Cryptography: Decode CRAM-MD5 algorithm

Question

I have an ASP.Net web application where I would like to implement cryptography for password security. I am not using SSL.

For that i studied and pick CRAM-MD5 algorithm for password authentication. I have implement javascript cram-md5 algorthim available at http://pajhome.org.uk/crypt/md5/

Here i would like to know that is there anyone used it and face that CRAM-MD5 authentication is decoded by hackers?

What are the possiblities of decoding CRAM-MD5 authentication?

Answer 1

For sure MD5 is no longer considered secure but the cryptanalysis vulnerabilities affecting him does not affect HMAC-MD5. It's a whole different beast.

I do agree that CRAM-MD5 would not be the best recommendation but it really has nothing to do with the insecurity of MD5.

Learn what's the difference.

See http://www.openauthentication.org/pdfs/Attacks%20on%20SHA-1.pdf, https://www.rfc-editor.org/rfc/rfc6151 and http://cseweb.ucsd.edu/~mihir/papers/hmac-new.html

Answer 2

Contrary to what others are saying, CRAM-MD5 is standard and safe to use. It's widely used in SASL for IMAP/SMTP authentication. You might be reading your EMail using CRAM-MD5. The other standard hashing algorithms are HTTP Digest Authentication and CHAP used in PPP but they all uses MD5 due to historical reasons. You can choose more secure SHA1-based hash but you will have to roll your own challenge schemes.

Because it uses challenge/response scheme, it's less vulnerable to the weakness of the MD5 hash. Unless you have special security requirements, stay with one of the standard algorithms.

Answer 3

As others have advised; don't use MD5, ever, for anything.

But as to an actual answer, how badly is it broken:

Well, with any one-hash it's, well, one-way, so you can't 'decode' it in that sense. What you can do, however, is generate collisions much faster than is acceptable. This allows the attackers to force matches in things that wouldn't otherwise match. It makes any validation of inference of the type 'md5(this) = md5(that) so this = that' wrong. This breaks digital signatures, and all sorts of other things.

Stay away from MD5, in any form.

-- Edit

Oh, and just a note, that hashing the password is no replacement for SSL. SSL is used to ensure, to the client, that the site they are browsing is yours, and to protect general sending of data.

Hashing is about protecting your database from a possible compromise. (And you always need to hash with a salt; you store the salt right next to the username in the db).

Answer 4

Don't self implement your hashing algorithm. There are well tested implementations in System.Security. As stated don't use MD5.

In addition you should salt your hashes. For example if you have a user table with a password field you can add a salt field that is simply an integer, or a guid, or even a timestamp, but something unique. The salt ensures you will not have hash collisions within your database. Here is a discussion on salting.

Answer 5

Implementing your own cryptography is generally seen as a bad idea.

Cryptographic algorithms have a lot of very specific demands, and if even one of them isn't met (and that usually happens when people do their own), it usually won't be all too much more secure than no crypto at all.

If you're not convinced, this Google Tech Talk should help.

Answer 6

From Wiki:

Protocol Weaknesses

 - No mutual authentication; client does not verify server.
 - Offline dictionary attack to recover password feasible after capturing a successful CRAM-MD5 protocol exchange.
 - Use of MD5 insufficient.
 - Carries server requirement for storage of reversibly encrypted passwords.

I'd be scared to use md5 hashing algorithm, as getting back the original password from hash can be done in few seconds, if password wasn't long enough (actually, you can google for md5 rainbow table, there are sites that will decode such hash in few seconds and give back the result ;) ).

Answer 7

MD5 is no longer considered secure, see MD5 vulnerabilities. For a more secure implementation, choose a different hash algorithm (such as SHA-256 or better).