
RE: Authentication Methods for LDAP - last call (mandatory CRAM-MD5)




> -----Original Message-----
> From: Bruce Greenblatt [mailto:Bgreenblatt@RSA.com]
> Sent: Wednesday, August 05, 1998 1:02 PM

> > 1. It permits a server to totally choose the challenge. This permits a
> > whole class of attacks known as chosen plaintext attacks. Among the most
> > serious of these attacks is the precomputed dictionary attack -- the
> > responses for millions of common passwords to a fixed challenge are
> > precomputed, and any actual client's response can be matched to a password
> > almost instantly.
> >
> [> ]  Actually the server doesn't get to choose the challenge.  It only gets
> to propose the challenge.  This is a subtle distinction.  If the client
> doesn't like the proposed challenge, it is free to break off the
> authentication attempt.

A distinction without a difference. What client won't respond? If it
responds, it must respond to the challenge chosen by the server, otherwise
authentication will fail. The client wants to authenticate, so it will
respond.

> Since the client will reply with a digest that is
> computed (according to RFC 2195) using the shared secret (i.e. the password)
> and the challenge.  I don't think that the precomputed dictionary attack
> would be effective here.

You think incorrectly. All that a precomputed dictionary attack requires is
a response computed from a challenge that the server chose. The attacker
stores a table of (MD5(password, challenge), password) pairs, for the
challenge the server will always send the client. When the client
responds, it looks up the response in the table, and reads out the password.

> Also note that MD5 is 16 bytes long so there are 2 ^ 108 different values.
> Thus, it would take approximately 2^107 attempts
> using a brute force method to guess the correct hash.  Even using the
> fastest processors that DEC just announced, it would still take a while.

I didn't say that a brute force attack would be effective.

> 
> > 2. The password isn't salted so as to be specific to the server. It is
> > very common for users to use the same password for multiple servers. This
> > means their password is only as secure as the least secure server.
> [> ]  This actually has nothing to do with salting and CRAM-MD5, and would
> be true of any password based mechanism.  If I use the same password all
> over the place, my password is only as secure as the least secure server.

I think you don't understand hash functions. If ServerA has
	V1 = MD5(user-name, "ServerA", password)
and ServerB has
	V2 = MD5(user-name, "ServerB", password)
the compromise of V2 does not compromise V1, even though the password is the
same both places. This is how Digest stores password info -- "salted" with
the username and server name (aka "realm").

> 
> > 3. CRAM-MD5 by itself has no method to integrity check LDAP requests; this
> > leaves it open to connection hijacking attacks and man-in-the-middle
> > attacks that enable the attacker to access potentially any server on which
> > the user has an account.
> [> ]  This is true of any authentication only mechanism.

No it isn't. An auth-only mechanism where the client has input into the
challenge is not subject to this kind of MITM attack.

And you missed the point -- Digest auth isn't an auth-only mechanism; it can
also exchange keys.

Paul
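
An added illustration of points 1 and 2 in this exchange (not code from the thread or from any implementation it discusses): it checks that an RFC 2195 response depends only on the password and the server's challenge, that realm-salted stored values differ per server, and that a client-supplied nonce makes each response unique. The user name, passphrase, challenge strings and the `mutual_nonce_response` construction are assumptions made for the example; the last is a simplified stand-in, not the Digest wire format.

```python
import hashlib
import hmac
import os


def cram_md5_response(password: bytes, challenge: bytes) -> str:
    """RFC 2195: HMAC-MD5 keyed with the shared secret over the server's challenge."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def realm_verifier(user: str, realm: str, password: str) -> str:
    """Digest-style stored value MD5(user:realm:password), as in the V1/V2 lines above."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def mutual_nonce_response(verifier: str, server_nonce: str, client_nonce: str) -> str:
    """Simplified stand-in for a client-nonce scheme (assumption, not the Digest
    wire format): the MAC input includes a value the server did not choose."""
    msg = f"{server_nonce}:{client_nonce}".encode()
    return hmac.new(verifier.encode(), msg, hashlib.md5).hexdigest()


def compare() -> dict:
    password = "example-passphrase"              # constructed sample value
    fixed_challenge = b"<1.1@server.example>"    # constructed; server reuses it
    a = cram_md5_response(password.encode(), fixed_challenge)
    b = cram_md5_response(password.encode(), fixed_challenge)
    v1 = realm_verifier("alice", "ServerA", password)
    v2 = realm_verifier("alice", "ServerB", password)
    # Each login the client draws a fresh nonce, so responses differ even when
    # the server repeats its own nonce.
    r1 = mutual_nonce_response(v1, "fixed-server-nonce", os.urandom(16).hex())
    r2 = mutual_nonce_response(v1, "fixed-server-nonce", os.urandom(16).hex())
    return {
        "cram_repeats_under_fixed_challenge": a == b,
        "verifiers_differ_per_server": v1 != v2,
        "client_nonce_responses_differ": r1 != r2,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```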