[Dovecot] CRAM-MD5 Password Generation Algorithm

Douglas Willcocks douglas.willcocks at gmail.com
Sun Apr 13 13:57:16 EEST 2008

On Sun, 13 Apr 2008 01:39:44 -0400, Bill Cole
<dovecot-20061108 at billmail.scconsult.com> wrote:
> At 9:32 PM +0100 4/12/08, Douglas Willcocks  imposed structure on a
> stream of electrons, yielding:
> [...]
>>I've read through the document, and I now understand where exactly the
>>precomputed context sits in the whole picture, but I'm still unsure how
> to
>>reproduce it without dovecotpw.
> In looking a little closer at RFC1321 that defines MD5, I think I see
> the trick.  The stored contexts are not full MD5's of Ki and Ko, they
> are just the 16 bytes of state after hashing those single key blocks.
> A full MD5 hash gets finalized by padding out the data with nulls and
> a 64-bit count of the hashed data. If you  were to do a normal MD5 of
> Ki and Ko, the result would include the result of the finalization
> step.
> You can see this in the hmac_md5_get_cram_context and
> hmac_md5_set_cram_context functions in the Dovecot code. The former
> extracts just the 4 32-bit state values, and the latter sets them and
> sets the bit count in the context structure to 512 (i.e. 64 bytes)
> Maybe that provides a helpful clue...

Thank you very much for the time you spent looking into this.

There are still some wholes in the algorithm, but so far:

1. Do the first part of HMAC as normal up to XOR'ing with 0x5c, including
strangely enough what looks like a full (i.e. including nulling and
padding) md5 hash if the passphrase is longer than 64 (this step should be
feasible to replicate)

2. Do the first step of md5 hashing (again, using the Perl library you
suggested, it should be feasible to replicate the required functionality)

-- From now on, it gets a bit sketchy

3. Using the intermediate states of Ko and Ki, extract the various segments
into a char[] so you end up with an array of 32 8bit segments. I'm unsure
exactly what the bitwise AND operator is used for, I thought that a bitwise
AND with 0xFF would leave everything the same?

4. Display a hex representation of the array contents.

I'll have a go later today and report back any findings. Of course, I could
have completely misunderstood one of the steps, and that'll screw up the
others, but still.

> --
> Bill Cole
> bill at scconsult.com

Douglas Willcocks

More information about the dovecot mailing list