On Tue, 16 Aug 2005, Frank Ellermann wrote:
> There's no way to get the password by "watching" CRAM-MD5 or
> similar SASL mechanisms. Also no realistic dictionary attack.

CRAM-MD5 is susceptible to a passive offline dictionary attack, i.e. you
can listen to a CRAM-MD5 exchange and get enough data to verify a
correctly guessed password without actively asking the server.
http://www.iab.org/documents/drafts/draft-iab-auth-mech-03.txt
There is also a (perhaps less realistic) active dictionary attack
described in
http://www3.ietf.org/proceedings/05mar/IDs/draft-ietf-sasl-crammd5-04.txt
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
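
The point made in the reply above, shown as an added example that is not part of the original message: the two lines of a CRAM-MD5 exchange that cross the wire are enough to test a candidate password without contacting the server. The function names are hypothetical; the user, secret and challenge are the example values from RFC 2195.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side of RFC 2195: base64(user + " " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def decode_response(response_b64: str) -> tuple[str, str]:
    """Split the client's base64 line into (user, hex digest)."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    return user, digest


def guess_matches(guess: str, challenge_b64: str, response_b64: str) -> bool:
    """True if `guess` reproduces the digest seen in the exchange.

    Uses only the server's challenge line and the client's response line,
    which is why the exchange acts as a password verifier for anyone who
    can read it.
    """
    _, seen = decode_response(response_b64)
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, seen)


# Example values from RFC 2195 (user "tim", shared secret "tanstaaftanstaaf").
CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>"
).decode()
RESPONSE_B64 = cram_md5_response("tim", "tanstaaftanstaaf", CHALLENGE_B64)

if __name__ == "__main__":
    print("S: +", CHALLENGE_B64)
    print("C:", RESPONSE_B64)
    # Constructed candidate list: only the real secret reproduces the digest.
    for candidate in ("password", "tanstaaf", "tanstaaftanstaaf"):
        print(f"{candidate!r}: {guess_matches(candidate, CHALLENGE_B64, RESPONSE_B64)}")
```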