[Swan-dev] shannon_entropy [was Re: ikev2-14-missing-ke test failure]
Paul Wouters
paul at nohats.ca
Sun Jan 4 01:37:39 EET 2015
On Sat, 3 Jan 2015, D. Hugh Redelmeier wrote:
> Let's look at some values calculated by the function.
Most examples do not take into account that we would force a minimum PSK
length (which I had not yet implemented but was planning to add).
> Recommendation: don't use this function -- it probably isn't
> calculating anything useful and certainly isn't calculating entropy.
>
> [I welcome corrections.]
The recent NSA documents reveal a possible bruteforcing of PSKs. There
are also tools like http://ikecrack.sourceforge.net/
IKE Aggressive Mode BruteForce Summary
Aggressive Mode IKE authentication is composed of the following steps:
1 - Initiating client sends encryption options proposal, DH public key,
random number [nonce_i], and an ID in an un-encrypted packet to the
gateway/responder.
2 - Responder creates a DH public value, another random number
[nonce_r], and calculates a HASH that is sent back to the initiator in
an un-encrypted packet. This hash is used to authenticate the parties to
each other, and is based on the exchange nonces, DH public values, the
initiator ID, other values from the initiator packet, and the
Pre-Shared-Key [PSK].
3 - The Initiating client sends a reply packet also containing a HASH,
but this response is normally sent in an encrypted packet.
IKECrack utilizes the HASH sent in step 2, and attempts a real-time
brute-force of the PSK.
Since we cannot force people to stop using IKEv1 Aggressive Mode, we can
at least force them to use stronger passwords. Left on their own, they
have been shown to use really stupidly simplistic PSKs - again look at the
NSA slides.
A minimum length plus shannon entropy test is just meant to raise the
bar. It is not meant to be foolproof as we know vpn sysadmins are very
competent fools.
This method seems the easiest to do without needing dictionaries of
words. So instead, I would like to reverse the question to you:
1) Do you have something better within the restraints of not using
dictionaries?
2) Does this code do anything bad? (I'd say at most a false sense of security?)
Paul
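An added, constructed illustration of the minimum-length plus Shannon-entropy check discussed in this thread (this is not libreswan's shannon_entropy function; the thresholds are assumptions chosen for the example). It also shows the limit Hugh's objection points at: a sequential PSK such as "abcdefghijkl" passes a byte-distribution entropy test because the test measures how evenly bytes are spread, not how guessable the PSK is.

```python
"""Constructed example: minimum-length plus Shannon-entropy PSK check."""
import math
from collections import Counter

# Policy thresholds are assumptions for this example, not libreswan's values.
PSK_MIN_LEN = 12
PSK_MIN_ENTROPY_BITS = 3.0   # bits per byte of the PSK's byte distribution


def shannon_entropy(psk: bytes) -> float:
    """Shannon entropy, in bits per byte, of the byte-value distribution of psk.

    This measures how evenly the byte values are distributed, not how hard the
    PSK is to guess: b"abcdefghijkl" scores log2(12) yet is a trivial sequence.
    """
    if not psk:
        return 0.0
    n = len(psk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(psk).values())


def psk_check(psk: bytes) -> tuple[bool, str]:
    """Apply the length floor first, then the entropy floor; return (accepted, reason)."""
    if len(psk) < PSK_MIN_LEN:
        return False, f"shorter than {PSK_MIN_LEN} bytes"
    h = shannon_entropy(psk)
    if h < PSK_MIN_ENTROPY_BITS:
        return False, f"entropy {h:.2f} bits/byte below {PSK_MIN_ENTROPY_BITS}"
    return True, f"entropy {h:.2f} bits/byte"


if __name__ == "__main__":
    # Constructed candidate PSKs: too short, repeated byte, short repeating
    # pattern, plain sequence (passes despite being trivial), mixed string.
    for candidate in (b"secret", b"aaaaaaaaaaaaaaaa", b"abcdabcdabcd",
                      b"abcdefghijkl", b"Tr0ub4dor&3-xyz!"):
        ok, why = psk_check(candidate)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} ({why})")
```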