[techtalk] POP mail

Chris J/#6 sixie at nccnet.co.uk
Wed Dec 15 23:31:26 EST 1999 


> 
> I don't know exactly how it works, but secure pop provides for a secure
> mechanism of transmitting these data items, and possibly the content of
> the mail comming back to you.
> 

I'm not sure if there is a totally encrypted POP session, but usernames and 
passwords can be hidden using APOP. APOP is a replacement for user/pass 
authentication and works as follows.

When you connect to the POP server, it will reply with a unique identier as 
follows:

$ telnet pophost 110
Connected to pophost
Escape character is '^]'.
+OK random text <2297.945296254 at pophost>

That long string between the <> is essentially the session key. Broken down 
it is 'pid.timestamp at hostname'. The POP client, if it has been told to use 
APOP, will take this key, create an MD5 hash of the password (known as the 
'secret', rather than password) and sends to the server a line along the 
lines of:

APOP sixie A3E44624C100D7b835C7DEA24B

The POP server knows the session key it sent, and, after the arrival of the 
APOP command, can create the same MD5 hash locally. If the hashes match, then 
authentication is accepted, else it's a big no, and the authentication has to 
start again.

After successful authentication however, its normal POP, with RCPT, LIST, 
DELE and the rest - all unencrypted (so a snooper can still read all your 
email).

You may need to check with your service provider wheather APOP is supported. 
Even though you have the <> indentifier may not be a gurantee - sometimes a 
seperate database needs to be kept, as /etc/passwd cannot be used 
(/etc/passwd and /etc/shadow contain one way encoded passwords - to generate 
the MD5 hash, you need plaintext passwords. You can't get (realistically) the 
plaintext from /etc/passwd, unless you feel like a potential 1 month wait to 
login as Crack is ran against your password).

Chris...

-- 
@}-,'--------------------------------------------------  Chris Johnson --'-{@
    / "(it is) crucial that we learn the difference / sixie at nccnet.co.uk  \
   / between Sex and Gender. Therein lies the key  /                       \ 
  / to our freedom" -- LB                         / www.nccnet.co.uk/~sixie \ 



************
techtalk at linuxchix.org   http://www.linuxchix.org

More information about the Techtalk mailing list