Encrypted password or unencrypted password?
There are two methods of password authentication in encrypted form:
1. Use an encrypted password on an unencrypted connection
2. Use an unencrypted password on an encrypted connection
The first method is clearly not recommended. A typical example is the CRAM-MD5 mech.
Second, authentication over an encrypted connection with a cipher suite, for example TLS_AES_256_GCM_SHA384 of TLSv1.3 is secure.
By TLS, we mean entity authentication with digital certificates, at least for server with server certificates.
With TLSv1.3 the session key is randomly ephemeral generated using Perfect Forward Secrecy, which ensures non-repeating session keys. Thus, for example, if the session key is exposed, it will not affect the data of another session. Likewise, because the session key has nothing to do with the server's private key, if the server is compromised, the server's private key cannot decrypt the previously captured data.
What is session key used for?
It is the key of the symmetric encryption cipher, used to encrypt communication bulk data, the cipher here is 256-bit AES. The mode of operation of the cipher is counter (GCM - Galois Counter Mode). So AES_256_GCM goes into a cluster.
The encryption does not guarantee integrity.
There is no guarantee that the data received by the recipient is intact. From here comes the concept of authenticated encryption. This work is done using the hash function SHA384.
Password authentication like?
This is server authenticating client, see if the client has a credential to use its authentication-required service. On a TLS connection, passwords and other authentication-required information are presented by the client to the server as a normal transaction. All data has been securely encrypted as above. If authentication is successful, the client becomes an authenticated user. This applies to any service that uses a TLS connection.
Thus, an unencrypted password is more secure than an encrypted password.
Authentication mechanism
There are several different authentication mechanisms, but as we know there should be no problem using PLAIN mechanism on a TLS connection.
To practice, telnet to the omarine.org mail server:
telnet omarine.org 25
Then type the EHLO command:
EHLO localhost
Next, enter the AUTH command:
AUTH PLAIN 12345678
You will receive a notification as following:
503 TLS encryption or CRAM-MD5 required
That means the condition for authentication is TLS connection or using CRAM-MD5 authentication mechanism. We connect to port 25 unencrypted so being refused.
What's the contradiction here?
Actually I've configured the server to only accept authentication on TLS connection, and CRAM-MD5 matter is just a notification that I haven't modified. Do we need to fix it? unnecessary.
The complete error message is a vulnerability for an error attack.
To make a TLS connection to the omarine.org mail server, run this command:
openssl s_client -connect omarine.org:25 -starttls smtp
Contact: tuyen@omarine.org
Comments
There are currently no comments
New Comment