[Swan-dev] shannon_entropy [was Re: ikev2-14-missing-ke test failure]

Paul Wouters paul at nohats.ca
Sun Jan 4 01:37:39 EET 2015


On Sat, 3 Jan 2015, D. Hugh Redelmeier wrote:

> Let's look at some values calculated by the function.

Most examples do not take into account that we would force a minimum PSK
length (which I had not yet implemented but was planning to add).

> Recommendation: don't use this function -- it probably isn't
> calculating anything useful and certainly isn't calculating entropy.
>
> [I welcome corrections.]

The recent NSA documents reveal a possible bruteforcing of PSKs. There
are also tools like http://ikecrack.sourceforge.net/

 	IKE Aggressive Mode BruteForce Summary
 	Aggressive Mode IKE authentication is composed of the following steps:

 	1 - Initiating client sends encryption options proposal, DH public key,
 	random number [nonce_i], and an ID in an un-encrypted packet to the
 	gateway/responder.
 	2 - Responder creates a DH public value, another random number
 	[nonce_r], and calculates a HASH that is sent back to the initiator in
 	an un-encrypted packet. This hash is used to authenticate the parties to
 	each other, and is based on the exchange nonces, DH public values, the
 	initiator ID, other values from the initiator packet, and the
 	Pre-Shared-Key [PSK].
 	3 - The Initiating client sends a reply packet also containing a HASH,
 	but this response is normally sent in an encrypted packet.


 	IKECrack utilizes the HASH sent in step 2, and attempts a realtime
 	bruteforce of the PSK.

Since we cannot force people to stop using IKEv1 Aggressive Mode, we can
at least force them to use stronger passwords. Left on their own, they
have been shown to use really stupidly simplistic PSKs - again look at the
NSA slides.


A minimum length plus Shannon entropy test is just meant to raise the
bar. It is not meant to be foolproof, as we know VPN sysadmins are very
competent fools.

This method seems the easiest to do without needing dictionaries of
words. So instead, I would like to reverse the question to you:

1) Do you have something better within the restraints of not using
dictionaries?

2) Does this code do anything bad? (I'd say at most a false sense of security?)

Paul
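For readers following the thread, here is an added illustration (my own code, not libreswan's shannon_entropy function and not anything posted by either author) of the "minimum length plus Shannon entropy" test being debated, run over a few constructed PSKs. The thresholds MIN_PSK_LEN and MIN_BITS_PER_CHAR are assumptions chosen for the demonstration; the thread does not state the values libreswan would use. The samples are picked to show both what the test catches (short keys, heavy repetition) and the caveat behind Hugh's objection: the test measures the character distribution of one string, so a keyboard walk or an alphabet run scores the maximum 4 bits per character and passes, even though a guesser would try it early.

```python
import math
from collections import Counter

# Assumed policy thresholds for this illustration only (not libreswan's values).
MIN_PSK_LEN = 16
MIN_BITS_PER_CHAR = 3.0


def shannon_entropy_per_char(psk: str) -> float:
    """Shannon entropy H = -sum(p_i * log2 p_i) of the character-frequency
    distribution of a single string, in bits per character.

    Note what this is NOT: it is not the entropy of the process that chose
    the PSK, so it cannot tell a random string from a memorable sequence
    that happens to have no repeated characters."""
    if not psk:
        return 0.0
    n = len(psk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(psk).values())


def check_psk(psk: str) -> tuple[bool, str]:
    """Apply the length floor first, then the per-character entropy floor.
    Returns (accepted, reason)."""
    if len(psk) < MIN_PSK_LEN:
        return False, f"shorter than {MIN_PSK_LEN} characters"
    h = shannon_entropy_per_char(psk)
    if h < MIN_BITS_PER_CHAR:
        return False, f"per-character entropy {h:.2f} bits is below {MIN_BITS_PER_CHAR}"
    return True, f"accepted (per-character entropy {h:.2f} bits)"


# Constructed sample PSKs (not real keys) with a note on why each matters.
SAMPLES = [
    ("secret", "too short: rejected by the length floor alone"),
    ("aaaaaaaaaaaaaaaa", "long enough but a single repeated character: entropy 0"),
    ("passwordpassword", "repetition drags per-character entropy below the floor"),
    ("abcdefghijklmnop", "alphabet run: 16 distinct chars, scores the max 4.0 and PASSES"),
    ("qwertyuiopasdfgh", "keyboard walk: also 16 distinct chars, also PASSES"),
]


def run_samples() -> dict[str, bool]:
    """Evaluate every sample and return {psk: accepted}; prints a report."""
    results = {}
    for psk, why in SAMPLES:
        accepted, reason = check_psk(psk)
        results[psk] = accepted
        print(f"{psk!r:22} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}  [{why}]")
    return results


if __name__ == "__main__":
    run_samples()
```

The two accepted samples are the whole story: the test raises the bar against trivial and repetitive PSKs, which is all the post claims for it, but a per-string entropy figure says nothing about how guessable the string is to a tool that tries sequences and keyboard patterns first.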

