Network Working Group                                       J. Klensin
Request for Comments: 2095                                    R. Catoe
Category: Standards Track                                 P. Krumviede
                                                                   MCI
                                                          January 1997


       IMAP/POP AUTHorize Extension for Simple Challenge/Response

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   While IMAP4 supports a number of strong authentication mechanisms as
   described in RFC 1731, it lacks any mechanism that avoids passing
   cleartext, reusable passwords across the network without also
   requiring either a significant security infrastructure or that the
   mail server update a mail-system-wide user authentication file on
   each mail access.  This specification provides a simple
   challenge-response authentication protocol that is suitable for use
   with IMAP4.  Since it utilizes Keyed-MD5 digests and does not
   require that the secret be stored in the clear on the server, it may
   also constitute an improvement on APOP when used with the POP3 AUTH
   command specified in RFC 1734.

1. Introduction

   Existing Proposed Standards specify an AUTHENTICATE mechanism for the
   IMAP4 protocol [IMAP, IMAP-AUTH] and a parallel AUTH mechanism for
   the POP3 protocol [POP3-AUTH].  The AUTHENTICATE mechanism is
   intended to be extensible; the four methods specified in [IMAP-AUTH]
   are all fairly powerful and require some security infrastructure to
   support.  The base POP3 specification [POP3] also contains a
   lightweight challenge-response mechanism called APOP.  APOP carries
   most of the risks that come with such protocols: in particular, it
   requires that both the client and server machines have access to
   the shared secret in cleartext form, because the APOP digest is a
   plain MD5 hash over the server's greeting followed by the secret.
   CRAM offers a method for avoiding such cleartext storage while
   retaining the algorithmic simplicity of APOP: it still uses only
   MD5, but in a "keyed" construction whose per-key intermediate state
   can be precomputed once and kept in place of the secret itself.
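   The following Python program is an added illustration of the
   contrast drawn above; it is not code from this RFC or from any
   implementation it describes.  It computes an APOP digest (which
   needs the cleartext secret on the server) next to a keyed-MD5
   (HMAC-MD5, RFC 2104) challenge/response verifier that discards the
   secret after precomputing the inner and outer MD5 contexts.  The
   wire layout assumed here (base64-encoded challenge, response of the
   form "username SP hex-digest") follows the CRAM mechanism as defined
   in the later sections of this document, which are not on this page;
   the user name, secret and challenge string are constructed sample
   inputs, and the class and function names are the editor's own.

```python
import base64
import hashlib
import hmac
import os
import time

BLOCK = 64  # MD5 block size in bytes; HMAC pads or hashes the key to this


def apop_digest(greeting: bytes, secret: bytes) -> str:
    """APOP (RFC 1939): MD5 over greeting || secret.

    The server can only recompute this if it holds `secret` in the clear,
    which is the weakness the Introduction points at.
    """
    return hashlib.md5(greeting + secret).hexdigest()


class CramMd5Verifier:
    """Server-side verifier that keeps keyed-MD5 contexts, not the secret.

    HMAC-MD5(K, text) = MD5((K ^ opad) || MD5((K ^ ipad) || text)).  Both
    keyed prefixes are exactly one MD5 block, so after absorbing them the
    two contexts can be stored and cloned for every authentication; the
    cleartext secret is never retained.  (Class name is the editor's.)
    """

    def __init__(self, username: str, secret: bytes) -> None:
        if len(secret) > BLOCK:          # RFC 2104: long keys are hashed first
            secret = hashlib.md5(secret).digest()
        key = secret.ljust(BLOCK, b"\x00")
        self.username = username
        self._inner = hashlib.md5(bytes(b ^ 0x36 for b in key))  # K ^ ipad
        self._outer = hashlib.md5(bytes(b ^ 0x5C for b in key))  # K ^ opad
        # `secret` and `key` go out of scope here; only the contexts remain.

    def expected_digest(self, challenge: bytes) -> str:
        inner = self._inner.copy()
        inner.update(challenge)
        outer = self._outer.copy()
        outer.update(inner.digest())
        return outer.hexdigest()

    def verify(self, challenge: bytes, response: str) -> bool:
        """Check a 'username SP hexdigest' response in constant time."""
        parts = response.split(" ")
        if len(parts) != 2:
            return False
        user, digest = parts
        return user == self.username and hmac.compare_digest(
            digest, self.expected_digest(challenge)
        )


def make_challenge(host: str = "example.net") -> bytes:
    """Build a one-time challenge in the msg-id style APOP and CRAM use."""
    return f"<{os.getpid()}.{int(time.time())}@{host}>".encode()


def encode_challenge(challenge: bytes) -> str:
    """Server -> client: the challenge travels base64-encoded."""
    return base64.b64encode(challenge).decode("ascii")


def client_response(username: str, secret: bytes, challenge_b64: str) -> str:
    """Client side: decode the challenge, key MD5 with the secret, answer."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def run_exchange(username: str, client_secret: bytes, server_secret: bytes,
                 challenge: bytes) -> bool:
    """Full round trip; returns whether the server accepts the response."""
    verifier = CramMd5Verifier(username, server_secret)   # at enrollment
    response = client_response(username, client_secret,
                               encode_challenge(challenge))
    return verifier.verify(challenge, response)


if __name__ == "__main__":
    # Constructed sample input, not a vector taken from this page.
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    print("APOP digest (needs cleartext secret):",
          apop_digest(chal, b"tanstaaftanstaaf"))
    print("CRAM-MD5 accepted:",
          run_exchange("tim", b"tanstaaftanstaaf", b"tanstaaftanstaaf", chal))
    print("CRAM-MD5 with wrong secret:",
          run_exchange("tim", b"wrong", b"tanstaaftanstaaf", chal))
```

   Python's hashlib does not expose the internal 16-byte MD5 state, so
   this verifier keeps the two keyed contexts as live objects and clones
   them per login; a real server would serialize the two intermediate
   states from its MD5 library and store those in place of the
   password.  Note that although the secret is not stored in the clear,
   whoever obtains the stored contexts can still compute valid
   responses, so they must be protected like any credential.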

Klensin, Catoe & Krumviede  Standards Track