what keys these entities
have, what functions are keyed with these keys, and how the protocol that
uses these functions is designed.  Thus from a cryptographic point of view
the case of the router using low-entropy passwords is similar to the human
user authenticating with his memorizable password. While the case of a
router authenticating with a digital signature is closer to the user that
authenticates herself via a digital signature produced by her smartcard. 

(From a security point of view, however, it is sad to see routers
authenticating with low-entropy keys...)

> 
> I think that the difference between "user authentication" and "machine
> authentication" is much more basic than that. If only the user
> has/provides the information needed in the authentication process, then it
> is "user authentication" and if only the machine has/provides the
> information needed in the authentication process, then it would be
> "machine authentication".

This is certainly a valid literary definition, but not very useful in
a technical cryptographic context.

Hugo

> 
>     chinna
> 
> > 
> > Hugo
> 
> chinna narasimha reddy pellacuru
> s/w engineer
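The off-line versus on-line distinction drawn in the reply above, as an added Python illustration (this is not code from the thread and not the IKE wire format): a toy pre-shared-key exchange in which the authenticating MAC is keyed directly by the password and computed over public nonces, so a passive eavesdropper can test every dictionary word against a captured transcript at home, while the same dictionary run against a responder that locks after 20 failed attempts has only a 20/100000 chance of success. The protocol shape, the 100K-word dictionary and the lock-out threshold are all constructed for the example.

```python
"""Off-line vs on-line dictionary attack against a password-authenticated exchange.

Added illustration for the ipsra discussion, not code from the thread. The
protocol is a deliberately simplified model of pre-shared-key authentication
(a MAC over the public transcript, keyed by the password), not IKE itself.
"""
import hashlib
import hmac
import os
from typing import Optional, Sequence


def auth_tag(password: str, transcript: bytes) -> bytes:
    """MAC over the public transcript, keyed by the low-entropy password.

    Models PSK authentication where the key is derived only from the password
    and public values: whatever an eavesdropper sees suffices to check a guess.
    (Simplification; IKE's actual PRF chain is not reproduced here.)
    """
    return hmac.new(password.encode(), transcript, hashlib.sha256).digest()


def run_exchange(password: str) -> tuple[bytes, bytes]:
    """Honest initiator and responder exchange nonces, then authenticate.

    Returns exactly what a passive attacker sees on the wire: transcript + tag.
    """
    ni, nr = os.urandom(16), os.urandom(16)  # public nonces
    transcript = b"Ni" + ni + b"Nr" + nr
    return transcript, auth_tag(password, transcript)


def offline_attack(transcript: bytes, tag: bytes,
                   dictionary: Sequence[str]) -> Optional[str]:
    """Off-line guessing: verify each candidate against the captured tag.

    Runs entirely on the attacker's machine; nothing limits the guess count.
    """
    for guess in dictionary:
        if hmac.compare_digest(auth_tag(guess, transcript), tag):
            return guess
    return None


class RateLimitedServer:
    """Responder that refuses further attempts after max_attempts failures."""

    def __init__(self, password: str, max_attempts: int = 20):
        self._password = password.encode()
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def try_auth(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(guess.encode(), self._password):
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def online_attack(server: RateLimitedServer,
                  dictionary: Sequence[str]) -> Optional[str]:
    """On-line guessing: every guess costs one live authentication attempt."""
    for guess in dictionary:
        if server.locked:
            break
        if server.try_auth(guess):
            return guess
    return None


def online_success_probability(max_attempts: int, dictionary_size: int) -> float:
    """Chance the on-line attacker hits the password before lock-out, assuming
    the password is drawn uniformly from the dictionary (20/100000 in the text)."""
    return min(max_attempts, dictionary_size) / dictionary_size


# Constructed sample data: a 100K-word dictionary and a password drawn from it.
DICTIONARY = [f"password{i:05d}" for i in range(100_000)]
TRUE_PASSWORD = DICTIONARY[73_412]


def demo() -> dict:
    """Run both attacks against the same password and report the outcome."""
    transcript, tag = run_exchange(TRUE_PASSWORD)
    server = RateLimitedServer(TRUE_PASSWORD, max_attempts=20)
    return {
        "offline_recovered": offline_attack(transcript, tag, DICTIONARY),
        "online_recovered": online_attack(server, DICTIONARY),
        "server_locked": server.locked,
        "online_success_probability":
            online_success_probability(20, len(DICTIONARY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The off-line attacker recovers the password from one captured exchange regardless of how the responder is configured; the on-line attacker is stopped by the twentieth failure. A protocol that keeps only the on-line path open (the PIC-style approach mentioned above) is what the reply means by well designed; this toy only shows the gap it closes.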