Re: MD5 authentication needs help -SCRAM

On 03/09/2015 04:43 PM, Abhijit Menon-Sen wrote:
> At 2015-03-09 13:52:10 +0200, hlinnaka(at)iki(dot)fi wrote:
>>
>> Do you have any insight on why the IETF working group didn't choose a
>> PAKE protocol instead of or in addition to SCRAM, when SCRAM was
>> standardized?
>
> Hi Heikki.
>
> It was a long time ago, but I recall that SRP was patent-encumbered:
>
> https://datatracker.ietf.org/ipr/search/?rfc=2945&submit=rfc
>
> The Wikipedia page says the relevant patents expired in 2011 and 2013.
> I haven't followed SRP development since then, maybe it's been revised.
>
> When SCRAM was being discussed, I can't recall any other proposals for
> PAKE protocols. Besides, as you may already know, anyone can submit an
> internet-draft about anything. It needs to gain general support for an
> extended period in order to advance through the standards process.

Ok, makes sense. Perhaps it would be time to restart the discussion on
standardizing SRP as a SASL mechanism in IETF. Or we could just
implement the draft as it is.

> Could you please explain what exactly you mean about a SCRAM
> eavesdropper gaining some advantage in being able to mount a
> dictionary attack? I didn't follow that part.

Assume that the connection is not encrypted, and Eve captures the SCRAM
handshake between Alice and Bob. Using the captured handshake, she can
try to guess the password, offline. With a PAKE protocol, she cannot do
that.

- Heikki