On Fri, 8 Aug 2003, Brian Candler wrote:

> On Fri, Aug 08, 2003 at 12:03:01AM +0900, Hugh Sasse Staff Elec Eng wrote:

  (what was effectively a crayon sketch of CRAM MD5, roughly)
>
> OK. That lets B authenticate A. The main weakness is that if the nonce and

So I have them both ways.

> response are sniffed, the password is subject to an off-line dictionary
> attack.

Agreed.  I don't know a good way round this.  I expect any method
based on hashing has this misfeature.  SHA is said to be better than
MD5 in the RFCs, small help though that is.
>
> And of course, this exchange does not protect the rest of the data in
> transit. An active attacker could allow this authentication exchange to take
> place, and then substitute the subsequent session data with something else.

Which is why I keep changing the nonce for each bit of dialogue
between the machines, try to ensure (Time(),Date()) that it never
repeats, and make the plain text part of the input to the hasher, so
its authenticity gets tested when the hash is checked.

I'm sure I've missed something, though.  The phrase "cunning plan"
springs to mind, unfortunately.

>
> Regards,
>
> Brian.
>
        Hugh
>
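The scheme Hugh sketches above (a fresh nonce for each piece of dialogue, with the plaintext fed into the keyed hash so a substituted message fails the check), written out as an added example in Ruby; this is not code from the thread, the shared secret and the nonce format are constructed values, the digest is SHA-256 rather than CRAM-MD5's MD5, and the receiver additionally remembers which nonces it issued so a sniffed response cannot be replayed. It does nothing about the off-line dictionary attack Brian describes; a sniffed nonce and tag still let an attacker test password guesses.

```ruby
require 'openssl'
require 'securerandom'

# Constructed shared secret; in the thread's setting this is the password
# both machines know. Digest is SHA-256 rather than CRAM-MD5's MD5.
SECRET = 'correct horse battery staple'
DIGEST = 'SHA256'

# Keyed hash over nonce and plaintext: changing either changes the tag,
# so checking the tag checks the message as well as the secret.
def tag(secret, nonce, body)
  OpenSSL::HMAC.hexdigest(DIGEST, secret, "#{nonce}\0#{body}")
end

# Byte-wise compare that does not short-circuit on the first mismatch.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sender (A): answer the receiver's nonce for this piece of dialogue.
def respond(secret, nonce, body)
  tag(secret, nonce, body)
end

# Receiver (B): issues one nonce per message and refuses to accept a nonce
# twice, so a sniffed (nonce, body, tag) triple cannot be replayed later.
class Receiver
  def initialize(secret)
    @secret = secret
    @outstanding = {}
  end

  # Random part plus timestamp, as the thread suggests, so it never repeats.
  def issue_nonce
    n = "#{SecureRandom.hex(16)}.#{Time.now.to_i}"
    @outstanding[n] = true
    n
  end

  # True only for a nonce B issued and has not yet consumed, and only when
  # the tag matches the body as received.
  def accept?(nonce, body, response)
    return false unless @outstanding.delete(nonce)
    secure_eq(tag(@secret, nonce, body), response)
  end
end
```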