Dear Colleagues, Please let me summarise the additions and modifications to the proposal, and present the next approximation to you. Only changes to the proposal are included below. Would it be possible to respond with your comments by the end of next week so we can proceed with implementation?
Improving security of password (passphrase) based auth schemes (MD5 proposal)
=============================================================================
[...]
Proposal
--------
A new "auth:" scheme is introduced based on MD5 hash algorithm. The format of the new "auth" scheme is:
auth: MD5-PW <md5-crypt>

where <md5-crypt> is the output of md5-crypt, which is a concatenation of "$1$", the salt, and the 128-bit hash output. For example:

auth: MD5-PW $1$sD9e4pQn$1832L4.BxsZHusy0plg8i0

#A comment: We feel that despite the $1$ indication of the algorithm used we need
#this separate "MD5-PW" label. Our experience shows that every effort made to
#avoid confusion is eventually paid back.
#Another comment: we would appreciate it if someone writes an
#internet-draft on md5-crypt and processes it through the IETF, as Randy
#suggested.
At the first character after the first white space (space or tab) following the colon (":")
When submitting an update to the database that needs to be authorised using this scheme, a "password:" pseudo-attribute must be used to submit a key (passphrase). Line continuation is not allowed for this attribute, so the whole key should fit on one line. If the key gets split across multiple lines this will be treated as syntax error.
The value of the key starts at the first character after the first white space following the colon (":").
If the mntner that defines authorisation information for the submission has CRYPT-PW and MD5-PW "auth" schemes, the key specified by "password:" will be checked for both types.
Regards, Andrei Robachevsky RIPE NCC
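The scheme the message above proposes, as an added worked example that is not part of the original message and not RIPE NCC's implementation: an md5-crypt routine (Poul-Henning Kamp's "$1$" algorithm, written from the published algorithm using hashlib) plus a checker that reads the "auth: MD5-PW" attributes of a mntner, takes the key from the "password:" pseudo-attribute of an update (value starting at the first character after the first white space following the colon, one space or tab only), rejects a key continued onto a second line, and tries every MD5-PW hash. Assumptions: RPSL continuation lines begin with a space, tab or "+"; CRYPT-PW entries are recognised but not checked here (traditional DES crypt is out of scope); the mntner and update objects, the key and the CRYPT-PW placeholder are constructed sample data, and the MD5-PW hash is recomputed from the message's salt because the password behind the message's example hash is not given.

```python
import hashlib
import hmac
import re

# itoa64 alphabet used by md5-crypt (same as traditional crypt(3))
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
# "$1$" + salt (1..8 chars, no "$") + "$" + 22 encoded characters
MD5_CRYPT_RE = re.compile(r"^\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """md5-crypt (the "$1$" scheme): returns "$1$<salt>$<22-char hash>"."""
    pw = password.encode()
    s = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    plen = len(pw)
    while plen > 0:                      # one byte of alt per password byte
        ctx.update(alt[:min(plen, 16)])
        plen -= 16
    i = len(pw)
    while i:                             # the original's bit-by-bit quirk
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # 1000 stretching rounds, varying recipe
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final                            # permuted 3-byte groups, then the odd byte
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + s.decode() + "$" + enc


def attribute_value(line: str):
    """Split "name: value". The value starts at the first character after the
    first white space following the colon: exactly one space/tab is skipped."""
    name, rest = line.split(":", 1)
    if rest[:1] in (" ", "\t"):
        rest = rest[1:]
    return name.strip().lower(), rest


def submitted_key(update_lines):
    """Key from the "password:" pseudo-attribute, or None. A continuation line
    (assumed RPSL convention: leading space, tab or "+") right after it means
    the key was split across lines, which the proposal treats as a syntax error."""
    for idx, line in enumerate(update_lines):
        name, value = attribute_value(line) if ":" in line else ("", "")
        if name == "password":
            nxt = update_lines[idx + 1] if idx + 1 < len(update_lines) else ""
            if nxt[:1] in (" ", "\t", "+"):
                raise SyntaxError("password: key must fit on one line")
            return value
    return None


def key_is_well_formed(update_lines) -> bool:
    try:
        submitted_key(update_lines)
        return True
    except SyntaxError:
        return False


def auth_schemes(mntner_lines):
    """Yield (scheme, value) for each "auth:" attribute of a mntner object."""
    for line in mntner_lines:
        if ":" in line:
            name, value = attribute_value(line)
            if name == "auth":
                scheme, _, rest = value.strip().partition(" ")
                yield scheme.upper(), rest.strip()


def authorised(mntner_lines, update_lines) -> bool:
    """Check the submitted key against every password-type scheme of the mntner."""
    key = submitted_key(update_lines)
    if key is None:
        return False
    for scheme, value in auth_schemes(mntner_lines):
        if scheme == "MD5-PW":
            m = MD5_CRYPT_RE.match(value)
            if m and hmac.compare_digest(md5_crypt(key, m.group(1)), value):
                return True
        elif scheme == "CRYPT-PW":
            pass  # would call DES crypt(3) here; omitted (assumption: out of scope)
    return False


# Constructed sample data (not from the message). The salt is the message's;
# the hash is recomputed because that example's password is unknown.
SAMPLE_SALT, SAMPLE_KEY = "sD9e4pQn", "correct horse battery"
SAMPLE_MNTNER = [
    "mntner:  EXAMPLE-MNT",
    "auth:    CRYPT-PW xxxxxxxxxxxxx",   # constructed placeholder, not a real hash
    "auth:    MD5-PW " + md5_crypt(SAMPLE_KEY, SAMPLE_SALT),
    "source:  RIPE",
]
SAMPLE_UPDATE_OK = ["person:  Example Person", "password: " + SAMPLE_KEY, "source:  RIPE"]
SAMPLE_UPDATE_SPLIT = ["person:  Example Person", "password: correct horse", "+ battery"]

if __name__ == "__main__":
    print(SAMPLE_MNTNER[2])
    print("ok update:", authorised(SAMPLE_MNTNER, SAMPLE_UPDATE_OK))
    print("wrong key:", authorised(SAMPLE_MNTNER, ["password: wrong key"]))
    print("split key well-formed:", key_is_well_formed(SAMPLE_UPDATE_SPLIT))
```

The checker compares with hmac.compare_digest rather than "==" so that a mismatch costs the same time regardless of where the strings diverge, and the salt is always taken from the stored hash, never from the update, so a submitter cannot choose it.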