Re: CRAM-SHA1 support

help-gsasl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CRAM-SHA1 support

From:	Simon Josefsson
Subject:	Re: CRAM-SHA1 support
Date:	Fri, 28 Aug 2009 11:13:35 +0200
User-agent:	Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Lothar May <address@hidden> writes:

> Hi,
>
> I found an old git entry in gsasl:
>
> "* Version 0.2.4 (released 2005-01-01)
>  ** The CRAM-MD5 mechanism is now preferred over DIGEST-MD5.
> This decision was based on recent public research that suggest MD5 is
> broken, while HMAC-MD5 not immediately compromised, and the lack of
> public analysis on what consequences the MD5 break have for
> DIGEST-MD5.  Support for CRAM-SHA1 is under investigation, to enable
> users to avoid MD5 completely."
>
> Any news on this? I would like to use CRAM-SHA1 - DIGEST-MD5 is tagged
> as "historic", and CRAM-MD5 "potentially" broken.

The SASL WG has just completed a last call on SCRAM-SHA1 which is the
(long-awaited) replacement of both CRAM-MD5 and DIGEST-MD5.  I need to
find time to implement it in GNU SASL.  If anyone wants to help with the
implementation, that would be excellent.

I'm aware that there are some libraries that support CRAM-SHA1, but it
is not standardized.  It would be easier to implement than CRAM-MD5.
However, because it is not standardized, and has some poor security
properties as well (SCRAM solves them, that's why it took so long to
complete) I'm not sure it is a good idea to support it.  Thoughts?

/Simon

[Prev in Thread]

Current Thread

[Next in Thread]

CRAM-SHA1 support, Lothar May, 2009/08/28
- Re: CRAM-SHA1 support, Simon Josefsson <=
  - Re: CRAM-SHA1 support, Simon Josefsson, 2009/08/28
  - Re: CRAM-SHA1 support, Lothar May, 2009/08/28

Prev by Date: Bugfix for GSASL-1.2 with mingw+msys
Next by Date: Re: Bugfix for GSASL-1.2 with mingw+msys
Previous by thread: CRAM-SHA1 support
Next by thread: Re: CRAM-SHA1 support
Index(es):
- Date
- Thread