Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
CRAM-MD5
open-in-new
<h2 id="protocol">Protocol</h2> <p>The CRAM-MD5 protocol involves a single challenge and response cycle, and is initiated by the server: </p> <ol><li>Challenge: The server sends a <a href="/facts/Base64/xIvVm33q">base64</a>-encoded string to the client. Before encoding, it could be any random string, but the standard that currently defines CRAM-MD5 says that it is in the format of a <i><a href="/facts/Message-ID/MzMWt17h">Message-ID</a></i> email header value (including <a href="/facts/Angle_bracket/yzGM9J8A">angle brackets</a>) and includes an arbitrary string of random digits, a <a href="/facts/Timestamp/6lApANE6">timestamp</a>, and the server's <a href="/facts/Fully_qualified_domain_name/UgFMPQWD">fully qualified domain name</a>.</li> <li>Response: The client responds with a string created as follows. <ol><li>The challenge is base64-decoded.</li> <li>The decoded challenge is hashed using <a href="/facts/HMAC/Qy9WD4V9">HMAC-MD5</a>, with a <a href="/facts/Shared_secret/ATRz7LXy">shared secret</a> (typically, the user's password, or a hash thereof) as the secret key.</li> <li>The hashed challenge is converted to a string of lowercase hex digits.</li> <li>The <a href="/facts/Username/zQRzG0KG">username</a> and a space character are prepended to the hex digits.</li> <li>The concatenation is then base64-encoded and sent to the server</li></ol></li> <li>Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match, then authentication was successful.</li></ol> <h2 id="strengths">Strengths</h2> <p>The one-way hash and the fresh random challenge provide three types of security: </p> <ul><li>Others cannot duplicate the hash without knowing the password. This provides authentication.</li> <li>Others cannot replay the hash—it is dependent on the unpredictable challenge. This is variously called freshness or <a href="/facts/Replay_attack/IpKW2kvf">replay prevention</a>.</li> <li>Observers do not learn the password; this is called secrecy.</li></ul> <h2 id="weaknesses">Weaknesses</h2> <ul><li>No <a href="/facts/Mutual_authentication/EYIuxstu">mutual authentication</a>: the client does not verify the server. However, SASL authentication is usually done over a <a href="/facts/Transport_layer_security/pGy16TnA">TLS</a> connection, which verifies the server's identity.</li> <li>Weak password storage: some implementations require access to the users' plain text passwords, while others (e.g. <a href="/facts/Dovecot_(software)/cNzef2k5">Dovecot</a>) use the intermediate step of the HMAC process to store the <a href="/facts/MD5/8WIXb9Dq">MD5</a>-hash of the password (strictly speaking of HMAC's internal variables i_key_pad and o_key_pad).<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a><a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> Such implementations leverage that for computing md5(something_with_64_bytes || something_else), only md5_internal(something_with_64_bytes) and something_else are needed to know (because of <a href="/facts/Merkle%25E2%2580%2593Damg%25C3%25A5rd_construction/nEuAJBAs"> Merkle–Damgård</a> usage in MD5; md5_internal is md5 without the final block). As i_key_pad and o_key_pad are at the start of the inner and outer hash of HMAC, and have a length of 64 bytes, this fact can be used.</li> <li>Threat of reversibility: an offline <a href="/facts/Dictionary_attack/0DdvVvBM">dictionary attack</a> to recover the password is feasible after capturing a successful CRAM-MD5 protocol exchange (e.g., using <a href="/facts/Cain_and_Abel_(software)/0YeEApNN">Cain & Abel</a>). This threat is unavoidable in any password hashing scheme, but more modern algorithms use <a href="/facts/Key_stretching/uVQSNI4H">key stretching</a> for increasing the cost of an attack by a factor of one thousand or more. Conversely, CRAM-MD5 digests can be calculated using very few computational resources on dedicated hardware, or even just standard <a href="/facts/CPU/Jxp1bqMV">CPUs</a>.