At 15:41 22.09.2005 -0500, you wrote:
> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
> >>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff
> >>> the cleartext password.
> > I don't bet on this. If you tape the SMTP dialogue, it's easy to
> > the password.
> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64
> encoded cleartext and you can determine the password from them.
> CRAM-MD5 involves a one-way hash. It is impossible to reverse the
> and determine the cleartext password. Each time you connect, a
> different challenge results in a different response. The only way the
> server and client can generate the correct response is to have the
> cleartext password available.
> Given the challenge and response, it is not possible to generate the
> cleartext password.
I'm with Tom on this one, the CRAM-MD5 algorithm makes snooping to get
the password impossible excepting brute force.
The only real problem it has is that MD5 collisions are increasingly
easy to generate (down from 2^63 to the range of 2^48), however they're
still far from a practical means of faking authentication.
C'mon. The generation of the "challenge" and the way it's used in qmail is
well documented on my web site http://www.fehcom.de/qmail/smtpauth.html.
Everyone can read that and download the code to do it.
The only free parameters are the timestamp and the pid of the current process.
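The CRAM-MD5 exchange argued over in this thread, as an added example that is not part of the original messages and not qmail's code: both sides compute HMAC-MD5 over the server's challenge with the cleartext password as key. The hostname, user name, password and the pid/timestamp values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def make_challenge(pid, timestamp, hostname="mail.example.org"):
    # Server side: the varying parts are the pid and the timestamp.
    # The hostname is an assumed placeholder.
    return base64.b64encode(f"<{pid}.{timestamp}@{hostname}>".encode())

def client_response(user, password, challenge_b64):
    # Client side: HMAC-MD5 keyed with the cleartext password over the
    # decoded challenge, sent as base64("user hexdigest").
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(stored_password, challenge_b64, response_b64):
    # Server side: needs the same cleartext password to recompute the digest.
    challenge = base64.b64decode(challenge_b64)
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return user, hmac.compare_digest(expected, digest)

def demo():
    password = "correct horse"          # constructed sample secret
    c1 = make_challenge(4711, 1127421660)
    c2 = make_challenge(4712, 1127421665)
    r1 = client_response("alice", password, c1)
    r2 = client_response("alice", password, c2)
    return {
        "accepted": server_verify(password, c1, r1),
        # A response recorded for one challenge is useless for the next one.
        "replay_accepted": server_verify(password, c2, r1)[1],
        "responses_differ": r1 != r2,
        # The password itself never appears on the wire.
        "password_on_wire": password.encode() in base64.b64decode(r1),
        # A recorded challenge/response pair still lets anyone test password
        # guesses offline, so the scheme is only as strong as the password.
        "wrong_guess_matches": server_verify("letmein", c1, r1)[1],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
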