On Sat, 31 Aug 2002, Tamas TEVESZ wrote:
> > Having the passwords stored encrypted and sending a shared secret and then
> > hash back would be good.
>
> no. it's impossible. you either store clear and transmit hash, or
> transmit clear and store hash.
I assume you are saying that it is not possible because no clients or POP3
servers currently support it.
> with cram (hmac), it's possible to _obfuscate_ the stored cleartext
> password, but it's just obfuscation (xor, exactly).
>
> > Anyone know of a POP3 (or related) standard that is commonly used by
> > popular mail clients that does that?
>
> none. and as long as it's hmac in use, there won't be any, either.
Store the hash on server.
The server sends unique shared secret to client.
The client makes a hash of its local plain text password (using same
algorithm that the server used). (It could be already stored on the client
computer.)
The client makes a second hash made from the shared secret and the hash of
the password. And send this to the server.
The server makes another hash of its stored (already encrypted
password) against the shared secret and compares this with the client's
authentication data.
I can quickly get vm-pop3d to support this. Is anyone here a developer of
a POP3 client?
Jeremy C. Reed
http://www.isp-faq.com/
