> Next slide, yes, CRAM-MD5 is *not* designed for that attack. That is my point. We should not, in 2006, standardize "security" methods that are not robust against a fairly well known attack. > Adding a prose version of your slides 3..6 and 13 to the > security considerations of a 2195bis could improve it. Do I > miss a clue, or has DIGEST-MD5 essentially the same issue ? DIGEST-MD5 is somewhat more robust than CRAM-MD5 because it incorporates protection against "chosen plaintext" attacks. If an attacker can fake a server and send a chosen challenge, then the dictionary attack can be accelerated with a pre-computed catalog. However, current dictionary attacks do not need to rely on pre-computation, since a modern PC can compute more than a million MD5 hashes per second. So, yes, DIGEST-MD5 has essentially the same issue. -- Christian Huitema _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf