CRAM-MD5

CRAM-MD5

In cryptography, CRAM-MD5 is a
challenge-response authentication mechanism (hence "CRAM") defined in RFC 2195 based on the
HMAC-MD5 MACalgorithm. It is employed by some
SASLimplementations, and it is quite often supported by SMTP-AUTH Mail submission agents.

Protocol

In CRAM-MD5 authentication the server first sends a challenge string to the client. The client responds with a username followed by a space character and then a 16-byte
digest in hexadecimal notation.The digest is the output of HMAC-MD5 withthe user's password as the secret key, and the server's original challenge as the message. The server also calculates its own digest with its notion of the user's password, and if the client's digest and the server's digest match then authentication was successful.

This provides three important types of security. First, others cannot duplicate the hash without knowing the password.This provides authentication. Second, others cannot replay the hash—it is dependent on the unpredictable challenge.This is variously called freshness or replay prevention.Third, observers do not learn the password. This is called secrecy. The two important features of this protocol thatprovide these three security benefits are the one-way hash and the fresh random challenge.

History

CRAM-MD5 was originally defined in RFC 2095, laterobsoleted by RFC 2195. In practice it's the onlyallowed and supported SASL-mechanism for ESMTPA without
Transport Layer Security (TLS). CRAM-MD5 is required for On-Demand Mail Relay (ODMR) defined in RFC 2645. The also often supported SASL-mechanism plainfor ESMTPA is "officially" not allowed outsideof secure connections (TLS, the successor of SSL),and mechanism login is no SASL-mechanism atall - both transport unencrypted passwords. Theyscramble the passwords with Base64 encoding. SinceBase64 is not one-way, there is no secrecy.

The Internet Assigned Numbers Authority (IANA)maintains two registries relevant for CRAM-MD5:

# SASL-mechanisms incl. CRAM-MD5 for limited use, PLAIN, and DIGEST-MD5
# Mail transmission protocol types incl. ESMTP, ESMTPA, ESMTPS, and ESMTPSA

ESMTPA stands for ESMTP with SMTP-AUTH, andESMTP is SMTPwith Service Extensions as defined in RFC 2821.ESMTPS is ESMTP over a secure connection. ESMTPSAis both ESMTPA and ESMTPS - that's a constellationwhere SASL-mechanism plain is allowed.

John Klensin was the editor or co-author of(among many others) RFCs 2095, 2195, 2476, 2645, 2821, and 4409.

ee also

* Simple Authentication and Security Layer (SASL)
* Simple Mail Transfer Protocol (SMTP)
* Internet Message Access Protocol (IMAP)
* Post Office Protocol (POP)
* HMAC, MD5, SMTP-AUTH

External links

* RFC 2195 IMAP/POP AUTHorize Extension for Simple Challenge/Response
* [http://www.iana.org/assignments/sasl-mechanisms IANA registry of SASL mechanisms]
* [http://www.iana.org/assignments/mail-parameters IANA registry of MAIL parameters]
* [http://tools.ietf.org/html/draft-ietf-sasl-crammd5 2195bis Internet draft] (for I18N in SASL)
* [http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html MD5 Homepage (unofficial)]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать реферат

Look at other dictionaries:

  • CRAM-MD5 — (Challenge Response Authentication Mechanism, Message Digest 5) ist ein Authentifizierungsverfahren nach dem Challenge Response Prinzip auf der Basis des MD5 HMAC Algorithmus. Es wird beispielsweise gerne zur Authentifizierung gegenüber SMTP oder …   Deutsch Wikipedia

  • Cram-md5 — (Challenge Response Authentication Mechanism, Message Digest 5) ist ein Authentifizierungsverfahren nach dem Challenge Response Prinzip auf der Basis des MD5 HMAC Algorithmus. Es wird beispielsweise gerne zur Authentifizierung gegenüber SMTP oder …   Deutsch Wikipedia

  • CRAM-MD5 — В криптографии, CRAM MD5 является механизмом аутентификации вида запрос ответ (англ. challenge response authentication mechanism, отсюда «CRAM»), определенному в RFC 2195, основанному на алгоритме HMAC MD5 MAC. Он используется некоторыми… …   Википедия

  • MD5 — General Designers Ronald Rivest First published April 1992 Series MD2, MD4, MD5, MD6 Detail Digest sizes 128 bits …   Wikipedia

  • Comparison of mail servers — This is a comparison of mail servers: mail transfer agents, mail delivery agents, and other computer software which provide e mail services. Contents 1 Feature comparison 2 Authentication 3 Antispam Features …   Wikipedia

  • SMTP-Auth — (SMTP Authentifizierung, auch als ASMTP bezeichnet) ist eine Erweiterung des ESMTP Protokolls, die einem Mailserver eine Authentifizierung des Clients anhand seines Nutzernamens und Kennworts ermöglicht. Über einen SMTP Auth fähigen Server können …   Deutsch Wikipedia

  • Сравнение почтовых программ — Эту статью следует викифицировать. Пожалуйста, оформите её согласно правилам оформления статей …   Википедия

  • Comparison of email clients — The following tables compare general and technical features of a number of e mail client programs. Please see the individual products articles for further information. This article is not all inclusive or necessarily up to date. Contents 1… …   Wikipedia

  • SASL — Simple Authentication and Security Layer (SASL) ist ein Framework, das von verschiedenen Protokollen zur Authentifizierung im Internet verwendet wird. Es wurde im Oktober 1997 als RFC 2222 definiert und im Juni 2006 durch RFC 4422 ersetzt. SASL… …   Deutsch Wikipedia

  • Список RFC — Здесь представлен список RFC (документ запроса комментариев). Поскольку на данный момент их существует более 5000, то в данном списке представлены лишь наиболее значимые из них, по которым существуют связанные с ними статьи. Содержание 1 RFC по… …   Википедия

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”