RE: Authentication Methods for LDAP - last call

[Chris Newman <Chris.Newman@INNOSOFT.COM>]

On Wed, 12 Aug 1998, Paul Leach wrote:
> "This provides client authentication with protection against passive
> eavesdropping attacks, but does not provide protection against active
> intermediary attacks."
> 
> is incorrect. It provides somewhat more protection than base64 encoding the
> password, but leaves it susceptible to chosen plaintext attacks and hence
> precomputed dictionary attacks and batch brute force attacks -- all of which
> are passive eavesdropping attacks.

Incorrect.  The chosen plaintext attack requires an active attacker to
either spoof the server or substitute plaintext for the server's challenge
string.  If the legitimate client and server log all actions, then the
chosen plaintext attack can be detected after the fact by comparing the
logs.

However, I agree that the quotation from the spec is incorrect.  CRAM-MD5
(and all hash-based mechanisms including HTTP digest) are susceptible to a
passive eavesdropping dictionary attack.  This attack is best mitigated by
using good passphrase policy (requring longer passphrases with at least
one non-alphanumeric character).

> I posted a proposed substitute section 8.1, using Digest instead of
> CRAM-MD5. It would permit shared authentication logic and authentication
> databases between HTTP and LDAP -- a BIG win, IMHO.

There is no standards track specification for HTTP digest in SASL at this
time, therefore it is out of order to propose it as a replacement.  The
proposal would have to be "put LDAP and LDAPEXT on hold until we reach
concensus on a replacement for CRAM-MD5 and that replacement becomes
standards track."  I'm neutral on this proposal.

		- Chris