> -----Original Message-----
> From: Frank Ellermann [mailto:nobody@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, September 07, 2006 7:49 PM
> To: ietf@xxxxxxxx
> Subject: Re: RFC 2195 (Was: what happened to newtrk?)
>
> Christian Huitema wrote:
>
> > both Steve Bellovin and I presented the issues with such
> > techniques.
>
> Is that presentation online available somewhere ? I find the
> way to http://www3.ietf.org/proceedings/05aug/index.html but
> then I'm lost.

http://www.huitema.net/talks/ietf63-security.ppt

> For a password in the dictionary, and if somebody sees the
> challenge and the response. With a somewhat unusual password
> I wouldn't know how an attack works.

You would not, but the gentle folks writing the cracking tool certainly know. From the slide deck:

- If (the password) is generated by the user, it can certainly be cracked
- If (the password) can be remembered by the user, it can probably be cracked

Basically, host should only accept password challenges on secure channels & after properly identifying the server posing the challenge. CRAM-5 fails both tests. The channel is not encrypted, and the server can be easily spoofed, e.g. in a rogue Wi-Fi hot spot.

Note that this is not related to potential weaknesses in MD5. The dictionary attack works just fine with other hash functions.

-- Christian Huitema
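The point made in the message above, as an added example that is not part of the original thread: in an RFC 2195 style exchange the response is a keyed digest of the challenge under the password, so whoever sees both can check guesses offline, and swapping MD5 for another hash changes nothing. The challenge, word list, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac

def cram_response(password: str, challenge: bytes, digest: str = "md5") -> str:
    """Hex digest the client sends back: HMAC(key=password, msg=challenge)."""
    return hmac.new(password.encode(), challenge, digest).hexdigest()

def first_matching_guess(challenge, observed, candidates, digest="md5"):
    """Return the first candidate that reproduces the observed response, else None.

    Nothing here needs the server: the transcript alone confirms or rejects
    each guess, which is why the exchange must not cross an open channel.
    """
    for guess in candidates:
        if hmac.compare_digest(cram_response(guess, challenge, digest), observed):
            return guess
    return None

# Constructed sample data (not taken from the thread).
CHALLENGE = b"<1234.5678@mail.example.test>"
WORDLIST = ["letmein", "sunshine", "correcthorse", "Summer2006"]
MEMORABLE = "Summer2006"               # user-chosen, easy to remember
RANDOM_SECRET = "q7Vd2xLr9ZpB4mTe8KsW"  # machine-generated, not in any list

def audit(password: str, digest: str = "md5"):
    """Simulate one observed exchange and test it against the word list."""
    observed = cram_response(password, CHALLENGE, digest)
    return first_matching_guess(CHALLENGE, observed, WORDLIST, digest)

if __name__ == "__main__":
    for name in ("md5", "sha256"):
        # The memorable password is recovered under both hashes;
        # the random secret is not, whichever hash is used.
        print(name, audit(MEMORABLE, name), audit(RANDOM_SECRET, name))
```
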