Re: [Exim] CRAM-MD5 with no clear password

Góra strony
Delete this message
Reply to this message
Autor: Calum Mackay
Data:  
Dla: Nico Erfurth
CC: Silmar A. Marca, exim-users
Temat: Re: [Exim] CRAM-MD5 with no clear password
Nico Erfurth wrote:
> With CRAM the password is NEVER transmitted over the wire, CRAM means
> Challenge-Response-Authentication-Mechanism. The idea is to encrypt some
> random string with the password on both sides and compare the encrypted
> strings. So you need the PLAINTEXT passwords on both sides.


Actually, with the MD5 digest that's used in CRAM, this isn't the case,
I believe. It is possible to pre-compute part of the calculation, and
store this, instead of the plaintext password, at one end.

Not with exim currently mind you, but it is possible from an MD5 point
of view.

cheers,
c.