RE: [Fwd: new draft (draft-arsenault-sacred-reqs-00.txt)]
Some suggested definitions below...
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxxxxx]
> Sent: Tuesday, September 26, 2000 5:17 PM
> To: David Jablon
> Cc: ietf-sacred
> Subject: Re: [Fwd: new draft (draft-arsenault-sacred-reqs-00.txt)]
>
<...snip...>
> Does anyone know of an existing classification of various attacks
> against password based authentication schemes that we might be
> able to re-use here? (Or feel like creating one?)
>
How about these for a start?
1. Encrypting for the "wrong server". The attacker impersonates the server
to the user, so that the user unknowingly sends their password to the
attacker, as opposed to the server that they had intended to send their
password to.
<< I think that this is an important one to try to protect against.>>
2. Online password guessing. In an online password guessing attack, an
attacker attempts to impersonate the user to a server by attempting to guess
the legitimate user's password.
3. Offline password guessing. In an offline password guessing attack, an
attacker has obtained an "image" of a user's password, and attempts to
exhaust potential passwords in an effort to reproduce the image. When they
have found a password that reproduces the image, then they are able to
successfully impersonate the user.
There's also "shoulder surfing" and "social engineering" attacks, though I
don't think that the protocol will be able to prevent these (whereas user
education might).
I hadn't thought of David's distinction for "network-based offline" before
this.
Mike J.
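The two guessing classes in the message above (online guessing against a live server, offline guessing against a stored "image") call for different defences, and the following added example illustrates both. It is not part of the original message or of the SACRED drafts; the log-line format, the 10-minute window, the failure threshold and the PBKDF2 iteration count are all constructed assumptions for the demonstration.

```python
"""Two defensive checks for the attack classes in the message.

1. Online guessing: the server sees every guess, so it can count failures
   per account inside a sliding window and flag (or lock) the account.
2. Offline guessing: the attacker already holds the stored "image", so the
   only lever left is how expensive each guess is. A per-user random salt
   plus a slow KDF (PBKDF2 here) raises that cost and removes shared
   precomputation across users.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original message).
SAMPLE_LOG = """\
2000-09-26T17:01:05 user=alice src=10.0.0.5 result=fail
2000-09-26T17:01:09 user=alice src=10.0.0.5 result=fail
2000-09-26T17:01:14 user=bob src=10.0.0.9 result=fail
2000-09-26T17:01:20 user=alice src=10.0.0.5 result=fail
2000-09-26T17:01:31 user=bob src=10.0.0.9 result=ok
2000-09-26T17:01:44 user=alice src=10.0.0.5 result=fail
2000-09-26T17:02:02 user=alice src=10.0.0.5 result=fail
2000-09-26T17:02:30 user=alice src=10.0.0.5 result=fail
2000-09-26T17:05:00 user=carol src=10.0.0.7 result=fail
2000-09-26T17:20:00 user=carol src=10.0.0.7 result=fail
2000-09-26T17:35:00 user=carol src=10.0.0.7 result=fail
"""


def parse_line(line):
    """Parse '<iso timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_online_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return the set of accounts that accumulated `threshold` failed logins
    within any `window`-long span. Counting per account (not per source)
    still catches guessing spread over several client addresses."""
    recent_failures = defaultdict(deque)  # account -> timestamps of failures
    flagged = set()
    for record in map(parse_line, lines):
        if record.get("result") != "fail":
            continue
        queue = recent_failures[record["user"]]
        queue.append(record["ts"])
        # Drop failures that fell out of the sliding window.
        while queue and record["ts"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged.add(record["user"])
    return flagged


# Iteration count is an assumed value for the example; tune to the server.
PBKDF2_ITERATIONS = 100_000


def make_image(password, salt=None):
    """Build the stored 'image' of a password: a random per-user salt and
    the PBKDF2-HMAC-SHA256 output. Two users with the same password get
    different images, so one offline guess cannot be reused across them."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Recompute the image for a candidate and compare in constant time."""
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    print("accounts under online guessing:",
          sorted(detect_online_guessing(SAMPLE_LOG.splitlines())))
    salt, digest = make_image("correct horse")
    print("verify correct password:", verify_password("correct horse", salt, digest))
    print("verify wrong password:  ", verify_password("wrong", salt, digest))
```

In the sample log only `alice` is flagged: `bob` has a single failure and `carol`'s failures are 15 minutes apart, so none of them ever shares a 10-minute window. The offline half shows why the "image" matters: with a salt and a slow KDF, every guess against every user's image costs a full PBKDF2 run, whereas an unsalted fast hash would let one precomputed table serve all users at once.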