In cryptography, CRAM-MD5 is a challenge–response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.

When such software requires authentication over unencrypted connections, CRAM-MD5 is preferred over mechanisms that transmit passwords "in the clear," such as LOGIN and PLAIN. However, it can't prevent derivation of a password through a brute-force attack, so it is less effective than alternative mechanisms that avoid passwords or that use connections encrypted with Transport Layer Security (TLS).

Protocol

The CRAM-MD5 protocol involves a single challenge and response cycle, and is initiated by the server:

1. Challenge: The server sends a base64-encoded string to the client. Before encoding, it could be any random string, but the standard that currently defines CRAM-MD5 says that it is in the format of a Message-ID email header value (including angle brackets) and includes an arbitrary string of random digits, a timestamp, and the server's fully qualified domain name.
2. Response: The client responds with a string created as follows.
   1. The challenge is base64-decoded.
   2. The decoded challenge is hashed using HMAC-MD5, with a shared secret (typically, the user's password, or a hash thereof) as the secret key.
   3. The hashed challenge is converted to a string of lowercase hex digits.
   4. The username and a space character are prepended to the hex digits.
   5. The concatenation is then base64-encoded and sent to the server.
3. Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match, then authentication was successful.

Strengths

The one-way hash and the fresh random challenge provide three types of security:

1. Others cannot duplicate the hash without knowing the password. This provides authentication.
2. Others cannot replay the hash; it is dependent on the unpredictable challenge. This is variously called freshness or replay prevention.
3. Observers do not learn the password; this is called secrecy.

Weaknesses

- No mutual authentication: the client does not verify the server. However, SASL authentication is usually done over a TLS connection, which verifies the server's identity.
- Weak password storage: some implementations require access to the users' plain text passwords, while others (e.g. Dovecot) use the intermediate step of the HMAC process to store the MD5 hash of the password (strictly speaking, of HMAC's internal variables i_key_pad and o_key_pad). Such implementations exploit the fact that, to compute md5(something_with_64_bytes || something_else), only md5_internal(something_with_64_bytes) and something_else need to be known (because MD5 uses the Merkle–Damgård construction; md5_internal is md5 without the final block). As i_key_pad and o_key_pad are at the start of the inner and outer hash of HMAC, and have a length of 64 bytes, this fact can be used.
- Threat of reversibility: an offline dictionary attack to recover the password is feasible after capturing a successful CRAM-MD5 protocol exchange (e.g., using Cain & Abel). This threat is unavoidable in any password hashing scheme, but more modern algorithms use key stretching for increasing the cost of an attack by a factor of one thousand or more. Conversely, CRAM-MD5 digests can be calculated using very few computational resources on dedicated hardware, or even just standard CPUs.
- Proxy-ability: Unlike a password-authenticated key agreement (PAKE) scheme, CRAM-MD5 does not establish a secret shared between the two endpoints but unknown to an eavesdropper. An active man in the middle can therefore open a connection to the server, get a challenge, offer that challenge to the client, receive the client's response, and forward that response to the server. It can now drop the client's further messages while impersonating the client to the server.

Standards

CRAM-MD5 is defined by the IETF standards-track document RFC 2195, which supersedes RFC 2095, from earlier in 1997. These de facto standards define CRAM-MD5 as an authentication method for the email mailbox-management protocols POP and IMAP.

CRAM-MD5 is one of the authentication methods supported by Simple Authentication and Security Layer (SASL), defined in 2006 by RFC 4422, which supersedes the 1997 standard RFC 2222.

The Internet Assigned Numbers Authority (IANA) maintains a registry of SASL mechanisms, including CRAM-MD5, for limited use.

CRAM-MD5 is required for On-Demand Mail Relay (ODMR), defined in RFC 2645.

Obsolete

On 20 November 2008 it was recommended that the standard be deprecated. As alternatives, the recommendation names e.g. SCRAM or SASL Plain protected by TLS.

See also

- Simple Mail Transfer Protocol (SMTP)
- John Klensin

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.