Thursday, April 19, 2007

[Security] APOP authentication for the POP3 mail retrieval protocol is now vulnerable.

JPCERT/CC and IPA (Information-technology Promotion Agency, Japan) have reported a vulnerability in which the password protected by APOP can be recovered.

APOP is an authentication protocol for POP3.
APOP uses an MD5 hash to check the password.
The MD5 hash function has collisions.
If APOP hashes are tapped and stolen, a malicious person might decipher the password.

This problem is caused by MD5 collisions, so it is not limited to APOP.
The same problem occurs in any system that uses MD5.
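
As an added illustration (not code from the original post or from the papers linked below), this sketch shows the APOP exchange defined in RFC 1939: the server greeting carries a timestamp, the client answers with the hex MD5 of that timestamp followed by the shared secret, and the server recomputes it. The function names are hypothetical, the strict timestamp check in `extract_challenge` is an assumption about how a careful client treats the greeting, and the sample values are the example given in RFC 1939.

```python
import hashlib
import hmac
import re
from typing import Optional

# RFC 1939 timestamp: "<local@domain>" in printable ASCII, with no
# "<", ">", "@" or whitespace inside either part.
_MSG_ID = re.compile(rb"<[!-;=?A-~]+@[!-;=?A-~]+>")


def extract_challenge(greeting: bytes) -> Optional[bytes]:
    """Return the APOP timestamp from a POP3 greeting, or None if the
    server offers no APOP or the timestamp is not a well-formed msg-id."""
    if not greeting.startswith(b"+OK"):
        return None
    start = greeting.find(b"<")
    if start == -1:
        return None  # no timestamp in the banner: APOP is not offered
    candidate = greeting[start:].rstrip(b"\r\n")
    # Reject control bytes, non-ASCII bytes and extra brackets outright.
    return candidate if _MSG_ID.fullmatch(candidate) else None


def apop_digest(challenge: bytes, secret: bytes) -> str:
    """Client side: hex MD5 over the timestamp followed by the secret."""
    return hashlib.md5(challenge + secret).hexdigest()


def verify_apop(challenge: bytes, secret: bytes, digest: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    expected = apop_digest(challenge, secret).encode()
    return hmac.compare_digest(expected, digest.lower().encode())


# Sample values: the greeting, secret and user name from the RFC 1939 example.
GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
SECRET = b"tanstaaf"

if __name__ == "__main__":
    ts = extract_challenge(GREETING)
    if ts is None:
        print("No usable APOP challenge; use POP over SSL instead")
    else:
        print("APOP mrose", apop_digest(ts, SECRET))
```

Only the password is covered by this exchange, and the only thing protecting it is MD5 over a value the server chooses.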

------
shikap (http://d.hatena.ne.jp/shikap/20070419#p1) said that:

Almost everyone uses POP, and APOP encrypts only the password.
But received mail is still plaintext in the POP protocol.

On this occasion, you might shift to "POP over SSL".

Link
Practical Password Recovery on an MD5 Challenge-Response such as APOP (pdf) (FSE2007)
Extended APOP Password Recovery Attack (pdf) (FSE2007)
