Pre-shared key

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used.

To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in Wi-Fi encryption such as Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), notably in Extensible Authentication Protocol, where it is known as EAP-PSK, where both the wireless access points (AP) and all clients share the same key.

The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password, a passphrase, or a hexadecimal string. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems.

As in all cases of crypto systems relying on one or more keys for confidentiality, the key or keys used must be sufficiently difficult to attack. One particular attack is always possible against keys, the brute force key space search attack. A sufficiently long, randomly chosen, key can resist any practical brute force attack, though not in principle if an attacker has sufficient computational power (see password strength and password cracking for more discussion). Unavoidably, however, pre-shared keys are held by both parties to the communication, and so can be compromised at one end, without the knowledge of anyone at the other. There are several tools available to help one choose strong passwords, though doing so over any network connection is inherently unsafe as one cannot in general know who, if anyone, may be eavesdropping on the interaction. Choosing keys used by cryptographic algorithms is somewhat different in that any pattern whatsoever should be avoided, as any such pattern may provide an attacker with a lower effort attack than brute force search. This implies random key choice to force attackers to spend as much effort as possible; this is very difficult in principle and in practice as well. As a general rule, any software except a Cryptographically secure pseudorandom number generator should be avoided.