RE: Authentication Methods for LDAP - last call
> -----Original Message-----
> From: Chris Newman [mailto:Chris.Newman@innosoft.com]
> Sent: Thursday, August 13, 1998 10:12 AM
>
> On Wed, 12 Aug 1998, Paul Leach wrote:
> > "This provides client authentication with protection against passive
> > eavesdropping attacks, but does not provide protection against active
> > intermediary attacks."
> >
> > is incorrect. It provides somewhat more protection than base64 encoding the
> > password, but leaves it susceptible to chosen plaintext attacks and hence
> > precomputed dictionary attacks and batch brute force attacks -- all of which
> > are passive eavesdropping attacks.
>
> Incorrect.
You're right. I can't believe I said it. What I _meant_ to say is that they
are _not_ "active intermediary attacks". A rogue server, to which you have
been attracted or lured by a bogus URL in email or promises of useful
information, can perform the chosen plaintext attack. I don't call such a
server an "active intermediary".
Paul