spf-discuss

Re: Re: SPF implementations

2005-08-16 08:04:14
On Tue, 16 Aug 2005, Arjen de Korte wrote:

> > SMTP AUTH uses CRAM-MD5 or DIGEST-MD5 (or any other protocol
> > implemented by both sides) to protect the password.  It
> > is not sent in cleartext.  The PLAIN protocol is usually
> > allowed only in conjunction with TLS.

> But anyone sniffing the connection might replay the encoded password. So
> effectively, one doesn't need the plain password.

That's not how challenge response systems work.  The encoded password
is different every time.  Sniffing does no good.  Here is a simplified overview
of how challenge response systems like CRAM-MD5, APOP, etc. work:

Assume client is logging in to server:

1. server sends a 64 bit or larger random number - the challenge - to client
2. client hashes login,password,challenge using secure hash like MD5 
3. client sends login,hash to server
4. server computes hash of login,password,challenge
5. server compares its hash with client - a match means client knows password

Real protocols may have a timestamp in there, and also arrange so that
the server stores hashes of the passwords.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


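The five-step exchange described in the post, as an added Python example that is not part of the original message. It follows the CRAM-MD5 layout from RFC 2195 (base64 challenge, base64 "login hexdigest" reply); the user database, host name and password are constructed for the demo, and the replay check shows why a sniffed reply is useless against a fresh challenge.

```python
"""Simplified CRAM-MD5 (RFC 2195) exchange. The keyed hash depends on a
fresh server challenge, so a response captured on the wire cannot be
replayed in a later session."""
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store for the example. A real server would keep
# a derived secret (see the post's last paragraph), not the cleartext password.
USERS = {"alice": "correct horse battery staple"}


def make_challenge(host="mail.example.test"):
    """Step 1 (server): fresh 64-bit random number plus timestamp."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{host}>".encode()


def client_response(user, password, challenge):
    """Steps 2-3 (client): login + hex HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(response_b64, challenge):
    """Steps 4-5 (server): recompute the hash and compare in constant time."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def replay_demo():
    """Two sessions; the sniffed reply from session 1 is replayed in session 2."""
    c1 = make_challenge()
    r1 = client_response("alice", USERS["alice"], c1)
    first_ok = server_verify(r1, c1)      # legitimate login succeeds
    c2 = make_challenge()
    replay_ok = server_verify(r1, c2)     # replayed r1 fails: different challenge
    r2 = client_response("alice", USERS["alice"], c2)
    return first_ok, replay_ok, r1 != r2  # (True, False, True)
```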