[imp] imp 2.3.x vs TWIG

Rich Lafferty rich@horde.org
Sun, 28 Jan 2001 13:23:47 -0500


On Sun, Jan 28, 2001 at 10:11:59AM -0800, andrew morgan (morgan@orst.edu) wrote:
> On Sun, 28 Jan 2001, Anil Madhavapeddy wrote:
> 
> > > I don't want IMP to store passwords in a database permanently.  I realize
> > > they are stored right now in the database temporarily while the user is
> > > logged in, but it seems like a bad security decision to keep the password
> > > in the database permanently (between logins).  Even if the password is
> > > encrypted/encoded/hashed, it would be possible to recover the plaintext
> > > password.
> >
> > Well, this depends on what kind of crypto strength you use, but it will
> > be near-impossible to brute-force the attacks unless you also give them
> > the decoding key, which shouldn't be stored in the database.
> 
> But the information has to be stored in an accessible manner so that it
> can be used between sessions. 

No, it doesn't -- for instance, you could have something like this:

Store an md5 hash of the Horde password, and store the IMAP passwords
encrypted symmetrically where the unhashed Horde password is the key
to the IMAP passwords.

(At this point, we can verify that, excluding attacks on the
cryptosystems themselves, the only attack on the IMAP passwords is to
determine the key or to use brute force in guessing the key, and the
only attack to determine the key is brute force. This is the same
situation as on a conventional Unix system.)

When the user logs in, he enters his Horde password, which is hashed
and compared against the stored md5 hash of the Horde password. If
they match, we know he entered the correct password, and we use the
plaintext that he entered as the key to unencrypt the IMAP passwords.

> This would be simpler for the users because they are already familiar with
> this style.  Also, it seems to me that this functionality should be in the
> client, not the proxy.

From the *user's* perspective it happens in the client. Something as
simple as holding an IMAP connection open for more than one Web
transaction needs to be in a proxy, though, as PHP's IMAP library
doesn't offer it.

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------
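The scheme sketched in the message above (store a hash of the Horde password, keep the IMAP password encrypted under a key that only the plaintext Horde password yields, verify the hash at login and then decrypt), as an added example that is not Horde/IMP code and not part of this thread. It departs from the mail in two labelled ways: a salted, iterated PBKDF2 derivation stands in for the plain MD5 hash, and the stored verifier and the vault key are separate, independent slices of that derivation, so that nothing in the database equals the key. The HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a standard-library-only stand-in for a real AEAD such as AES-GCM; the iteration count, the record layout and the master/IMAP passwords are constructed assumptions.

```python
"""Added example (not Horde/IMP code): a stored verifier plus a vault key that
exists only while the user's plaintext master password is in hand."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # assumption: tune to your hardware; higher is slower to brute-force


def derive(master_password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """Stretch the master password into three independent 32-byte values:
    verifier (safe to store), encryption key and MAC key (never stored)."""
    out = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, KDF_ITERATIONS, dklen=96)
    return out[:32], out[32:64], out[64:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def enrol(master_password: str, imap_password: str) -> Dict[str, bytes]:
    """Build the record the database would hold. Note what is absent:
    the master password, the encryption key and the MAC key."""
    salt = os.urandom(16)
    verifier, enc_key, mac_key = derive(master_password, salt)
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, imap_password.encode("utf-8"))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "nonce": nonce, "ct": ct, "tag": tag}


def login(record: Dict[str, bytes], master_password: str) -> Optional[str]:
    """Verify the master password against the stored verifier; only on a
    match does the same derivation hand us the keys to recover the IMAP
    password. Returns None on wrong password or on a tampered record."""
    verifier, enc_key, mac_key = derive(master_password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    tag = hmac.new(mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        return None  # ciphertext or nonce altered in the database
    return keystream_xor(enc_key, record["nonce"], record["ct"]).decode("utf-8")


def record_leaks_key(record: Dict[str, bytes], master_password: str) -> bool:
    """Sanity check for the design claim: none of the stored fields equals
    either key, so a database dump alone does not decrypt the IMAP password."""
    _, enc_key, mac_key = derive(master_password, record["salt"])
    return any(v in (enc_key, mac_key) for v in record.values())


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    rec = enrol("horde-master-pw", "imap-secret-pw")
    print("stored fields:", sorted(rec))
    print("correct login ->", login(rec, "horde-master-pw"))
    print("wrong login   ->", login(rec, "guess"))
    print("db leaks key? ->", record_leaks_key(rec, "horde-master-pw"))
```

The two `compare_digest` checks matter in order: the verifier check rejects a wrong master password before any decryption is attempted, and the tag check rejects a record someone has edited in the database, which a bare XOR keystream would otherwise decrypt into attacker-chosen bytes.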