In message <8046C85964B8D5A4F24C9EAD(_at_)scan(_dot_)jck(_dot_)com>, John C
The claims about man-in-the-middle attacks are another matter.
When the analysis was done in 1996, the conclusion was that such
attacks were not possible unless either the secrets were already
known to the attacker or there was a plausible attack on
HMAC-MD5 itself. If such attacks are now seen to be plausible,
or if post-authentication session hijacking has become a
dominant concern in practice, it is, as I indicated in my
earlier note, time to document that and to use the documentation
as the basis for explicitly deprecating CRAM-MD5 (or HMAC-MD5
itself if necessary).
The environment has changed a great deal. I don't know why people
thought MITM attacks weren't feasible in 1996 -- Joncheray published a
paper on how to carry them out in 1995 -- but they're now trivial.
There are off-the-shelf tools -- see, for example, Dug Song's dsniff
package, and read the man pages for arpspoof, sshmitm, webmitm -- and
the advent of wireless has created a fertile ground for such things.
(Think about the "evil twin" wireless attacks.) Factor in routing
attacks -- they're happening, too -- and you'll see why I'm concerned.
For the record, I've seen active attacks on ssh and web in the wild, at
the Usenix Security conference and at the IETF itself. And those were
without even looking for them.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Ietf mailing list
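As an added illustration (not part of either message above), the CRAM-MD5 exchange from RFC 2195 in Python, showing what an on-path relay that captures one challenge and response gets from it: no secret and no response that works for a later challenge, which is the 1996 reasoning Klensin quotes, while nothing after the accepted login is keyed at all, which is the hijacking gap both writers point at. The username, secret and fixed challenge are the illustrative values from RFC 2195 section 2, and `make_challenge` is an assumed server-side helper.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials: the illustrative user/secret/challenge from
# RFC 2195 section 2, not values taken from the messages above.
SAMPLE_SECRETS = {"tim": b"tanstaaftanstaaf"}
RFC_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def make_challenge(host="mail.example.test"):
    """Server side: a fresh, unpredictable challenge in RFC 2195's <random.timestamp@host> shape."""
    return f"<{int.from_bytes(os.urandom(8), 'big')}.{int(time.time())}@{host}>".encode()


def cram_md5_response(username, secret, challenge):
    """Client side: 'username ' + hex(HMAC-MD5(secret, challenge)); the secret never leaves the client."""
    return f"{username} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"


def cram_md5_verify(response, secret_lookup, challenge):
    """Server side: recompute the keyed digest for the challenge it issued and compare in constant time."""
    username, _, digest = response.partition(" ")
    secret = secret_lookup(username)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo():
    """What a relay that observed one complete exchange can and cannot do with it."""
    challenge = make_challenge()
    response = cram_md5_response("tim", SAMPLE_SECRETS["tim"], challenge)
    accepted = cram_md5_verify(response, SAMPLE_SECRETS.get, challenge)
    # Replaying the captured response against a new challenge fails: the digest
    # is bound to the challenge the server chose, so without the secret (or a
    # break of HMAC-MD5) the relay cannot authenticate on its own later.
    replayed = cram_md5_verify(response, SAMPLE_SECRETS.get, make_challenge())
    # The captured response carries only the digest, never the secret itself.
    leaked = SAMPLE_SECRETS["tim"].decode() in response
    # Caveat from the thread: once 'accepted' is True the protection is over.
    # Nothing later in the session is keyed to the secret, so a relay that
    # forwarded the exchange unchanged simply inherits the authenticated
    # connection; only a protected channel (e.g. TLS) closes that gap.
    return accepted, replayed, leaked


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```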