On Wed, 14 Mar 2007, Frank Ellermann wrote:
> | CRAM-MD5 is no longer considered to provide adequate protection.
> ...
> It's also "better" than DIGEST-MD5 where it's easy to implement and almost impossible to get it wrong. Where somebody managed to implement 2069 / 2617 / 2831 / 2831bis with their many more or less subtle differences CRAM-MD5 still isn't much worse for its purpose: It only has no <cnonce> and no <response-auth>.
And no channel bindings, so it's subject to a channel replacement attack: you *thought* you were talking to the server over SSL, but you were really talking to that MitM. If he wants to go the catalog-of-passwords route, he can even supply you with his own constant challenge on your first login attempt, and then pass through the real server's challenge after you glare at your keyboard and try again.
Does anyone recall the expected cost-per-password that Christian Huitema claimed for dictionary and brute-forcing CRAM-MD5 traces in his presentation to the apps area meeting in Paris? My notes simply say "cheap".
Philip Guenther
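The two gaps named above (no <cnonce>/<response-auth>, and no channel binding, so a relaying party in the middle goes unnoticed) can be made concrete with a small model. The following is an added example, not code from the thread or from any of the RFCs mentioned: it implements CRAM-MD5 as RFC 2195 specifies it, then a hypothetical mutual-authentication variant with a client nonce, a server proof and an optional channel identifier (loosely inspired by DIGEST-MD5's cnonce and response-auth, but its message formats are constructed and it is not RFC 2831). A third function walks the "channel replacement" scenario: the client's TLS session terminates at an interposed party that forwards every message unchanged to the real server over a second TLS session, without ever learning the password. The channel ids and the `tim`/`tanstaaftanstaaf` credentials are constructed sample values (the latter are RFC 2195's worked example).

```python
import hashlib
import hmac
import secrets
import time

# --- CRAM-MD5 as specified in RFC 2195 ------------------------------------
def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: 'user HMAC-MD5(password, challenge)' in lowercase hex."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_md5_verify(response: str, challenge: str, passwords: dict) -> bool:
    """Server side: needs the plaintext password (or an MD5 context keyed by it)."""
    user, _, digest = response.partition(" ")
    secret = passwords.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def fresh_challenge(host: str = "mail.example.invalid") -> str:
    """RFC 2195 style challenge: random part, timestamp and hostname."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>"

# --- Constructed mutual-authentication variant (hypothetical, not RFC 2831) --
# Adds what the thread says CRAM-MD5 lacks: a client nonce, a server proof
# (response-auth) and a channel identifier folded into both MACs.
def _mac(password: str, *parts: str) -> str:
    return hmac.new(password.encode(), "|".join(parts).encode(), hashlib.md5).hexdigest()

def mutual_client_response(username, password, challenge, cnonce, channel_id):
    return f"{username} {cnonce} {_mac(password, 'client', challenge, cnonce, channel_id)}"

def mutual_server_verify(response, challenge, channel_id, passwords):
    """Server side: returns the response-auth proof on success, None on failure."""
    user, cnonce, digest = response.split(" ")
    secret = passwords.get(user)
    if secret is None:
        return None
    if not hmac.compare_digest(_mac(secret, "client", challenge, cnonce, channel_id), digest):
        return None
    return _mac(secret, "server", challenge, cnonce, channel_id)

def mutual_client_accepts(password, challenge, cnonce, channel_id, proof):
    """Client side: only accept if the server proved it knows the password."""
    if proof is None:
        return False
    return hmac.compare_digest(_mac(password, "server", challenge, cnonce, channel_id), proof)

# --- The relay scenario from the thread -------------------------------------
def client_accepts_relayed_login(mode: str, password: str = "tanstaaftanstaaf") -> bool:
    """Constructed model: an interposed party forwards challenge, response and
    server proof unchanged between two TLS sessions and never learns the password.
    The client sees channel id A, the real server sees channel id B.
    Returns True if the client ends up believing the login succeeded."""
    passwords = {"tim": password}
    client_channel, server_channel = "tls-session-A", "tls-session-B"  # constructed ids
    challenge = fresh_challenge()
    if mode == "cram-md5":
        response = cram_md5_response("tim", password, challenge)
        # The client has nothing of its own to check; the server's "OK" is all it gets.
        return cram_md5_verify(response, challenge, passwords)
    cnonce = secrets.token_hex(8)
    if mode == "mutual":
        cb_client = cb_server = ""  # response-auth, but no channel binding
    elif mode == "mutual+cb":
        cb_client, cb_server = client_channel, server_channel
    else:
        raise ValueError(f"unknown mode {mode!r}")
    response = mutual_client_response("tim", password, challenge, cnonce, cb_client)
    proof = mutual_server_verify(response, challenge, cb_server, passwords)
    return mutual_client_accepts(password, challenge, cnonce, cb_client, proof)

if __name__ == "__main__":
    for mode in ("cram-md5", "mutual", "mutual+cb"):
        print(f"{mode:10s} relayed login accepted by client: {client_accepts_relayed_login(mode)}")
```

Two things fall out of running it. First, a server proof on its own does not stop a pure relay: the interposed party forwards a proof the real server computed over the same challenge and cnonce, and the client accepts it, so only the variant that folds the channel identity into the MACs rejects the session. Second, the CRAM-MD5 response is a deterministic function of the challenge and password, and the client never checks that the challenge is fresh, which is exactly what makes the constant-challenge trick in the thread possible; the one-way exchange gives the client no hook at which to notice.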