Network Working Group                               L. Nerenberg, Editor
Internet Draft: The CRAM-MD5 SASL Mechanism              Orthanc Systems
Document: draft-nerenberg-sasl-crammd5-03.txt              November 2002



                      The CRAM-MD5 SASL Mechanism


Status of this Memo

     This document is an Internet Draft and is in full conformance with
     all provisions of Section 10 of RFC 2026.

     Internet Drafts are working documents of the Internet Engineering
     Task Force (IETF), its areas, and its working groups.  Note that
     other groups may also distribute working documents as Internet
     Drafts.

     Internet Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other
     documents at any time.  It is inappropriate to use Internet Drafts
     as reference material or to cite them other than as "work in
     progress."

     The list of current Internet Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.

     A revised version of this draft document will be submitted to the
     RFC editor as a Proposed Standard for the Internet Community.
     Discussion and suggestions for improvement are requested.
     Distribution of this draft is unlimited.


Copyright Notice

     Copyright (C) The Internet Society (2002).  All Rights Reserved.

How to Read This Document

     The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
     in this document are to be interpreted as defined in [KEYWORDS].


1.  Introduction

     This document defines a simple challenge-response [SASL]
     authentication mechanism, using a [KEYED-MD5] digest.






Nerenberg          draft-nerenberg-sasl-crammd5-03.txt          [Page 1]

Internet Draft           CRAM-MD5 SASL Mechanism           November 2002


2.  CRAM-MD5 Authentication Mechanism

     The mechanism name associated with CRAM-MD5 is 'CRAM-MD5'.

     This mechanism does not provide a security layer.

     The data encoded in the challenge contains a presumptively
     arbitrary string of random digits, a timestamp, and the fully-
     qualified primary host name of the server.

     The client makes note of the data and then responds with a string
     consisting of the user name, a space, and a "digest."  The latter
     is computed by applying the keyed MD5 algorithm from [KEYED-MD5]
     where the key is a shared secret and the digested text is the
     challenge (including angle-brackets). The client MUST NOT interpret
     or attempt to validate the contents of the challenge in any way.

     This shared secret is a string known only to the client and server.
     The "digest" parameter itself is a 16-octet value which is sent in
     hexadecimal format, using lower-case US-ASCII characters.

     When the server receives this client response, it verifies the
     digest provided.  Since the user name may contain the space
     character, the server MUST scan the client response from right to
     left; the first space character encountered separates the digest
     from the user name.  If the digest is correct, the server should
     consider the client authenticated and respond appropriately.

     The user name and shared secret MUST be represented in the Unicode
     character set [UNICODE], and MUST be normalised using the Unicode
     Normalisation Form KC [NFKC]. The resulting values MUST be encoded
     as UTF-8 [UTF8].


2.1.  Formal Syntax

     The following syntax specification uses the augmented Backus-Naur
     Form (ABNF) as specified in [ABNF], and incorporates by reference
     the Core Rules defined in that document.

     challenge  = "<" 1*DIGIT "." 1*DIGIT "@" hostname ">"

     digest     = 32(DIGIT / %x61-66)
                  ; A hexadecimal string using only lower-case
                  ; letters

     hostname   = 1*(ALPHA / DIGIT) *("." / "-" / ALPHA / DIGIT)

     response   = user SP digest

     user       = 1*OCTET






Nerenberg          draft-nerenberg-sasl-crammd5-03.txt          [Page 2]

Internet Draft           CRAM-MD5 SASL Mechanism           November 2002


2.2.  Examples

     The examples in this section do NOT form part of the specification.
     Where conflicts exist between the examples and the formal grammar
     or specification text, the latter are authoritative.

     These examples show the use of the CRAM-MD5 mechanism with the
     IMAP4 AUTHENTICATE command [IMAP4].  The base64 encoding of the
     challenges and responses is part of the IMAP4 AUTHENTICATE command,
     not part of the CRAM-MD5 specification itself.

          S: * OK IMAP4rev1 Server
          C: A0001 AUTHENTICATE CRAM-MD5
          S: + PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
          C: dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
          S: A0001 OK CRAM-MD5 authentication successful

     In this example, the shared secret is the string

          tanstaaftanstaaf

     Hence, the Keyed MD5 digest is produced by calculating

          MD5((tanstaaftanstaaf XOR opad),
               MD5((tanstaaftanstaaf XOR ipad),
               <1896.697170952@postoffice.reston.mci.net>))

     where ipad and opad are as defined in [KEYED-MD5] and the string
     shown in the challenge is the base64 encoding of
     <1896.697170952@postoffice.reston.mci.net>. The shared secret is
     null-padded to a length of 64 bytes. If the shared secret is longer
     than 64 bytes, the MD5 digest of the shared secret is used as a 16
     byte input to the keyed MD5 calculation.

     This produces a digest value (in hexadecimal) of

          b913a602c7eda7a495b4e6e7334d3890

     The user name is then prepended to it, forming

          tim b913a602c7eda7a495b4e6e7334d3890

     Which is then base64 encoded to meet the requirements of the IMAP4
     AUTHENTICATE command (or the similar POP3 AUTH command), yielding

          dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw











Nerenberg          draft-nerenberg-sasl-crammd5-03.txt          [Page 3]

Internet Draft           CRAM-MD5 SASL Mechanism           November 2002


3.  References

3.1.  Normative References

     [ABNF]
          Crocker, D., P. Overell, "Augmented BNF for Syntax
          Specifications: ABNF", RFC2234, Internet Mail Consortium and
          Demon Internet Ltd., November 1997.

     [KEYED-MD5]
          Krawczyk, Bellare, Canetti, "HMAC: Keyed-Hashing for Message
          Authentication", RFC 2104, IBM and UCSD, February 1997.

     [KEYWORDS]
          Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC2119, Harvard University,
          March 1997.

     [MD5]
          Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, MIT
          Laboratory for Computer Science and RSA Data Security, Inc.,
          April 1992.

     [NFKC]
          Davis, M., M. Durst, "Unicode Standard Annex #15: Unicode
          Normalisation Forms", An integral part of The Unicode
          Standard, Version 3.2.0
          (http://www.unicode.org/reports/tr15/).

     [SASL]