 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Tue, 8 Feb 2005 13:20:56 -0800 (PST)
On Mon, 7 Feb 2005, Josh McAllister wrote:

> Actually, it's just a pre-shared key, akin to a "password". I suppose
> it's possible that it's puking on a 1536 bit key. Try something more

No doubt.  ISTR racoon's having a limit of something like 128 characters,
but the m0n0wall WebGUI sets the field size to 40.  Don't know whether
that's "enforced".

> sane like 20 chars. To be sure keep it simple for testing. 20 chars
> should be reasonably secure... ever try to brute force a 20 char
> password? It would take more than a little while. ;) If you're still

Actually, ordinary English text has only about 1 bit of entropy per
character, so a 20-character "passphrase" is like a 20-bit key.  Even if
it takes a millisecond to compute each hash (probably conservative on a
modern processor), it would only take about 1000 seconds to brute-force a
20-bit key.

Given a "quality" binary random number, the question is how to map it to
printable text.  The most straightforward approach would be to use hex,
which gives you 4 bits of entropy per character, or up to 160 bits in 40
characters.  Base64 encoding would give 6 bits per character, or up to 240
bits.  Racoon also accepts hex-formatted PSKs in the config, and I doubt
that m0n0wall disallows that form, but if the limit is on the number of
characters rather than the number of bytes it doesn't offer any advantage
(in fact it's slightly worse than "hex text" due to the leading
"0x" consuming two character positions).

The vulnerability of a weak PSK is worse in aggressive mode than in main
mode.  Aggressive mode sends the keyed hash of the PSK in the clear, so an
eavesdropper need only brute-force the hash to recover the PSK.  Main mode
DH-encrypts the hash, so the attacker would need to brute-force the DH key
*and* the hash to recover the PSK.

Speaking of quality random numbers, on any m0n0wall with a crypto
accelerator, the hardware RNG contributes to the /dev/random entropy pool.

> -----Original Message-----
> From: Kevin Droz [mailto:drozk at moeller dot com] 
> Sent: Monday, February 07, 2005 8:02 AM
> To: Josh McAllister
> Subject: RE: [m0n0wall] Monowall and Freeswan
> It's still not working at this point. I'm making my key w/ranbits. I'm
> using the command "ranbits 1536 > key" to make a key. I assume I'm making
> a key for 1536 because the Monowall is set to DH=5. We have the keys
> entered correctly and still it's hanging up in the same area. Thanks for
> the help.

The PSK is *not* the DH parameters, and in fact there's no such thing as a
preconfigured DH "key".  The whole idea of DH is that an *ephemeral* key
is jointly computed by the two parties, based on certain parameters that
are prearranged but not secret.

					Fred Wright
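
Added example (not part of the original message): a Python sketch of the arithmetic above, generating a random PSK that fills a 40-character field as hex text, "0x"-prefixed hex, or base64, and reporting the entropy each form carries. The names `make_psk`, `brute_force_seconds` and `FIELD_LIMIT` are hypothetical, and the 40-character limit and 1 ms per guess are the figures quoted in the message, not measured values.

```python
import base64
import secrets

FIELD_LIMIT = 40  # WebGUI field size quoted in the message (assumed to be enforced)


def make_psk(encoding, max_chars=FIELD_LIMIT):
    """Return (psk_text, entropy_bits) for a random PSK of at most max_chars."""
    if encoding == "hex":
        # Two hex digits per random byte: 4 bits of entropy per character.
        nbytes = max_chars // 2
        text = secrets.token_bytes(nbytes).hex()
    elif encoding == "0xhex":
        # The leading "0x" uses two character positions, costing one byte.
        nbytes = (max_chars - 2) // 2
        text = "0x" + secrets.token_bytes(nbytes).hex()
    elif encoding == "base64":
        # Whole 3-byte groups map to 4 characters with no '=' padding:
        # 6 bits of entropy per character.
        nbytes = (max_chars // 4) * 3
        text = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    else:
        raise ValueError("unknown encoding: %r" % encoding)
    return text, nbytes * 8


def brute_force_seconds(entropy_bits, seconds_per_guess=0.001):
    """Time to try every key of the given entropy at a fixed cost per guess."""
    return (2 ** entropy_bits) * seconds_per_guess


if __name__ == "__main__":
    # A 20-character English passphrase at ~1 bit/char, as in the message.
    print("20-bit passphrase: %.0f s to exhaust" % brute_force_seconds(20))
    for enc in ("hex", "0xhex", "base64"):
        psk, bits = make_psk(enc)
        years = brute_force_seconds(bits) / (365.25 * 24 * 3600)
        print("%-7s %3d bits  %2d chars  %.1e years  %s"
              % (enc, bits, len(psk), years, psk))
```
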