Authentication Problem

Joseph Tam jtam.home at gmail.com
Thu Dec 20 23:58:38 EET 2018


On Thu, 20 Dec 2018, Odhiambo Washington wrote:

> At the expense of sounding stupid, could you please expound on the
> sequence? :)

In a nutshell, during protocol handshake, the server gives the client
a random string (nonce).  Both the server and client perform a
cryptographic hash of nonce+password, and the client tells the server
the result of the hash, and the server compares the client's result with
its own.  If the results match, it proves the client has knowledge of
the password.

The strength relies upon cryptographic hashes not being invertible.
It's one way of protecting the password from sniffing when you can't use SSL.
However, there are many weaknesses: the password must be kept on the server
in plaintext, offline brute forcing, etc.

Joseph Tam <jtam.home at gmail.com>
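
The exchange described in the message above, as an added example that is not
part of the original post or of Dovecot's code. The function names, the use of
SHA-256 and the plain nonce+password concatenation are assumptions for
illustration; real mechanisms define their own constructions.

```python
import hashlib
import hmac
import secrets


def make_nonce() -> str:
    """Server side: a fresh random challenge for every handshake."""
    return secrets.token_hex(16)


def compute_response(nonce: str, password: str) -> str:
    """Both sides: hash of nonce+password (SHA-256 is an assumption here)."""
    return hashlib.sha256((nonce + password).encode()).hexdigest()


def server_verify(nonce: str, stored_plaintext: str, client_response: str) -> bool:
    """The server recomputes the hash itself, which is why it has to keep
    the password in plaintext (or an equivalent secret) on disk."""
    expected = compute_response(nonce, stored_plaintext)
    return hmac.compare_digest(expected, client_response)


def offline_guess(nonce: str, response: str, candidates):
    """The offline weakness: anyone who recorded one (nonce, response) pair
    can test candidate passwords without contacting the server again."""
    for guess in candidates:
        if hmac.compare_digest(compute_response(nonce, guess), response):
            return guess
    return None


def demo():
    password = "correct horse"              # constructed sample value
    nonce = make_nonce()                    # server -> client
    response = compute_response(nonce, password)   # client -> server
    accepted = server_verify(nonce, password, response)
    wrong_pw = server_verify(nonce, password, compute_response(nonce, "wrong"))
    # A recorded response is useless against a new nonce (no replay).
    replayed = server_verify(make_nonce(), password, response)
    # A weak password still falls to a dictionary applied to the capture.
    wordlist = ["123456", "letmein", "correct horse"]   # constructed
    recovered = offline_guess(nonce, response, wordlist)
    return accepted, wrong_pw, replayed, recovered


if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire and a replayed response fails, but the
server-side plaintext store and the checkable capture are exactly the two
weaknesses named in the message.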

