Re: ESMTPA vs. ESMTPS (was: SPF implementations)

On Tue, 16 Aug 2005, Frank Ellermann wrote:


There's no way to get the password by "watching" CRAM-MD5 or
similar SASL mechanisms.  Also no realistic dictionary attack.


CRAM-MD5 is susceptible to a passive offline dictionary attack, i.e. you
can listen to a CRAM-MD5 exchange and get enough data to verify a
correctly guessed password without actively asking the server.

http://www.iab.org/documents/drafts/draft-iab-auth-mech-03.txt

There is also a (perhaps less realistic) active dictionary attack
described in
http://www3.ietf.org/proceedings/05mar/IDs/draft-ietf-sasl-crammd5-04.txt

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Re: SPF implementations, (continued) Re: Re: SPF implementations, Graham Murray Re: Re: SPF implementations, Scott Kitterman Re: Re: SPF implementations, Dick St.Peters Re: Re: SPF implementations, Håkon Alstadheim Re: Re: SPF implementations, Stuart D. Gathman Re: Re: SPF implementations, Jeremy Doupe Re: Re: SPF implementations, Stuart D. Gathman Re: Re: SPF implementations, Arjen de Korte Re: Re: SPF implementations, Stuart D. Gathman ESMTPA vs. ESMTPS (was: SPF implementations), Frank Ellermann Re: ESMTPA vs. ESMTPS (was: SPF implementations), Tony Finch <= Re: ESMTPA vs. ESMTPS (was: SPF implementations), william(at)elan.net Re: ESMTPA vs. ESMTPS, Scott Kitterman Re: ESMTPA vs. ESMTPS, william(at)elan.net Re: ESMTPA vs. ESMTPS (was: SPF implementations), Tony Finch Re: ESMTPA vs. ESMTPS, Frank Ellermann Re: Re: ESMTPA vs. ESMTPS, Scott Kitterman Re: ESMTPA vs. ESMTPS, Frank Ellermann Re: Re: ESMTPA vs. ESMTPS, william(at)elan.net Re: ESMTPA vs. ESMTPS, Frank Ellermann Re: Re: ESMTPA vs. ESMTPS, william(at)elan.net