On Fri, Mar 6, 2009 at 5:04 AM, Dave Cridland <[email protected]> wrote:
> On Fri Mar 6 03:33:53 2009, Eric Rescorla wrote:
>>
>> SCRAM is susceptible to offline dictionary attacks, whereas SRP is not.
>
> Indeed so, but...
>
>
>> Obviously, you could do something SRP-oid at the app layer, but we really
>> should decide if dictionary attack resistance is an important element.
>
> I don't think it is - we're not talking in terms of a long-term
> shared-secret, we're talking about an ephemeral secret shared (say) over the
> phone, used purely to verify a channel, and, by that, optionally the peer's
> X.509 cert.

You're assuming that these aren't separated by a time scale of hours to days.
I don't think that's at all safe.

> If an offline dictionary attack can be mounted within the kind of timescales
> we're talking, then I'm off to buy a tinfoil hat, because those guys have
> had it right all along... ;-)

I heard suggestions of 4-digit PINs. Those can be brute-forced in less than a
second.

-Ekr
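To make the point of the exchange above concrete, here is an added example (not code from this thread or from any SCRAM implementation) that computes the SCRAM-SHA-1 ClientProof as specified in RFC 5802 and shows why a captured transcript lets a candidate secret be checked without ever talking to the server again. The salt, nonces, iteration count and PIN are constructed values for this example; in a real exchange the salt and iteration count come from the server-first message and the proof from the client-final message, so all of them are visible to whoever recorded the session. The `seconds_to_exhaust` function extrapolates, from a small timed sample, how long one core needs to try every PIN of a given length at a given iteration count, which is the quantity that decides whether a PIN that is only "ephemeral" on a scale of hours to days is actually safe.

```python
import hashlib
import hmac
import time

# Constructed transcript values (example data, not from the thread or any RFC vector).
ITERATIONS = 4096
SALT = b"constructed-salt-bytes"
AUTH_MESSAGE = (b"n=user,r=clientnonce0001,"
                b"r=clientnonce0001servernonce0001,s=Y29uc3RydWN0ZWQ=,i=4096,"
                b"c=biws,r=clientnonce0001servernonce0001")
PIN = "4831"  # the ephemeral secret; 4 digits, as suggested in the thread


def scram_client_proof(password: str, salt: bytes, iterations: int,
                       auth_message: bytes) -> bytes:
    """ClientProof per RFC 5802 section 3 (SHA-1 variant).

    SaltedPassword  = PBKDF2-HMAC-SHA1(password, salt, iterations)
    ClientKey       = HMAC(SaltedPassword, "Client Key")
    StoredKey       = H(ClientKey)
    ClientSignature = HMAC(StoredKey, AuthMessage)
    ClientProof     = ClientKey XOR ClientSignature
    """
    salted_password = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                          salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(k ^ s for k, s in zip(client_key, client_signature))


def proof_verifies(candidate: str, salt: bytes, iterations: int,
                   auth_message: bytes, observed_proof: bytes) -> bool:
    """True if `candidate` reproduces the proof seen on the wire.

    Every input except `candidate` is public transcript data, so this check
    needs no further interaction with the server. That is precisely the
    offline verification a PAKE such as SRP is designed to rule out.
    """
    recomputed = scram_client_proof(candidate, salt, iterations, auth_message)
    return hmac.compare_digest(recomputed, observed_proof)


def candidate_space(pin_digits: int) -> int:
    """Number of distinct numeric PINs of the given length."""
    return 10 ** pin_digits


def seconds_to_exhaust(pin_digits: int, iterations: int, sample: int = 50) -> float:
    """Extrapolate from `sample` timed proof computations how long a single core
    needs to try every PIN of `pin_digits` digits. The cost is linear in both
    10**pin_digits and the iteration count; those are the deployer's only knobs."""
    start = time.perf_counter()
    for i in range(sample):
        scram_client_proof(f"{i:0{pin_digits}d}", SALT, iterations, AUTH_MESSAGE)
    per_guess = (time.perf_counter() - start) / sample
    return per_guess * candidate_space(pin_digits)


if __name__ == "__main__":
    observed = scram_client_proof(PIN, SALT, ITERATIONS, AUTH_MESSAGE)
    print("correct PIN verifies offline:",
          proof_verifies(PIN, SALT, ITERATIONS, AUTH_MESSAGE, observed))
    print("wrong PIN verifies offline:  ",
          proof_verifies("0000", SALT, ITERATIONS, AUTH_MESSAGE, observed))
    for digits in (4, 6, 8):
        est = seconds_to_exhaust(digits, ITERATIONS)
        print(f"{digits}-digit PIN at {ITERATIONS} iterations: "
              f"~{est:.1f} s to exhaust on one core")
```

Run it as a script and compare the three estimates: raising the iteration count buys a linear factor, while each extra PIN digit buys a factor of ten, and neither changes the fact that the check runs entirely offline. The argument in the thread is that only a protocol whose transcript is not a password verifier (SRP-style) removes the offline search altogether.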
