
IMAP/POP AUTHorize Extension for Simple Challenge/Response (RFC2195)

IP.com Disclosure Number: IPCOM000002753D
Original Publication Date: 1997-Sep-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 5 page(s) / 10K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Klensin, R. Catoe, P. Krumviede (MCI): AUTHORS

Abstract

While IMAP4 supports a number of strong authentication mechanisms as described in RFC 1731, it lacks any mechanism that neither passes cleartext, reusable passwords across the network nor requires either a significant security infrastructure or that the mail server update a mail-system-wide user authentication file on each mail access. This specification provides a simple challenge-response authentication protocol that is suitable for use with IMAP4. Since it utilizes Keyed-MD5 digests and does not require that the secret be stored in the clear on the server, it may also constitute an improvement on APOP for POP3 use as specified in RFC 1734.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 30% of the total text.

Network Working Group                                         J. Klensin
Request for Comments: 2195                                      R. Catoe
Category: Standards Track                                   P. Krumviede
Obsoletes: 2095                                                      MCI
                                                          September 1997

IMAP/POP AUTHorize Extension for Simple Challenge/Response

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Abstract

While IMAP4 supports a number of strong authentication mechanisms as described in RFC 1731, it lacks any mechanism that neither passes cleartext, reusable passwords across the network nor requires either a significant security infrastructure or that the mail server update a mail-system-wide user authentication file on each mail access. This specification provides a simple challenge-response authentication protocol that is suitable for use with IMAP4. Since it utilizes Keyed-MD5 digests and does not require that the secret be stored in the clear on the server, it may also constitute an improvement on APOP for POP3 use as specified in RFC 1734.

1. Introduction

Existing Proposed Standards specify an AUTHENTICATE mechanism for the IMAP4 protocol [IMAP, IMAP-AUTH] and a parallel AUTH mechanism for the POP3 protocol [POP3-AUTH]. The AUTHENTICATE mechanism is intended to be extensible; the four methods specified in [IMAP-AUTH] are all fairly powerful and require some security infrastructure to support. The base POP3 specification [POP3] also contains a lightweight challenge-response mechanism called APOP. APOP is associated with most of the risks associated with such protocols: in particular, it requires that both the client and server machines have access to the shared secret in cleartext form. CRAM offers a method for avoiding such cleartext storage while retaining the algorithmic simplicity of APOP in using only MD5, though in a "keyed" method.
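The exchange the paragraph above describes, as an added example that is not part of RFC 2195 or of any implementation it references: the server issues a challenge, the client answers with keyed MD5 (HMAC-MD5, computed here with Python's standard library), and the server verifies the answer from two stored, pre-keyed MD5 contexts rather than from the cleartext secret, which is the difference from APOP that the paragraph is making. The challenge form `<pid.timestamp@host>` and the values used in the demo (user `tim`, secret `tanstaaftanstaaf`, a challenge from `postoffice.reston.mci.net`) are taken from section 2 of the full RFC, which this extract does not reach; the `CramMd5Server` class, its method names and the session-id bookkeeping are this example's own.

```python
import base64
import hashlib
import hmac
import os
import socket
import time

BLOCK_SIZE = 64  # MD5 block size; RFC 2195 null-pads the shared secret to this length


def keyed_contexts(secret: bytes):
    """Build the two pre-keyed MD5 contexts of keyed MD5 (HMAC-MD5, RFC 2104).

    inner = MD5(secret XOR ipad), outer = MD5(secret XOR opad), both left
    unfinalised.  A server can keep these instead of the cleartext secret.
    """
    if len(secret) > BLOCK_SIZE:
        secret = hashlib.md5(secret).digest()  # RFC 2104 rule for over-long keys
    secret = secret.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in secret))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in secret))
    return inner, outer


def digest_from_contexts(inner, outer, challenge: bytes) -> str:
    """Finish keyed MD5 over the challenge from stored contexts (lowercase hex)."""
    i = inner.copy()
    i.update(challenge)
    o = outer.copy()
    o.update(i.digest())
    return o.hexdigest()


def client_response(username: str, secret: bytes, challenge_b64: str) -> str:
    """Client side: decode the challenge, key MD5 with the secret, reply base64(user SP hex)."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest = hmac.new(secret, challenge, "md5").hexdigest()  # stdlib HMAC-MD5
    return base64.b64encode(f"{username} {digest}".encode()).decode()


class CramMd5Server:
    """Server side (example class, not from the RFC): one-shot challenges,
    verification from stored keyed contexts, no cleartext secrets retained."""

    def __init__(self, users):
        # users maps username -> secret bytes; only the keyed contexts are kept.
        self._contexts = {u: keyed_contexts(s) for u, s in users.items()}
        self._outstanding = {}  # session id -> challenge awaiting its response

    def issue_challenge(self, session, pid=None, timestamp=None, host=None):
        """Build <pid.timestamp@host> (the RFC's form) and return it base64-encoded."""
        pid = os.getpid() if pid is None else pid
        timestamp = int(time.time()) if timestamp is None else timestamp
        host = socket.gethostname() if host is None else host
        challenge = f"<{pid}.{timestamp}@{host}>".encode()
        self._outstanding[session] = challenge
        return base64.b64encode(challenge).decode()

    def verify(self, session, response_b64):
        """Check a response; the challenge is consumed so a replayed response fails."""
        challenge = self._outstanding.pop(session, None)
        if challenge is None:
            return False  # nothing outstanding: unsolicited or replayed response
        try:
            text = base64.b64decode(response_b64, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        user, sep, hexdigest = text.rpartition(" ")
        ctx = self._contexts.get(user) if sep else None
        if ctx is None:
            digest_from_contexts(*keyed_contexts(b""), challenge)  # equalise timing
            return False
        expected = digest_from_contexts(*ctx, challenge)
        return hmac.compare_digest(expected.encode(), hexdigest.lower().encode())


if __name__ == "__main__":
    # Replays the RFC's own section 2 exchange with fixed pid/timestamp/host.
    server = CramMd5Server({"tim": b"tanstaaftanstaaf"})
    chal = server.issue_challenge("A0001", pid=1896, timestamp=697170952,
                                  host="postoffice.reston.mci.net")
    print("S: +", chal)
    resp = client_response("tim", b"tanstaaftanstaaf", chal)
    print("C:", resp)
    print("S: A0001", "OK" if server.verify("A0001", resp) else "NO",
          "CRAM authentication")
```

Two limits are worth keeping in mind. The stored contexts are still enough to answer any challenge, so to someone who reads the server's store they are equivalent to the secret for this mechanism; what they protect is the secret's reuse elsewhere. And an eavesdropper who records one challenge/response pair can test password guesses offline, since the digest is unsalted and the challenge is public. The one-shot bookkeeping in `verify()` is what stops a recorded response from being replayed against the same server.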

At present, IMAP [IMAP] lacks any facility corresponding to APOP. The only alternative to the strong mechanisms identified in [IMAP-AUTH] is a presumably cleartext username and password, supported through the LOGIN command in [IMAP]. This document describes a simple challenge-response mechanism, similar to APOP and PPP CHAP [PPP], that can be used with IMAP (and, in principle, with POP3).

This mechanism also has the advantage over some possible alternatives of not requiring that the server maintain information about email "logins" on a per-login basis. While mechanisms that do require such per-login history records may offer enhanced security, protocols such as IM...