> Next slide, yes, CRAM-MD5 is *not* designed for that attack.

That is my point. We should not, in 2006, standardize "security" methods
that are not robust against a fairly well known attack.

> Adding a prose version of your slides 3..6 and 13 to the
> security considerations of a 2195bis could improve it. Do I
> miss a clue, or has DIGEST-MD5 essentially the same issue?

DIGEST-MD5 is somewhat more robust than CRAM-MD5 because it incorporates
protection against "chosen plaintext" attacks. If an attacker can fake a
server and send a chosen challenge, then the dictionary attack can be
accelerated with a pre-computed catalog. However, current dictionary
attacks do not need to rely on pre-computation, since a modern PC can
compute more than a million MD5 hashes per second. So, yes, DIGEST-MD5
has essentially the same issue.
-- Christian Huitema
Ietf mailing list