On Wed, Feb 19, 2003 at 02:57:19PM -0600, Matt Pavlovich wrote:
> Does the CRAM-SHA1 process hand a string that the mail server can
> eventually extract a 'normal' SHA1 hash out of?
>
> If so, then it would be trivial to support SHA1 hash compares if the
> password hash is stored as SHA1 in the directory server. Storing clear
> text passwords sucks, legal departments and mgmt frown on it..
No, it's a fundamental laws-of-the-universe thing from the irreversibility
of hashes.
When a user authenticates to a server, either:
(1) The user sends the password in cleartext over the wire
The server can keep a hash of the password
OR
(2) The user sends a hash derived from the password over the wire
The server needs to have the cleartext password [or something
equivalent*] to validate it
Case (1) is normal logins (AUTH LOGIN or PLAIN and normal Unix shadow
files); case (2) is the CRAM-MD5's and CRAM-SHA1's of this world.
If you want to have your cake and eat it, the best you can do is to take
case (1), but encrypt the entire session. In other words the user sends
their cleartext password to the server, but it is protected against
eavesdropping by TLS.
[*] "Something equivalent" to a cleartext password means that it might not
actually be the sequence of letters which the user types, but knowledge of
this value is sufficient to authenticate yourself.
Windows NT domain authentication falls into this category. A hash of your
password text is stored on the server, and it is challenge-response
authentication. However, to participate in this mechanism, all you actually
need is the hash of the password text, you don't need to know what the
person's original password was. Hence if you break into the server and steal
this hash value, you can use it to gain access: this hash value is a
"plaintext password" in its own right.
Regards,
Brian.
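The two cases above, as an added example that is not part of the original mail or of Courier: a CRAM-MD5 exchange (RFC 2195 style) in which the server can only verify the response by holding the password itself, next to a cleartext-over-TLS login in which the server keeps only a salted one-way hash. The username, hostname and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import time

# Case (2): CRAM-MD5. The client keys an HMAC-MD5 with its password over a
# server-supplied challenge. The server can only check the response by
# recomputing the same HMAC, so it must hold the password (or an equivalent
# keyed state), not a plain one-way hash of it.
def cram_md5_challenge(host="mail.example.com"):  # host is a placeholder
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()

def cram_md5_response(username, password, challenge):
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_md5_verify(stored_secret, challenge, response):
    # stored_secret must be the cleartext password (or its keyed equivalent)
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# Case (1): the password crosses the wire in clear (protected by TLS) and
# the server stores only a salted hash; it verifies by re-hashing.
def make_plain_record(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha1(salt + password).hexdigest()

def verify_plain(record, password):
    salt, stored = record
    return hmac.compare_digest(hashlib.sha1(salt + password).hexdigest(), stored)

def demo(password=b"correct horse", challenge=None):
    challenge = challenge or cram_md5_challenge()
    resp = cram_md5_response("alice", password, challenge)   # alice: placeholder
    sha1_only = hashlib.sha1(password).digest()  # what a SHA1-only directory holds
    return {
        "cram_with_cleartext": cram_md5_verify(password, challenge, resp),
        "cram_with_sha1_only": cram_md5_verify(sha1_only, challenge, resp),
        "plain_with_salted_hash": verify_plain(make_plain_record(password), password),
        "plain_wrong_password": verify_plain(make_plain_record(password), b"wrong"),
    }
```

`demo()` returns True for CRAM-MD5 only when the server holds the cleartext, and False when it holds just SHA1(password), while the hashed-storage path works only in the cleartext-over-TLS case.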
courier-users mailing list