Re: [Fwd: new draft (draft-arsenault-sacred-reqs-00.txt)]
Hi David,
> Thanks, I think. :-)
You're welcome. Honest. :-)
>
> >I don't think I follow what is meant by "network-based off-line".
> >Can you elaborate?
>
> I meant "network-based off-line attacks" to be the same as "off-line
> brute-force attacks from the network" -- generally attacks where the enemy
> is *not* presumed to be in control of the credentials server or have access
> to secret data on the server.
> But this enemy may eavesdrop, or pose (unsuccessfully) as a client to the
> server, or vice-versa, or maybe act as a man-in-the-middle, to obtain some
> crucial data.
> He then uses the data off-line to crack a password or private key.
Ok, now I see what you mean.
Does anyone know of an existing classification of various attacks
against password-based authentication schemes that we might be
able to re-use here? (Or feel like creating one?)
Reason I ask is that I can see us spending a lot of time explaining
ourselves to one another otherwise.
Stephen.
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane, fax: +353 1 647 7499
Dublin 2. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com