> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
> >>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff
> >>> the cleartext password.
> >
> > I don't bet on this. If you tape the SMTP dialogue, it's easy to
> > encrypt the password.
> 
> I think you're wrong.  AUTH PLAIN and AUTH LOGIN are just base64
> encoded cleartext and you can determine the password from them.
> CRAM-MD5 involves a one-way hash.  It is impossible to reverse the
> hash and determine the cleartext password.  Each time you connect, a
> different challenge results in a different response.  The only way the
> server and client can generate the correct response is to have the
> same cleartext password available.
> 
> Given the challenge and response, it is not possible to generate the
> cleartext password.

I'm with Tom on this one; the CRAM-MD5 algorithm makes snooping to get
the password impossible, excepting brute force.
The only real problem it has is that MD5 collisions are increasingly
easy to generate (down from 2^63 to the range of 2^48); however, they're
still far from a practical means of faking authentication.

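The exchange the thread is arguing about, written out as an added example (not code from the original posts or from any mail server): AUTH PLAIN is decoded straight back to the password, while CRAM-MD5 (RFC 2195) answers a per-connection challenge with HMAC-MD5 keyed by the password, so the same password produces a different response every time. The last function shows the one avenue the reply above leaves open, a brute-force or dictionary check against a captured challenge/response pair, which is the practical caveat a defender should keep in mind. Usernames, passwords, hostnames and the sample challenge are constructed for the demo.

```python
"""AUTH PLAIN vs CRAM-MD5 (RFC 2195): encode, verify, and eavesdrop.
Added illustration, not taken from the mailing-list thread."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials and challenge (RFC 2195 msg-id style).
USERNAME = "alice"
PASSWORD = "s3cret"
SAMPLE_CHALLENGE = "<1896.697170952@mail.example.com>"

# What an AUTH PLAIN client would put on the wire: base64 of
# authzid NUL authcid NUL password. Constructed capture, not a real one.
PLAIN_CAPTURE = base64.b64encode(
    b"\0" + USERNAME.encode() + b"\0" + PASSWORD.encode()).decode()


def decode_auth_plain(b64_blob):
    """AUTH PLAIN is only base64: anyone with the bytes has the password."""
    authzid, authcid, passwd = base64.b64decode(b64_blob).decode().split("\0")
    return authzid, authcid, passwd


def make_challenge(hostname):
    """Server side: a fresh, unpredictable challenge for every connection."""
    return "<%d.%d@%s>" % (secrets.randbits(32), int(time.time()), hostname)


def cram_md5_response(username, password, challenge):
    """Client side: 'username hexdigest' where digest = HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def server_verify(response_b64, challenge, password_db):
    """Server side: recompute from the stored cleartext password.

    Returns the authenticated username, or None. Note the server has to
    hold the cleartext (or at least a password-equivalent) to do this.
    """
    decoded = base64.b64decode(response_b64).decode()
    username, _, digest = decoded.rpartition(" ")
    password = password_db.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def dictionary_attack(challenge, response_b64, candidates):
    """Eavesdropper side: a sniffed (challenge, response) pair cannot be
    reversed, but it is an offline oracle for guessing the password."""
    decoded = base64.b64decode(response_b64).decode()
    _, _, digest = decoded.rpartition(" ")
    for guess in candidates:
        if hmac.new(guess.encode(), challenge.encode(), hashlib.md5).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    print("AUTH PLAIN capture decodes to:", decode_auth_plain(PLAIN_CAPTURE))
    for _ in range(2):
        ch = make_challenge("mail.example.com")
        resp = cram_md5_response(USERNAME, PASSWORD, ch)
        print("S: 334", base64.b64encode(ch.encode()).decode())
        print("C:", resp, "->", server_verify(resp, ch, {USERNAME: PASSWORD}))
    print("dictionary hit:", dictionary_attack(
        SAMPLE_CHALLENGE, cram_md5_response(USERNAME, PASSWORD, SAMPLE_CHALLENGE),
        ["password", "letmein", PASSWORD]))
```

Running the script shows two different 334 challenges and two different responses for the same password, which is the point Tom makes; the final line shows why "excepting brute force" matters: with no salt beyond the challenge and a fast MD5 HMAC, a weak password falls to a wordlist in seconds, so CRAM-MD5 protects against a passive sniffer only as well as the password resists guessing. RFC 2195 carries a worked challenge/response vector you can run through `cram_md5_response` to check the encoding.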