home
NEWS       BLOGS       FORUMS       NEWSLETTERS       RESEARCH       EVENTS       DIGITAL LIBRARY       CAREERS  
Network Computing Network Computing Powered by InformationWeek Business Technology Network

IMMERSE YOURSELF:

SOA

  |

Data Center

  |

802.11n

  |

Data Privacy

  |
APO  |

Virtualization

  |

NAC

  |

Security

  |

Network Mgmt

  |

Enterprise Apps

  |

Storage & Servers



  W O R K S H O P

Securing POP and IMAP Sessions

September 6, 1999
By Dan Backman

our customizable newsletter, sends you security alerts, product updates and software patches on the products you use. Sign up now at www.networkcomputing.com /express/
Over the router and through the net, to the mail server we go..." Unfortunately, if Little Red Riding Hood were anything like your users, she'd have been screaming out the key code to grandma's door as she skipped through the woods. No wonder the wolf ate her. Yes, POP3 and IMAP4 are the standard protocols of choice, but like most Internet protocols, they default to plain-text authentication. And instead of sending push-flagged packets like telnet, both wrap the user's password within a single password--usually accompanied by the oh-so-cryptic verbs "pass" or "authenticate."

The obvious answer is to use transport-level encryption services, such as IPSec (IP Security) or other VPN (virtual private network) technologies, but these mainly protect against packet captures outside the firewall. Whether or not we like to admit it, most attacks originate inside the firewall. To be effective, network protocols should use some form of challenge/response protocol that never sends the actual password across the wire. Until point-to-point IPSec encryption becomes a reality, guarding your users' passwords should be a serious concern. The vendor community has recognized this problem and has presented various solutions for non-clear-text POP and IMAP authentication.

When we tested non-plain text authentication protocols for use in POP and IMAP services at our Real-World Labs® in San Mateo, Calif., we found that many products work exactly as billed, but a lack of standardization makes each a single-vendor solution.

In terms of interoperability, SSL POP and IMAP offer the best support, with client support from Microsoft Corp. and Netscape Communications Corp. Qualcomm's implementations of APOP (Authentication POP) and KPOP (Kerberos POP) can be convincing in the right environments, but like Microsoft's NTLM (NT LAN Man) via SASL (Simple Authentication Security Layer) authentication scheme, both offer limited cross-vendor support. Finally, SASL gives us a glimpse into the future of IP authentication and it's being rolled into LDAP and other protocols.

APOP
POP in RFC 1460 defines an MD5-based challenge/ response authentication algorithm dubbed APOP. A simple example of challenge/response authentication is that it adds a challenge string to the normal POP server. The client responds with a hash of that challenge and the user's password (see "Challenge/ Response Authentication," at www.networkcomputing. com/1018/1018ws2side1.html). If the client's response matches the server's own hash, the user is authenticated. The hash isn't reversible, so the user's password isn't compromised when sent over the network.

Despite APOP's appearance in the RFC, Qualcomm is the only vendor to support it. We were surprised and disappointed to find that Microsoft's Outlook Express and Outlook2000 POP3 support does not include APOP authentication. But if you're willing to stay inside Qualcomm's product line, APOP is an excellent choice for strong POP authentication. We tested APOP using Qualcomm's Eudora Pro 4.1 and qpopper, Qualcomm's Unix POP daemon.

Enabling APOP is easy. APOP is added as a configuration option when the qpopper POP3 daemon is compiled (like much Unix software, qpopper is distributed in source-code form). From then on, the administrator must define a separate APOP authentication database using the popauth command and must add a password for each user. After that, users connecting to the server must use APOP-capable clients.

Be aware that APOP must hash the user's password in combination with the server's challenge, so the POP server must maintain a separate authentication database for APOP users. Although qpopper provides the popauth utility for database administration (it also lets users reset their own APOP passwords), it means users must manage yet another password.



PAGE: 1 I 2 I 3 I NEXT PAGE
 





Ready to take that job and shove it?

Function:

Keyword(s):

State:
SPONSOR
RECENT JOB POSTINGS
CAREER NEWS
Aneesh Chopra is looking to other CIOs to advise him on fleshing out a more detailed agenda to best serve the president's IT agenda.

IT spending is expected to decline by 3.8 percent in 2009 according to Gartner.










2009 IT Salary Survey: Meager Raises, Solid Prospects
Though raises are notably smaller than a year ago, and job security’s shrinking, IT careers are looking safer than many others in this economic downturn. Get all the findings in InformationWeek's 2009 IT Salary Survey. Available FREE for a limited time.
 
ROLLING RIGHT ALONG
Follow key Network Computing Reviews from conception to completion. This Week: Holistic APM.



Network Computing Reports Emerging Enterprise Podcast Series: Secrets to Success








TechSearch


Microsite of the Week


Powerful Information at Your Fingertips



Techweb
Informationweek Business Technology Network
InformationweekInformationweek 500Informationweek 500 ConferenceInformationweek AnalyticsInformationweek Events
Informationweek MagazineGlobal CIOIWK Government ITbMightyByte and SwitchDark Reading
Digital LibraryIntelligent EnterpriseInternet EvolutionNetwork ComputingPlug Into The CloudDr. DobbsContentinople
space
TechWeb Events Network
InteropVoiceConWeb 2.0 ExpoWeb 2.0 SummitEnterprise 2.0Mobile Business ExpoNoJitter
Black HatGTECEnergy CampCloud ConnectGov 2.0 ExpoGov 2.0 Summit
space
Light Reading Communications Network
Light ReadingLight Reading AsiaUnstrungCable Digital NewsInternet EvolutionPyramid Research
Heavy ReadingLight Reading LiveLight Reading InsiderEthrnet ExpoTelco TVTower Technology Summit
space
Financial Technology Network
Advanced TradingBank Systems and TechnologyInsurance and TechnologyWall Street and TechnologyAccelerating WallstreetBST SummitBuyside Trading SummitIT Summit
space
Microsoft Technology Network
MSDNTechNetTotal IT ProTotal Dev ProNET Total Dev Pro CommunitySQL Total Dev Pro Community
space


App Infrastructure   |   Messaging & Collaboration   |   Network & Systems Mgmt   |   Network Infrastructure   |   Security  |   Storage & Servers   |   Wireless   |   Enterprise Apps
About Us  |  Contact Us  |  Site Map  |  Technology Marketing Solutions  |  Advertising Contacts  |   Briefing Centers
Copyright © 2009  United Business Media LLC  |  Privacy Statement  |  Terms of Service