[Swan-dev] shannon_entropy [was Re: ikev2-14-missing-ke test failure]

Paul Wouters paul at nohats.ca
Sun Jan 4 06:44:49 EET 2015


On Sat, 3 Jan 2015, D. Hugh Redelmeier wrote:

> | Most examples do not take into account that we would force a minimum PSK
> | length (which I had not yet implemented but was planning to add)
>
> I was basically showing that the function is not what it is
> represented to be, Shannon Entropy.  Furthermore, the result is not
> meaningfully read as bits, which is what one would expect.

We are mostly concerned about people using "ascii" as PSK. People
inputting straight hex usually do have good entropy because they're
inputting random numbers in hex form. It's the ascii/text people that
are the problem.

> | Since we cannot force people to stop using IKEv1 Aggressive Mode,
>
> We disagree about that.  You've just proved it is a weakness.  I guess
> rate-limiting would be a useful bandaid.

I don't think rate limiting helps. This is not an active attack, but a
passive attack that can be done offline.

> Perhaps we should mount a PR campaign to shame those who insist on
> Aggressive Mode.

We'll still have to support it, eg for stupid certification reasons. But
also because 75% of IKEv1 deployed is Aggressive Mode :(

> | 1) Do you have something better within the restraints of not using
> | dictionaries?
>
> pam_cracklib seems to exist already, be available on most systems we
> target, be designed for this purpose, be widely used already, stood
> the test of time, and already experienced by users.

And it does require a dictionary. I tried to stay away from "password
hacking" tools and make it simpler. Because we wouldn't catch people
using a single character 20 times in a foreign script.

> | 2) Does this code do anything bad? (I'd say at most a false sense of
> | security?)
>
> It is quite misleading.  That is always a problem in security systems.

Is it? Would it be less misleading if we hide the reason and number and
just say "we deem this PSK too weak" ?

> It is training users to meet a meaningless goal.

It's raising the bar. The bar is quite low as it is now. Even if you
limit the minimum length to 8, you will get "testtest".

> Often they rebel in
> ways that impair security.  (The tales of this are legion.)

They also do when using "test" as PSK now. I'm just trying to make it
a little harder, a little more secure. It does not have to be guaranteed.
Right now, the bar is at the floor and getting abused.

> (A minimum key length is not perfect but it is clearly so and thus
> doesn't mislead users.  They might still rebel.)

Yeah, it's too simple, "testtesttesttest"

> BTW, reporting "Shannon Entropy" values might be leaking valuable
> information to an attacker, assuming they can see the message.

I have no problem making that a debug only, or even DBG_CRYPT only
display - or just never displaying it at all and just saying "too weak".

Paul
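The strings discussed above ("testtest", "testtesttesttest", a single repeated character) make the point concrete: a textbook per-character Shannon entropy estimate, computed over one string's own character frequencies, catches repetition that a minimum-length rule misses, but the resulting number is not attacker guessing cost in bits. The code below is an added example, not libreswan's entropy function; the sample PSKs and the 3.0 bits/char threshold are constructed for illustration.

```python
import math
from collections import Counter


def shannon_entropy_per_char(s: str) -> float:
    """Empirical Shannon entropy H = -sum(p_i * log2 p_i), in bits per
    character, where p_i is the frequency of each character in s itself."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def naive_total_bits(s: str) -> float:
    """H times length: the figure a checker is tempted to report as 'bits'.
    It only measures how uneven the characters of this one string are;
    a predictable string with uniform character counts scores the maximum."""
    return shannon_entropy_per_char(s) * len(s)


def psk_too_weak(psk: str, min_len: int = 8, min_bits_per_char: float = 3.0):
    """Return a rejection reason, or None if the PSK passes both checks.
    The two heuristics are independent: length blocks 'test', the entropy
    estimate blocks 'testtesttesttest', which a length-16 rule would accept."""
    if len(psk) < min_len:
        return f"too short ({len(psk)} < {min_len})"
    h = shannon_entropy_per_char(psk)
    if h < min_bits_per_char:
        return f"low per-character entropy ({h:.2f} < {min_bits_per_char})"
    return None


if __name__ == "__main__":
    # Constructed sample PSKs: the thread's examples plus a blind spot.
    for psk in ("test", "testtest", "testtesttesttest", "a" * 20,
                "0123456789abcdef0123456789abcdef"):
        print(f"{psk!r:36} H={shannon_entropy_per_char(psk):.2f} bits/char "
              f"total={naive_total_bits(psk):6.1f} -> {psk_too_weak(psk)}")
```

Repeating "test" never raises the per-character estimate (it stays at 1.5 bits/char however many times it is repeated), while the obviously predictable "0123456789abcdef0123456789abcdef" scores a perfect 4.0 bits/char, which is why a reported "bits" value should not be read as security.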

