CRAM-MD5

From Wikipedia, the free encyclopedia

In cryptography, CRAM-MD5 is a challenge-response authentication mechanism (hence "CRAM") defined in RFC 2195 based on the HMAC-MD5 MAC algorithm. It is employed by some SASL implementations, and it is quite often supported by SMTP-AUTH Mail submission agents.

Protocol

  1. Challenge: In CRAM-MD5 authentication, the server first sends a challenge string to the client.
  2. Response: The client responds with a string created as follows.
    1. The challenge was sent as a base64-encoded string, which is decoded.
    2. The decoded challenge is run through HMAC-MD5 with the user's password as the secret key (this is a keyed hash, not encryption).
    3. The resulting digest is converted to a string of hex digits.
    4. The username and a space character are prepended to the hex digits.
    5. The concatenation is then base64-encoded and sent to the server.
  3. Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match then authentication was successful.
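Both sides of the exchange above, as an added example that is not part of the original article: the client computes the response, and the server recomputes it from its stored secret and compares in constant time. The sample challenge, username and password are the ones in the worked example of RFC 2195; the user lookup is a plain dictionary standing in for a real password store.

```python
import base64
import hmac

# Sample values taken from the worked example in RFC 2195.
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC2195_USER = "tim"
RFC2195_SECRET = "tanstaaftanstaaf"


def cram_md5_digest(challenge: bytes, password: str) -> str:
    """HMAC-MD5 over the raw challenge keyed with the password, as 32 hex digits."""
    return hmac.new(password.encode("utf-8"), challenge, "md5").hexdigest()


def cram_md5_response(challenge_b64: str, username: str, password: str) -> str:
    """Client side: decode the challenge, compute the digest, prepend 'username ',
    and base64-encode the whole thing for the wire."""
    digest = cram_md5_digest(base64.b64decode(challenge_b64), password)
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_verify(challenge_b64: str, response_b64: str, lookup_password) -> bool:
    """Server side: parse 'username hexdigest', recompute the expected digest from the
    stored secret for that user, and compare.  Any malformed input is a failure."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
        username, given = decoded.split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = lookup_password(username)  # None for unknown users
    if password is None:
        return False
    expected = cram_md5_digest(base64.b64decode(challenge_b64), password)
    # Constant-time comparison so the server does not leak how many bytes matched.
    return hmac.compare_digest(expected, given)


def demo() -> dict:
    """Run the RFC 2195 example through both sides and also show the two rejections
    the protocol is designed to produce: a wrong password and a replayed response."""
    users = {RFC2195_USER: RFC2195_SECRET}
    chal = base64.b64encode(RFC2195_CHALLENGE.encode("ascii")).decode("ascii")
    resp = cram_md5_response(chal, RFC2195_USER, RFC2195_SECRET)
    fresh_chal = base64.b64encode(b"<2.2@postoffice.example>").decode("ascii")  # constructed
    return {
        "decoded_response": base64.b64decode(resp).decode("utf-8"),
        "accepted": cram_md5_verify(chal, resp, users.get),
        "wrong_password_accepted": cram_md5_verify(chal, cram_md5_response(chal, "tim", "wrong"), users.get),
        "replay_accepted": cram_md5_verify(fresh_chal, resp, users.get),
    }
```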

This provides three important types of security.

  1. First, others cannot duplicate the hash without knowing the password. This provides authentication.
  2. Second, others cannot replay the hash—it is dependent on the unpredictable challenge. This is variously called freshness or replay prevention.
  3. Third, observers do not learn the password. This is called secrecy.

The two important features of this protocol that provide these three security benefits are the one-way hash and the fresh random challenge.

Protocol weaknesses

  • No mutual authentication: client does not verify server.
  • Weak password storage: Some implementations require access to the users' plain text passwords, while others (e.g. Dovecot) store the intermediate state of the HMAC computation, a sort of MD5 of the password (the inner and outer MD5 contexts combined), instead of the password itself.
  • Threat of reversibility: an offline dictionary attack to recover the password is feasible after capturing a successful CRAM-MD5 protocol exchange (e.g. with Cain & Abel).

History

CRAM-MD5 was originally defined in RFC 2095, later rendered obsolete by RFC 2195. In practice it's the only allowed and supported SASL-mechanism for ESMTPA without Transport Layer Security (TLS). CRAM-MD5 is required for On-Demand Mail Relay (ODMR) defined in RFC 2645.

The PLAIN SASL mechanism, which is also often supported for ESMTPA, is officially not allowed outside of secure connections (TLS, the successor of SSL), and the LOGIN mechanism is not a registered SASL mechanism at all; both transport unencrypted passwords. They encode the passwords with Base64, which does not provide secrecy.

The Internet Assigned Numbers Authority (IANA) maintains two registries relevant for CRAM-MD5:

  1. SASL-mechanisms[1] incl. CRAM-MD5 for limited use, PLAIN, and the historic[2] DIGEST-MD5
  2. Mail transmission protocol types[3] incl. ESMTP, ESMTPA, ESMTPS, and ESMTPSA

ESMTPA stands for ESMTP with SMTP-AUTH, and ESMTP is SMTP with Service Extensions as defined in RFC 5321. ESMTPS is ESMTP over a secure connection. ESMTPSA is both ESMTPA and ESMTPS, i.e. authenticated submission over a secure connection, which is the setting in which the PLAIN SASL mechanism is allowed.

References

  1. "Simple Authentication and Security Layer (SASL) Mechanisms". Protocol Registries. IANA.
  2. "Moving DIGEST-MD5 to Historic". RFC 6133. IETF. July 2011.
  3. "Mail Service Types". Protocol Registries. IANA.