- From: Tim <tim-research@sentinelchicken.org>
- Date: Fri, 7 Jan 2011 09:42:13 -0800
- To: Simon Josefsson <simon@josefsson.org>
- Cc: websec <websec@ietf.org>, "kitten\@ietf\.org" <kitten@ietf.org>, "http-auth\@ietf\.org" <http-auth@ietf.org>, "ietf-http-wg\@w3\.org Group" <ietf-http-wg@w3.org>
> One final addition here, the situation for PSK depends on the flavour > and whether you are talking about active or passive attackers. The > statement is true for plain PSK, but less so for DHE_PSK and RSA_PSK. > Section 7.2 of 4279: > > For the PSK ciphersuites, an attacker can get the information > required for an off-line attack by eavesdropping on a TLS handshake, > or by getting a valid client to attempt connection with the attacker > (by tricking the client to connect to the wrong address, or by > intercepting a connection attempt to the correct address, for > instance). > > For the DHE_PSK ciphersuites, an attacker can obtain the information > by getting a valid client to attempt connection with the attacker. > Passive eavesdropping alone is not sufficient. > > For the RSA_PSK ciphersuites, only the server (authenticated using > RSA and certificates) can obtain sufficient information for an > off-line attack. In the general case, I don't think it is useful to differentiate between passive and active attackers. Performing man-in-the-middle attacks is no more difficult (in a big-O sense) than performing passive attacks. In almost every modern network, these attacks require the same level of network access. Just a pet peeve of mine. cheers, tim
Received on Friday, 7 January 2011 17:42:45 UTC