Author: Tamas TEVESZ Date: To: Jeremy C. Reed CC: pop-imap, exim-users Subject: Re: [Exim] a more or less special mail solution
On Sat, 31 Aug 2002, Jeremy C. Reed wrote:
> > > Having the passwords stored encrypted and sending a shared secret and then
> > > hash back would be good.
> >
> > no. it's impossible. you either store clear and transmit hash, or
> > transmit clear and store hash.
>
> I assume you are saying that it is not possible because no clients or POP3
> servers currently support it.
no. it is not possible because it's logically not possible. the heart
if this impossibility is that all these hashes are one way hashes.
think about it: if what you are wishing to have would be possible, we
all could throw out all of today's security, because that would mean
that the one-way hashes are not one-way at all.
> Store the hash on server.
>
> The server sends unique shared secret to client.
>
> The client makes a hash of its local plain text password (using same
> algorithm that the server used). (It could be already stored on the client
> computer.)
>
> The client makes a second hash made from the shared secret and the hash of
> the password. And send this to the server.
>
> The server makes another hash of its stored (already encrypted
> password) against the shared secret and compares this with the client's
> authentication data.
now. if i get access to the stored hashes, what exactly makes me
unable to re-use them ?
what you described is CRAM, with user's passwords replaced with their
hashes, and then the hash used as if it was the plain text password.