On Mon, 14 Mar 2005, Marco Colombo wrote:
> I'm not happy to hear there is a 'large number of deployments' where the RFC 2831 recommendation is violated. The admins of those sites should consider either getting more resources (entropy, in this case) or stop running any strong but demanding SASL mechanism (or SSL/TLS). Once again, by definition, "a large number" does not mix well with the "particular circumstances" mentioned in the RFC.
It is highly likely that unless they have a REALLY good source of entropy, they could still be relatively easily DOS'd just by asking for lots of DIGEST authentications.
> What's the point in using any strong auth mech in a way that violates its RFC recommendations? Moreover, is it ok for any software having a _default_ configuration that acts against some RFCs?
It's not acting against or violating the RFC. The RFC specifies a SHOULD. There is a supported configuration that agrees with the SHOULD even.
It's very important to keep in mind that the attack that is being defended against here would be extraordinarily difficult to make use of in practice, since the only benefit you'd see out of not having good entropy is the "ability" to select the server's nonce by controlling the PRNG of the server. So you could possibly precompute lookup tables based on the selected nonce which would allow you to break the shared secret (and thus, the session).
It is quite likely the case that there are easier attacks on other parts of the server beyond the authentication exchange that would allow you to access the shared secret directly. Or at least it's worth spending the time to look for them before trying to predict the PRNG output.
> Having said that, now I'll let this thread die, I promise. :-)
Sounds good.
--------------------------------------------------------------------- Rob Siemborski
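Below is an added example, not code from Cyrus SASL or from either poster, illustrating the two sides of the exchange above: a server nonce drawn from the operating system's CSPRNG (which does not block once the kernel pool is seeded, so a flood of DIGEST authentications cannot starve it) next to a nonce drawn from a seeded, deterministic PRNG, where anyone holding the seed reproduces every nonce the server will emit. The 16-byte nonce length and the base64 encoding are this example's assumptions, not text from RFC 2831.

```python
"""Server-nonce generation for a DIGEST-style challenge.

Added example; not Cyrus SASL code. Contrasts a nonce taken from the OS
CSPRNG with one taken from a seeded Mersenne Twister, to show why a
predictable PRNG hands the nonce to whoever knows its state.
"""
import base64
import random
import secrets
from typing import Callable, List

# Assumption for this example: 16 random bytes (128 bits) per nonce.
NONCE_BYTES = 16


def encode_nonce(raw: bytes) -> str:
    """The challenge carries the nonce as a quoted string; base64 keeps it printable."""
    return base64.b64encode(raw).decode("ascii")


def strong_nonce() -> str:
    """Nonce from secrets.token_bytes (os.urandom underneath).

    os.urandom does not block once the kernel pool has been seeded at boot,
    so repeated authentication requests cannot stall the server waiting for
    entropy: that is the DoS concern raised in the thread.
    """
    return encode_nonce(secrets.token_bytes(NONCE_BYTES))


def weak_nonce_source(seed: int) -> Callable[[], str]:
    """Nonce generator backed by a seeded Mersenne Twister: the WEAK case.

    random.Random is deterministic; two instances with the same seed emit the
    same bytes forever, so the nonce is known in advance to anyone who knows
    (or can reconstruct) the seed. This is what 'controlling the server's
    PRNG' amounts to in practice.
    """
    rng = random.Random(seed)

    def next_nonce() -> str:
        raw = bytes(rng.getrandbits(8) for _ in range(NONCE_BYTES))
        return encode_nonce(raw)

    return next_nonce


def nonce_sequence(gen: Callable[[], str], count: int) -> List[str]:
    """Draw `count` nonces from a generator, one per simulated challenge."""
    return [gen() for _ in range(count)]


def all_distinct(nonces: List[str]) -> bool:
    """Each challenge must get a fresh nonce; a repeat would permit replay."""
    return len(set(nonces)) == len(nonces)


def predictable(seed: int, count: int = 5) -> bool:
    """True when two separately created weak generators sharing a seed emit
    identical nonce sequences, i.e. an observer with the seed predicts them."""
    first = nonce_sequence(weak_nonce_source(seed), count)
    second = nonce_sequence(weak_nonce_source(seed), count)
    return first == second


def strong_sequences_diverge(count: int = 5) -> bool:
    """Two runs of the CSPRNG-backed generator should never coincide."""
    return nonce_sequence(strong_nonce, count) != nonce_sequence(strong_nonce, count)


if __name__ == "__main__":
    print("weak generator reproducible from its seed:", predictable(1234))
    print("strong generator diverges between runs:", strong_sequences_diverge())
    print("100 strong nonces all distinct:",
          all_distinct(nonce_sequence(strong_nonce, 100)))
```

The point for an operator reading the thread: the fix is not "more /dev/random", it is making sure the nonce comes from a non-blocking CSPRNG rather than from a library PRNG whose state can be reconstructed.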
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html