Re: Security (crammd5)

[Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx>]

Philip Guenther wrote:

  [comparison with 2831bis authentication]
>> CRAM-MD5 still isn't much worse for its purpose:  It only has 
>> no <cnonce> and no <response-auth>.
 
> And no channel bindings, so it's subject to a channel replacement
> attack: you *thought* you were talking to the server over SSL,
> but you were really talking to that MitM.

Yes, I tried to mention that near the begin of my mail as "over TLS
it could be fine (ignoring the issue discussed in a separate thread
wrt 2554bis)".  

Maybe not exactly the same issue, Sam's 2554bis discuss wasn't about
"channel bindings".  And as far as CRAM-MD5 or DIGEST-MD5 are only
used for authentication (not auth-int or auth-conf) I still fail to
see the point of "channel bindings":

Again assuming that folks don't accept TLS certificates just because
they happen to be syntactically valid.

2195 clearly says "CRAM does not support a protection mechanism" and
2195bis states "This mechanism does not provide a security layer".

> If he wants to go the catalog-of-passwords route, he can even supply
> you with his own constant challenge on your first login attempt, and
> then pass through the real server's challenge after you glare at
> your keyboard and try again.

Yes, that's addressed in the 2195bis security considerations.  I did
not claim that a <cnonce> as in DIGEST-MD5 is pointless.  CRAM-MD5 is
better than plain text, "login", APOP, or a derived SMTP-after-APOP
kludge, but it's not what you want to secure say banking transactions.

Wrt a constant challenge it would be better if 2195bis sticks to the
original <msg-id> concept, where that's at least in theory forbidden,
I've noted that in another mail.

Frank