Christian Huitema wrote:

> http://www.huitema.net/talks/ietf63-security.ppt

Thanks, with that hint I finally found the HTML version:
http://www3.ietf.org/proceedings/05aug/slides/apparea-4/ and
http://www3.ietf.org/proceedings/05aug/slides/plenaryt-1.pdf

>> With a somewhat unusual password I wouldn't know how an
>> attack works.

> You would not, but the gentle folks writing the cracking tool
> certainly know.

Certainly I don't know where to rent the zombie for 10 cents:
http://www3.ietf.org/proceedings/05aug/slides/apparea-4/sld5.htm

Next slide, yes, CRAM-MD5 is *not* designed for that attack.
Adding a prose version of your slides 3..6 and 13 to the
security considerations of a 2195bis could improve it.  Do I
miss a clue, or has DIGEST-MD5 essentially the same issue?

> Note that this is not related to potential weaknesses in MD5.

Right, add 20% to your costs to get SHA-1, etc.  How did you
calculate this, how long have the rented bots to crack a given
observed C/R?

Frank



_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
