[Standards] [Fwd: I-D Action:draft-melnikov-digest-to-historic-00.txt]
dave at cridland.net
Tue Sep 11 13:24:13 UTC 2007
On Tue Sep 11 11:55:35 2007, Jonathan Chayce Dickinson wrote:
> Interesting because most clients used Digest-MD5, so what do we use
> Cram-MD5? Or is there some other newfangled method out there?
DIGEST-MD5 is still more secure than CRAM-MD5, and this won't change
because of that draft. :-)
Some background - since I work with both Alexey and Kurt, one of the
chairs of the working group that issued this, as well as being in the
SASL WG in Prague where this was decided.
One upon a time, there was a mechanism called CRAM-MD5, which was
thought up as a simple challenge response mechanism. But, it's got a
number of weaknesses, the most important two being that its use of
MD5 is weak, and it more or less stores the password in the clear on
So, a number of replacement mechanisms were proposed. HTTP,
meanwhile, had developed Digest auth, and looking to unify HTTP auth
and SASL, Chris Newman abandoned his own mechanism, and instead
devoted much energy to getting a variant of Digest as a SASL
mechanism - which became DIGEST-MD5.
However, DIGEST-MD5 has a considerable amount of problems - these are
documented in the draft. Eventually, the SASL WG decided to abandon
its attempts to fix it, since it was exceedingly difficult to bring
it up to date, and some problems were simply beyond fixing.
Seeing this coming, a number of people decided to address the niche
by designing a new password based mechanism which had approximately
the same properties, but was more secure. These were:
HEXA (By Alexey and myself).
SCRAM-MD5 - a reissue and revamp of Chris Newman's original
mechanism, by Abhijit Menon-Sen (Who, if he reads this, will no doubt
correct my spelling). (Actually, it's SCRAM-*, now, as it's sprouted
YAP-* - a mechanism family intended to replace PLAIN in some
circumstances for RTT-sensitive applications, and also replace
In Prague, all three were presented and discussed at length, and we
decided to fold in the good bits of HEXA into SCRAM-MD5 and proceed
with SCRAM and YAP, ditching DIGEST-MD5 (and saving Alexey and me
lots of typing). SCRAM was designed a decade ago, and has actually
seen some limited deployment. I'd heartily recommend examining it
closely. Alexey and I hadn't actually read it when we designed HEXA
(in a pub, on the back of a beermat), although the two come out
looking very similar - both use "The Powerful XOR Encryption
Algorithm", as I like to call it.
So the short answer is: Carry on using DIGEST-MD5 until a replacement
comes out, watch SCRAM-* as a functional replacement, watch YAP-* as
a functional replacement for CRAM and PLAIN. If you're clear on the
patent situation - I'm not - then you may wish to look at SRP, which
seems more secure than any of these.
Some references for those willing to try the bleeding edge:
The last two are actively worked on, and I'm sure the authors would
be interested in comments. The first is just included for
Hope this helps.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards