RFC 1731 (rfc1731) - Page 2 of 6


IMAP4 Authentication Mechanisms



Alternative Format: Original Text Document



RFC 1731            IMAP4 Authentication Mechanisms        December 1994


   network byte order, the maximum cipher-text buffer size the server is
   able to receive.  The server must encrypt the 8 octets of data in the
   session key and issue that encrypted data in a second ready response.
   The client should consider the server authenticated if the first four
   octets the un-encrypted data is equal to one plus the checksum it
   previously sent.

   The client must construct data with the first four octets containing
   the original server-issued checksum in network byte order, the fifth
   octet containing the bit-mask specifying the selected protection
   mechanism, the sixth through eighth octets containing in network byte
   order the maximum cipher-text buffer size the client is able to
   receive, and the following octets containing a user name string.  The
   client must then append from one to eight octets so that the length
   of the data is a multiple of eight octets. The client must then PCBC
   encrypt the data with the session key and respond to the second ready
   response with the encrypted data.  The server decrypts the data and
   verifies the contained checksum.  The username field identifies the
   user for whom subsequent IMAP operations are to be performed; the
   server must verify that the principal identified in the Kerberos
   ticket is authorized to connect as that user.  After these
   verifications, the authentication process is complete.

   The protection mechanisms and their corresponding bit-masks are as
   follows:

      1 No protection mechanism
      2 Integrity (krb_mk_safe) protection
      4 Privacy (krb_mk_priv) protection


   EXAMPLE: The following are two Kerberos version 4 login scenarios
   (note that the line breaks in the sample authenticators are for
   editorial clarity and are not in real authenticators)

      S: * OK IMAP4 Server
      C: A001 AUTHENTICATE KERBEROS_V4
      S: + AmFYig==
      C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
         +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
         WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
      S: + or//EoAADZI=
      C: DiAF5A4gA+oOIALuBkAAmw==
      S: A001 OK Kerberos V4 authentication successful







Myers