On Fri, Mar 6, 2009 at 6:54 AM, Dave Cridland <[email protected]> wrote:
> On Fri Mar 6 14:42:50 2009, Eric Rescorla wrote:
>>
>> You MITM the initial connection, then wait for one side to offer his
>> proof. You then simulate a failure, crack the password, and move
>> on. Note that if the password is short enough, you can crack it in
>> real time and move on.
>
> Right, I see.
>
> Surely if I'm talking to Peter, and arrange a shared secret, and then I find
> Peter rejects it, I'm going to tell him pretty quickly?

What do you mean rejects it? The attacker simulates a TCP-level failure.
Alternately, he just stalls and waits for the client to give up if he can't
brute-force the password in time.

>> >> I heard suggestions of 4 digit PINs. Those can be bruteforced in less
>> >> than
>> >> a second.
>> >
>> > Still needs time travel to make this attack work, doesn't it?
>>
>> No.
>
> This is certainly going to be harder to deal with - the 4-digit pins are
> really related to hardware and other such dumb devices. I'd guess that with
> SRP, the timescales are simply going to be a bit longer, though?

I don't understand the question. The whole point of PAKE protocols is that
they preclude offline attacks--you need to do a new protocol run to verify
every guess. That's very different.

-Ekr
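The distinction Ekr draws, offline verification of a recorded proof versus one live protocol run per guess, can be made concrete with a small cost model. This is an added example, not code from the thread or from any SRP implementation: the non-PAKE side is a plain HMAC challenge-response whose recorded transcript lets every PIN be tested locally, while the PAKE side is modelled only by its defining property (the transcript is useless, so a guess costs a run against the live peer, which the peer can count and lock out). The PIN values, the nonce and the lockout threshold of five failures are constructed for the example.

```python
"""Cost model for guessing a 4-digit PIN: offline, against a recorded
challenge-response transcript, versus online, one live run per guess as a
PAKE forces. Constructed example; the PAKE is modelled abstractly."""
import hashlib
import hmac

# The 10,000 possible 4-digit PINs discussed in the thread.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def challenge_response(pin: str, nonce: bytes) -> bytes:
    """Non-PAKE proof: HMAC over a server nonce, keyed by the PIN.
    Whoever records (nonce, proof) can test candidate PINs without
    ever talking to the victim again."""
    return hmac.new(pin.encode(), nonce, hashlib.sha256).digest()


def offline_guess_cost(nonce: bytes, proof: bytes):
    """Walk the PIN space against the recorded transcript, locally.
    Returns (recovered_pin, hmac_evaluations) -- no network runs at all."""
    for tried, guess in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(challenge_response(guess, nonce), proof):
            return guess, tried
    return None, len(PIN_SPACE)


class PakePeer:
    """Abstract model of a PAKE verifier (assumption: only the
    guess-per-run property is modelled, not a real protocol).
    The only oracle for a guess is a fresh live run, so the peer can
    count failures and refuse further runs -- the defender's usual
    mitigation for online guessing."""

    def __init__(self, pin: str, max_failures: int = 5):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.runs = 0

    def run(self, guess: str) -> bool:
        """One protocol run; True on success, raises once locked out."""
        if self.failures >= self.max_failures:
            raise PermissionError("locked out after too many failed runs")
        self.runs += 1
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False


def online_guess_cost(peer: PakePeer):
    """Guess against a live PAKE peer. Returns (pin_or_None, runs_made);
    None means the lockout stopped the guessing before the PIN was hit."""
    for guess in PIN_SPACE:
        try:
            if peer.run(guess):
                return guess, peer.runs
        except PermissionError:
            return None, peer.runs
    return None, peer.runs


if __name__ == "__main__":
    nonce = b"constructed-nonce"            # constructed sample transcript
    proof = challenge_response("4821", nonce)
    print("offline:", offline_guess_cost(nonce, proof))   # PIN found, ~4.8k HMACs
    print("online: ", online_guess_cost(PakePeer("4821")))  # locked after 5 runs
```

The offline path finishes in a few thousand HMAC evaluations with no further contact with either party, which is the "crack it in real time" case; the online path is bounded by however many live runs the honest peer is willing to tolerate, which is the property SRP and other PAKEs buy and why a lockout or rate limit on failed runs is the meaningful control for short PINs.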