</li> <li>Proxy-ability: Unlike a <a href="/facts/Password-authenticated_key_agreement/udf3tV4x">password-authenticated key agreement</a> (PAKE) scheme, CRAM-MD5 does not establish a secret shared between the two endpoints but unknown to an eavesdropper. An active <a href="/facts/Man-in-the-middle_attack/dx4cojdz">man in the middle</a> can therefore open a connection to the server, get a challenge, offer that challenge to the client, receive the client's response, and forward that response to the server. It can now drop the client's further messages while impersonating the client to the server.</li></ul> <h2 id="standards">Standards</h2> <p>CRAM-MD5 is defined by the <a href="/facts/Request_for_Comments/esftTvE7">IETF standards-track document</a> RFC 2195, which supersedes RFC 2095, from earlier in 1997. These <a href="/facts/De_facto_standard/TRELHVwI"><i>de facto</i> standards</a> define CRAM-MD5 as an authentication method for the email mailbox-management protocols <a href="/facts/Post_Office_Protocol/QCp6qJQm">POP</a> and <a href="/facts/Internet_Message_Access_Protocol/QMnyvUwk">IMAP</a>. </p><p>CRAM-MD5 is one of the authentication methods supported by <a href="/facts/Simple_Authentication_and_Security_Layer/4z9w1bx6">Simple Authentication and Security Layer</a> (SASL), defined in 2006 by RFC 4422, which supersedes the 1997 standard RFC 2222. </p><p>The <a href="/facts/Internet_Assigned_Numbers_Authority/b6MlP6zQ">Internet Assigned Numbers Authority</a> (IANA) maintains a registry of SASL mechanisms,<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> including CRAM-MD5, for limited use. </p><p>CRAM-MD5 is required for <a href="/facts/On-Demand_Mail_Relay/x2FCp7By">On-Demand Mail Relay</a> (ODMR), defined in RFC 2645. </p> <h2 id="obsolete">Obsolete</h2> <p>It was recommended to deprecate the standard in 20 November 2008. As an alternative it recommends e.g. <a href="/facts/Salted_Challenge_Response_Authentication_Mechanism/8G5cx8UV">SCRAM</a> or <a href="/facts/Simple_Authentication_and_Security_Layer/4z9w1bx6">SASL</a> Plain protected by <a href="/facts/Transport_Layer_Security/pGy16TnA">TLS</a> instead.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Simple_Mail_Transfer_Protocol/TeCRKDpJ">Simple Mail Transfer Protocol</a> (SMTP)</li> <li><a href="/facts/John_Klensin/vKFykDm2">John Klensin</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"function verify_credentials". Dovecot 2.0 source. Retrieved 23 January 2014. <a href="http://git.infradead.org/dovecot/dovecot-2.0/blob/c68fb0dbc05e1a472d5a043ee368954b1034d8cb:/src/auth/mech-cram-md5.c#l48" target="_blank">http://git.infradead.org/dovecot/dovecot-2.0/blob/c68fb0dbc05e1a472d5a043ee368954b1034d8cb:/src/auth/mech-cram-md5.c#l48</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"file hmac-md5.c". Dovecot 2.0 source. Retrieved 23 January 2014. <a href="http://git.infradead.org/dovecot/dovecot-2.0/blob/c68fb0dbc05e1a472d5a043ee368954b1034d8cb:/src/lib/hmac-md5.c" target="_blank">http://git.infradead.org/dovecot/dovecot-2.0/blob/c68fb0dbc05e1a472d5a043ee368954b1034d8cb:/src/lib/hmac-md5.c</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Simple Authentication and Security Layer (SASL) Mechanisms". Protocol Registries. IANA. <a href="https://www.iana.org/assignments/sasl-mechanisms" target="_blank">https://www.iana.org/assignments/sasl-mechanisms</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Zeilenga, Kurt (24 November 2008). "CRAM-MD5 to Historic". tools.ietf.org. Retrieved 2020-12-05. <a href="https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00.html" target="_blank">https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00.html</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> </ol>