[ previous ] [ next ] [ threads ]
 
 From:  "Josh McAllister" <josh at bluehornet dot com>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Monowall and Freeswan
 Date:  Tue, 8 Feb 2005 16:41:43 -0800
Sorry... but you're way off. You sound quite knowledgeable... perhaps
just misguided. If you take A-Z,a-z,1-10,!-), plus other assorted
symbols, you get > 72 possible char, but even @ 64 you'd still have a
theoretical best of 6 bits of entropy. 

The 1 bit notion is over-quoted, and over-exaggerated. That is worst
case scenario, which applies to (unfortunately too many) people who are
too ignorant to realize that "lastname" or "emantsal" are not strong
passwords. 

If you used a random generator to generate a 20 char. password even with
a limited char. set of 64 chars, you'd still get 6*20=120bits of
entropy. Real world numbers with a person selecting a "strong password"
with mixed case/numbers/symbols would be somewhere in the middle.

Also, in the real world, it take much more than 1 ms per try to conduct
any kind of man-in-the-middle / spoofing attack no matter how fast the
perpetrator can calculate the combinations.

Just trying to stop the perpetuation of FUD.

Josh McAllister


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com] 
Sent: Tuesday, February 08, 2005 2:21 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Monowall and Freeswan


On Mon, 7 Feb 2005, Josh McAllister wrote:

> Actually, it's just a pre shared key, akin to a "password". I suppose
> it's possible that it's puking on a 1536 bit key. Try something more

No doubt.  ISTR racoon's having a limit of something like 128
characters,
but the m0n0wall WebGUI sets the field size to 40.  Don't know whether
that's "enforced".

> sane like 20 chars. To be sure keep it simple for testing. 20 chars
> should be reasonably secure... ever try to brute force a 20 char
> password? It would take more than a little while. ;) If you're still

Actually, ordinary English text has only about 1 bit of entropy per
character, so a 20-character "passphrase" is like a 20-bit key.  Even if
it takes a millisecond to compute each hash (probably conservative on a
modern processor), it would only take about 1000 seconds to brute-force
a
20-bit key.

Given a "quality" binary random number, the question is how to map it to
printable text.  The most straightforward approach would be to use hex,
which gives you 4 bits of entropy per character, or up to 160 bits in 40
characters.  Base64 encoding would give 6 bits per character, or up to
240
bits.  Racoon also accepts hex-formatted PSKs in the config, and I doubt
that m0n0wall disallows that form, but if the limit is on the number of
characters rather than the number of bytes it doesn't offer any
advantage
(in fact it's slightly worse than "hex text" due to the leading
"0x" consuming two character positions).

The vulnerability of a weak PSK is worse in aggressive mode than in main
mode.  Aggressive mode sends the keyed hash of the PSK in the clear, so
an
eavesdropper need only brute-force the hash to recover the PSK.  Main
mode
DH-encrypts the hash, so the attacker would need to brute-force the DH
key
*and* the hash to recover the PSK.

Speaking of quality random numbers, on any m0n0wall with a crypto
accelerator, the hardware RNG contributes to the /dev/random entropy
pool.

> -----Original Message-----
> From: Kevin Droz [mailto:drozk at moeller dot com] 
> Sent: Monday, February 07, 2005 8:02 AM
> To: Josh McAllister
> Subject: RE: [m0n0wall] Monowall and Freeswan
> 
> Its still not working at this point. I'm making my key w/ranbits. I'm
> using
> the the command "ranbits 1536 > key" to make a key. I assume I'm
making
> a
> key for 1536 because the Monowall is set to DH=5. We have the keys
> entered
> correctly and still its hanging up in the same area. Thanks for the
> help.

The PSK is *not* the DH parameters, and in fact there's no such thing as
a
preconfigured DH "key".  The whole idea of DH is that an *ephemeral* key
is jointly computed by the two parties, based on certain parameters that
are prearranged but not secret.

					Fred Wright


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch