Dave Cridland <[email protected]> writes: > On Fri Mar 6 14:58:05 2009, Eric Rescorla wrote: >> What do you mean rejects it? The attacker simulates a TCP-level >> failure. >> Alternately, he just stalls and waits for the client to give up if >> he can't >> brute-force the password in time. > > Right, well, I think I've made myself look stupid enough for one day, > so I'll restrict myself to asking questions. > > So, we have some potential problems with the use of anything that's > subject to an offline dictionary attack. > > Have you got any figures on timescales for this, and computing power > required? I mean, is this something that anyone who hasn't upset the > NSA or GCHQ should be concerned about, or are we within reasonable > range of someone trying to phish credit card numbers?
SCRAM says to use an iteration count of 128, and due to the salting, that means the attacker needs to perform 128 hashes to test a particular password for one session. 'openssl speed sha1' on my machine does around 1000000 16-byte hashes per second. So the attacker can test around 8000 passwords per second. My /usr/share/dict/american-english contains around 100000 words. So it takes around 13 seconds to go through this dictionary on my laptop. This may not be completely correct, and I may be completely wrong about something, but I hope the magnitude is about right. Btw, this argues that the SCRAM iteration count should really be much higher. RFC 3962 uses 4096 by default but even that is slightly low. /Simon
