[Dovecot] CRAM-MD5 Password Generation Algorithm

Bill Cole dovecot-20061108 at billmail.scconsult.com
Sun Apr 13 08:39:44 EEST 2008

At 9:32 PM +0100 4/12/08, Douglas Willcocks imposed structure on a 
stream of electrons, yielding:
>I've read through the document, and I now understand where exactly the
>precomputed context sits in the whole picture, but I'm still unsure how to
>reproduce it without dovecotpw.

In looking a little closer at RFC1321 that defines MD5, I think I see 
the trick.  The stored contexts are not full MD5s of Ki and Ko, they 
are just the 16 bytes of state after hashing those single key blocks. 
A full MD5 hash gets finalized by padding out the data with nulls and 
a 64-bit count of the hashed data. If you were to do a normal MD5 of 
Ki and Ko, the result would include the result of the finalization.

You can see this in the hmac_md5_get_cram_context and 
hmac_md5_set_cram_context functions in the Dovecot code. The former 
extracts just the 4 32-bit state values, and the latter sets them and 
sets the bit count in the context structure to 512 (i.e. 64 bytes).

Maybe that provides a helpful clue...

Bill Cole
bill at scconsult.com
