RE: Authentication Methods for LDAP - my vote for CRAM-MD5
> -----Original Message-----
> From: George Powers [mailto:george@packeteer.com]
> Sent: Wednesday, August 05, 1998 6:43 AM
> To: ietf-ldapext@netscape.com
> Subject: Authentication Methods for LDAP - my vote for CRAM-MD5
>
>
> I've read the arguments that question the security of CRAM-MD5, but these
> arguments only demonstrate that a sophisticated attacker can break CRAM-MD5
> in certain circumstances. A system using CRAM-MD5 is still much, much more
> secure than one using clear-text passwords. Is there another, equally
> simple scheme that is open (no licensing required) and more secure?
HTTP Digest.
I have spent a year being beaten up about how trivial it is to break our
proprietary NTLM authentication scheme, which is almost completely
isomorphic to CRAM-MD5. There are web sites available that will tell you
your password in less than a second if you use NTLM to authenticate to them.
So, the attacks are not theoretical, nor do they require lots of sophistication.
I cannot in good conscience support CRAM-MD5. If you want to make it
optional, fine, but not mandatory to implement -- it's a waste of time.
1. CRAM-MD5 has no client input into the challenge
2. CRAM-MD5 has no salt for the password
3. CRAM-MD5 has no way to generate session keys for integrity or encryption
4. CRAM-MD5 has no way to use third party authentication server
Paul
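As an added example, not part of this thread: Python computing the CRAM-MD5 proof (RFC 2195) beside the HTTP Digest response Paul points to (RFC 2617, qop=auth), using the test vectors published in those two RFCs, so the inputs behind points 1 and 2 of the list are visible in code.

```python
"""Added example, not code from the thread: CRAM-MD5 (RFC 2195) next to
HTTP Digest (RFC 2617, qop=auth). Test vectors are the RFCs' own."""
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5. The only secret input is the raw password
    (no salt: point 2) and the only nonce is the server's challenge
    (no client input: point 1)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side. Checking the HMAC needs the password itself (or an
    equivalent keyed-MD5 state), and nothing usable as a session key
    for integrity or encryption falls out of the exchange (point 3)."""
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 binds the realm to the password, so the verifier a Digest
    server stores differs per realm for the same password (realm acts
    as a salt-like input that CRAM-MD5 lacks). HA1 is still
    password-equivalent for that realm and must be protected as such."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth. The client-chosen cnonce enters
    the final hash, so the server alone does not fix every nonce input."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{digest_ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    chal = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 example
    resp = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    print("CRAM-MD5:", resp, cram_md5_verify("tanstaaftanstaaf", chal, resp))
    print("Digest:", digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                                     "GET", "/dir/index.html",
                                     "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                                     "00000001", "0a4f113b"))
```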