In message <8046C85964B8D5A4F24C9EAD@xxxxxxxxxxxx>, John C Klensin writes:

>The claims about man-in-the-middle attacks are another matter.
>When the analysis was done in 1996, the conclusion was that such
>attacks were not possible unless either the secrets were already
>known to the attacker or there was a plausible attack on
>HMAC-MD5 itself. If such attacks are now seen to be plausible,
>or if post-authentication session hijacking has become a
>dominant concern in practice, it is, as I indicated in my
>earlier note, time to document that and to use the documentation
>as the basis for explicitly deprecating CRAM-MD5 (or HMAC-MD5
>itself if necessary).

The environment has changed a great deal. I don't know why people thought MITM attacks weren't feasible in 1996 -- Joncheray published a paper on how to carry them out in 1995 -- but they're now trivial. There are off-the-shelf tools -- see, for example, Dug Song's dsniff package, and read the man pages for arpspoof, sshmitm, webmitm -- and the advent of wireless has created a fertile ground for such things. (Think about the "evil twin" wireless attacks.) Factor in routing attacks -- they're happening, too -- and you'll see why I'm concerned.

For the record, I've seen active attacks on ssh and web in the wild, at the Usenix Security conference and at the IETF itself. And those were without even looking for them.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf