CRAM-MD5
Encyclopedia
In cryptography
, CRAM-MD5 is a
challenge-response authentication
mechanism
(hence "CRAM") defined in RFC 2195 based on the
HMAC-MD5 MAC
algorithm. It is employed by some
SASL
implementations, and it is quite often supported
by SMTP-AUTH Mail submission agent
s.
This provides three important types of security.
The two important features of this protocol that provide these three security benefits are the one-way hash and the fresh random challenge.
(TLS). CRAM-MD5 is required for On-Demand Mail Relay (ODMR) defined in RFC 2645.
The also often supported SASL-mechanism plain for ESMTPA is officially not allowed outside of secure connections (TLS, the successor of SSL), and mechanism login is no SASL-mechanism at all—both transport unencrypted passwords. They scramble the passwords with Base64
encoding. Since Base64 is not one-way, there is no secrecy.
The Internet Assigned Numbers Authority
(IANA) maintains two registries relevant for CRAM-MD5:
ESMTPA stands for ESMTP with SMTP-AUTH, and ESMTP is SMTP
with Service Extensions as defined in RFC 5321. ESMTPS is ESMTP over a secure connection. ESMTPSA is both ESMTPA and ESMTPS—that's a consolation where SASL-mechanism plain is allowed.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, CRAM-MD5 is a
challenge-response authentication
Challenge-response authentication
In computer security, challenge-response authentication is a family of protocols in which one party presents a question and another party must provide a valid answer to be authenticated....
mechanism
(hence "CRAM") defined in RFC 2195 based on the
HMAC-MD5 MAC
Message authentication code
In cryptography, a message authentication code is a short piece of information used to authenticate a message.A MAC algorithm, sometimes called a keyed hash function, accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC...
algorithm. It is employed by some
SASL
Simple Authentication and Security Layer
Simple Authentication and Security Layer is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses...
implementations, and it is quite often supported
by SMTP-AUTH Mail submission agent
Mail submission agent
A mail submission agent is a computer program or software agent that receives electronic mail messages from a mail user agent and cooperates with a mail transfer agent for delivery of the mail...
s.
Protocol
- Challenge: In CRAM-MD5 authentication, the server first sends a challenge string to the client.
- Response: The client responds with a string created as follows.
- The challenge was sent as a base64Base64Base64 is a group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation...
-encoded string, which is decoded. - The decoded challenge is encrypted using HMAC-MD5HMACIn cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message...
with the user's password as the secret key. - The encrypted challenge is converted to a string of hex digits.
- The username and a space character are prepended to the hex digits.
- The concatenation is then base64-encoded and sent to the server
- The challenge was sent as a base64
- Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match then authentication was successful.
This provides three important types of security.
- First, others cannot duplicate the hash without knowing the password. This provides authentication.
- Second, others cannot replay the hash—it is dependent on the unpredictable challenge. This is variously called freshness or replay preventionReplay attackA replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet...
. - Third, observers do not learn the password. This is called secrecy.
The two important features of this protocol that provide these three security benefits are the one-way hash and the fresh random challenge.
Protocol weaknesses
- No mutual authenticationMutual authenticationMutual authentication or two-way authentication refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the...
: client does not verify server. - Weak password storage: Some implementation require access to the users' plain text passwords while some others (e.g. dovecot) use the intermediate step of the HMAC process to store a sort of MD5 of the password (i.e. inner MD5 and outer MD5 combined).
- Threat of reversibility: offline dictionary attack to recover password feasible after capturing a successful CRAM-MD5 protocol exchange (e.g. Cain & Abel).
History
CRAM-MD5 was originally defined in RFC 2095, later rendered obsolete by RFC 2195. In practice it's the only allowed and supported SASL-mechanism for ESMTPA without Transport Layer SecurityTransport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
(TLS). CRAM-MD5 is required for On-Demand Mail Relay (ODMR) defined in RFC 2645.
The also often supported SASL-mechanism plain for ESMTPA is officially not allowed outside of secure connections (TLS, the successor of SSL), and mechanism login is no SASL-mechanism at all—both transport unencrypted passwords. They scramble the passwords with Base64
Base64
Base64 is a group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation...
encoding. Since Base64 is not one-way, there is no secrecy.
The Internet Assigned Numbers Authority
Internet Assigned Numbers Authority
The Internet Assigned Numbers Authority is the entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System , media types, and other Internet Protocol-related symbols and numbers...
(IANA) maintains two registries relevant for CRAM-MD5:
- SASL-mechanisms incl. CRAM-MD5 for limited use, PLAIN, and the historic DIGEST-MD5
- Mail transmission protocol types incl. ESMTP, ESMTPA, ESMTPS, and ESMTPSA
ESMTPA stands for ESMTP with SMTP-AUTH, and ESMTP is SMTP
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
with Service Extensions as defined in RFC 5321. ESMTPS is ESMTP over a secure connection. ESMTPSA is both ESMTPA and ESMTPS—that's a consolation where SASL-mechanism plain is allowed.
See also
- Simple Authentication and Security LayerSimple Authentication and Security LayerSimple Authentication and Security Layer is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses...
(SASL) - Simple Mail Transfer ProtocolSimple Mail Transfer ProtocolSimple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
(SMTP) - Internet Message Access ProtocolInternet Message Access ProtocolInternet message access protocol is one of the two most prevalent Internet standard protocols for e-mail retrieval, the other being the Post Office Protocol...
(IMAP) - Post Office ProtocolPost Office ProtocolIn computing, the Post Office Protocol is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. POP and IMAP are the two most prevalent Internet standard protocols for e-mail retrieval. Virtually all modern...
(POP) - HMACHMACIn cryptography, HMAC is a specific construction for calculating a message authentication code involving a cryptographic hash function in combination with a secret key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message...
, MD5MD5The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity...
, SMTP-AUTH - John KlensinJohn KlensinDr. John C. Klensin is a computer science professional who is active in Internet-related issues.His career includes 30 years as a Principal Research Scientist at MIT, a stint as INFOODS Project Coordinator for the United Nations University, Distinguished Engineering Fellow at MCI WorldCom, and...