In cryptography, CRAM-MD5 is a challenge–response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols. When such software requires authentication over unencrypted connections, CRAM-MD5 is preferred over mechanisms that transmit passwords "in the clear," such as LOGIN and PLAIN. However, it can't prevent derivation of a password through a brute-force attack, so it is less effective than alternative mechanisms that avoid passwords or that use connections encrypted with Transport Layer Security (TLS).


Protocol

The CRAM-MD5 protocol involves a single challenge and response cycle, and is initiated by the server:

1. Challenge: The server sends a base64-encoded string to the client. Before encoding, it could be any random string, but the standard that currently defines CRAM-MD5 says that it is in the format of a Message-ID email header value (including angle brackets) and includes an arbitrary string of random digits, a timestamp, and the server's fully qualified domain name.
2. Response: The client responds with a string created as follows.
   1. The challenge is base64-decoded.
   2. The decoded challenge is hashed using HMAC-MD5, with a shared secret (typically, the user's password, or a hash thereof) as the secret key.
   3. The hashed challenge is converted to a string of lowercase hex digits.
   4. The username and a space character are prepended to the hex digits.
   5. The concatenation is then base64-encoded and sent to the server.
3. Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match, then authentication was successful.
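The three steps above, with both sides of the exchange, as an added example that is not part of the original page. Function names and the `lookup_secret` callback are illustrative; the sample user, secret and challenge in `rfc2195_example` are the example values published in RFC 2195.

```python
import base64, hashlib, hmac, os, time

def make_challenge(fqdn):
    """Server step 1: Message-ID style <random.timestamp@fqdn>, base64-encoded."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return base64.b64encode(f"<{nonce}.{int(time.time())}@{fqdn}>".encode())

def hex_digest(secret, challenge_b64):
    """Steps 2.1-2.3: decode the challenge, HMAC-MD5 it, lowercase hex."""
    raw = base64.b64decode(challenge_b64, validate=True)
    return hmac.new(secret, raw, hashlib.md5).hexdigest()

def client_response(username, secret, challenge_b64):
    """Steps 2.4-2.5: prepend 'username ' and base64-encode."""
    return base64.b64encode(f"{username} {hex_digest(secret, challenge_b64)}".encode())

def server_verify(response_b64, challenge_b64, lookup_secret):
    """Step 3: recompute the response; return the username or None."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # The digest is the last space-separated field; usernames may contain spaces.
    username, sep, digest = decoded.rpartition(" ")
    secret = lookup_secret(username) if sep else None
    if secret is None:
        return None
    expected = hex_digest(secret, challenge_b64)
    # Constant-time comparison of the two hex strings.
    return username if hmac.compare_digest(expected.encode(), digest.encode()) else None

def rfc2195_example():
    """Response for the RFC 2195 sample exchange (user 'tim')."""
    challenge = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>")
    return client_response("tim", b"tanstaaftanstaaf", challenge)

if __name__ == "__main__":
    users = {"tim": b"tanstaaftanstaaf"}          # constructed user table
    ch = make_challenge("mail.example.org")       # constructed host name
    resp = client_response("tim", users["tim"], ch)
    print(server_verify(resp, ch, users.get))                               # tim
    print(server_verify(resp, make_challenge("mail.example.org"), users.get))  # None
```

The second call in the demo presents the same response against a fresh challenge and is rejected, which is the replay protection the fresh challenge provides.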


Strengths

The one-way hash and the fresh random challenge provide three types of security:

* Others cannot duplicate the hash without knowing the password. This provides authentication.
* Others cannot replay the hash, because it is dependent on the unpredictable challenge. This is variously called freshness or replay prevention.
* Observers do not learn the password; this is called secrecy.


Weaknesses

* No mutual authentication: the client does not verify the server. However, SASL authentication is usually done over a TLS connection, which verifies the server's identity.
* Weak password storage: some implementations require access to the users' plain text passwords, while others (e.g. Dovecot) use the intermediate step of the HMAC process to store the MD5 hash of the password (strictly speaking, of HMAC's internal variables i_key_pad and o_key_pad). Such implementations exploit the fact that, to compute md5(something_with_64_bytes || something_else), only md5_internal(something_with_64_bytes) and something_else need to be known (because MD5 uses the Merkle–Damgård construction; md5_internal is md5 without the final block). Because i_key_pad and o_key_pad are at the start of the inner and outer hash of HMAC and each have a length of 64 bytes, this property can be used.
* Threat of reversibility: an offline dictionary attack to recover the password is feasible after capturing a successful CRAM-MD5 protocol exchange (e.g., using Cain & Abel). This threat is unavoidable in any password hashing scheme, but more modern algorithms use key stretching to increase the cost of an attack by a factor of one thousand or more. Conversely, CRAM-MD5 digests can be calculated using very few computational resources on dedicated hardware, or even just standard CPUs.
* Proxy-ability: Unlike a password-authenticated key agreement (PAKE) scheme, CRAM-MD5 does not establish a secret shared between the two endpoints but unknown to an eavesdropper. An active man in the middle can therefore open a connection to the server, get a challenge, offer that challenge to the client, receive the client's response, and forward that response to the server. It can now drop the client's further messages while impersonating the client to the server.


Standards

CRAM-MD5 is defined by the IETF standards-track document RFC 2195, which supersedes RFC 2095, from earlier in 1997. These de facto standards define CRAM-MD5 as an authentication method for the email mailbox-management protocols POP and IMAP. CRAM-MD5 is one of the authentication methods supported by Simple Authentication and Security Layer (SASL), defined in 2006 by RFC 4422, which supersedes the 1997 standard RFC 2222. The Internet Assigned Numbers Authority (IANA) maintains a registry of SASL mechanisms, including CRAM-MD5, for limited use. CRAM-MD5 is required for On-Demand Mail Relay (ODMR), defined in RFC 2645.


Obsolete

It was recommended to deprecate the standard on 20 November 2008. As an alternative, the recommendation suggests, e.g., SCRAM or SASL Plain protected by TLS.


See also

* Simple Mail Transfer Protocol (SMTP)
* John Klensin

