!!! Overview

[{$pagename}] is a [Challenge-response Authentication Mechanism] ([CRAM]) based on the [{$pagename}] algorithm. As one of the mechanisms supported by the [Simple Authentication and Security Layer] ([SASL]), it is often used in email software as part of [SMTP] Authentication and for the authentication of [POP] and [IMAP] users, as well as in applications implementing [LDAP], [XMPP], [BEEP], and other [protocols].

When such software requires authentication over unencrypted connections, [{$pagename}] is preferred over mechanisms that transmit passwords "in the clear," such as LOGIN and PLAIN. However, it __CAN NOT__ prevent derivation of a password through a [Brute-Force] attack, so it is less effective than alternative mechanisms that avoid passwords or that use connections encrypted with [Transport Layer Security] ([TLS]).

!! [Cryptographically Weak]

* No mutual authentication: the client does not verify the server. However, [SASL] [authentication] is usually done over a [TLS] connection, which verifies the server's identity.
* Weak password storage: some implementations require access to the users' plain text passwords, while others (e.g. Dovecot) use the intermediate step of the [HMAC] process to store the MD5-hash of the password (strictly speaking of HMAC's internal variables i_key_pad and o_key_pad).[1][2] Such implementations rely on the fact that, to compute md5(something_with_64_bytes || something_else), only md5_internal(something_with_64_bytes) and something_else need to be known (because MD5 uses the Merkle–Damgård construction; md5_internal is md5 without the final block). As i_key_pad and o_key_pad are at the start of the inner and outer hash of HMAC, and have a length of 64 bytes, this fact can be used.
* Threat of reversibility: an offline dictionary attack to recover the password is feasible after capturing a successful [{$pagename}] protocol exchange (e.g., using Cain & Abel).
* Proxy-ability: Unlike a [Password-authenticated Key Agreement] ([PAKE]) scheme, CRAM-MD5 does not establish a secret shared between the two endpoints but unknown to an eavesdropper. A [Man-In-The-Middle] can therefore open a connection to the server, get a challenge, offer that challenge to the client, receive the client's response, and forward that response to the server. It can now drop the client's further messages while impersonating the client to the server.

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]