School of Computer and Communication Sciences
LASEC - Security and Cryptography Laboratory
POP and IMAP access control
 
Author(s): Urs Nyffeler
  Lars Renfer
 
Supervisor(s): Prof. Serge Vaudenay
  Pascal Junod
 
Date: Winter Semester 2001-2002
 
Abstract: Many RFCs address security in the IMAPv4 and POP3 protocols. For example, RFC 2195 adds MD5 encryption to IMAPv4 and RFC 2595 adds an SSL/TLS extension. We took a closer look at both protocols and implemented a sniffer to get usernames and passwords out of the packets on the Ethernet segment. Doing this gave us good insight into the lack of security of some authentication methods for IMAPv4 and POP3 servers.

The POP3 and IMAPv4 protocols offer several authentication methods. The most used are the plain-text logins, which are called "LOGIN" for IMAPv4 and "USER" and "PASS" for POP3. By default, both kinds of servers implement these methods. The problem is that only "little" work has to be done to get the usernames and passwords out of the Ethernet segments.

To get more security, IMAPv4 and POP3 also implement some encoding. The protocols provide the AUTH (for POP3) and the AUTHENTICATION (for IMAPv4) commands to log in. With these commands a client can negotiate the authentication mechanism by keyword. The keywords mentioned in the standard RFCs are "SKEY", "KERBEROS_V4" and "GSSAPI". These methods can provide strong authentication, but either need a good infrastructure, as Kerberos does, or are not much used, like GSSAPI.

POP3 provides the additional login command "APOP", which encrypts the password with the MD5 algorithm: it concatenates the password with a timestamp from the server and makes a non-reversible string out of it. RFC 2195 specifies an extension of the "AUTHENTICATION" command for IMAPv4 that adds the new keyword "CRAM-MD5" to the standard authentication methods. This gives IMAPv4 the possibility to use MD5 encryption as well. But here only the password is encrypted.

RFC 2595 specifies the commands "STARTTLS" and "STLS" for IMAPv4 and POP3 respectively to run the connection under the TLS layer. With this method the whole connection is encrypted, including the contents of the e-mails.

So in fact, IMAPv4 and POP3 connections can be secured quite well. One of the easiest ways is to use SSL/TLS to encrypt the connection as a whole. A big problem remains, because loads of e-mail retrieval connections are still made in clear text without any encryption.
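
The APOP and CRAM-MD5 exchanges mentioned in the abstract, as an added Python example that is not part of the project's sniffer or report. It assumes the definitions in RFC 1939 (MD5 over the banner timestamp followed by the shared secret) and RFC 2195 (HMAC-MD5 keyed with the secret over the server challenge), and uses the sample timestamp, challenge and secrets published in those RFCs; all function names are chosen here.

```python
import base64
import hashlib
import hmac

# Sample values published in RFC 1939 and RFC 2195 (not taken from the project).
RFC1939_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC2195_CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939: hex MD5 over the banner timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

def cram_mac(secret: str, challenge_b64: str) -> str:
    """RFC 2195: hex HMAC-MD5 keyed with the secret over the decoded challenge."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()

def cram_md5_response(user: str, secret: str, challenge_b64: str) -> str:
    """Client reply: base64 of '<user> <hex mac>'."""
    return base64.b64encode(f"{user} {cram_mac(secret, challenge_b64)}".encode()).decode()

def verify_apop(timestamp: str, secret: str, client_digest: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    expected = apop_digest(timestamp, secret).encode()
    return hmac.compare_digest(expected, client_digest.lower().encode())

def verify_cram_md5(user_secrets: dict, challenge_b64: str, response_b64: str) -> bool:
    """Server side: reject malformed replies and unknown users, then compare."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
        user, mac = decoded.rsplit(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no space separator
        return False
    if user not in user_secrets:
        return False
    expected = cram_mac(user_secrets[user], challenge_b64).encode()
    return hmac.compare_digest(expected, mac.lower().encode())

if __name__ == "__main__":
    # What crosses the wire in a clear-text session: user name and digest, no secret.
    print("C: APOP mrose", apop_digest(RFC1939_TIMESTAMP, "tanstaaf"))
    reply = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE_B64)
    print("C:", reply, "->", base64.b64decode(reply).decode())
    print("server accepts:", verify_cram_md5({"tim": "tanstaaftanstaaf"},
                                            RFC2195_CHALLENGE_B64, reply))
```

A reply computed for one challenge is rejected under a different challenge, while the user name and everything after authentication remain readable unless the session runs under STLS/STARTTLS.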