Authenticated Post Office Protocol

from Wikipedia, the free encyclopedia

Authenticated Post Office Protocol (APOP) is a method for securely transmitting the password when retrieving e-mails using the Post Office Protocol; it was introduced in 1993 with RFC 1460. Without APOP, the password is transmitted in clear text and can be captured by unauthorized persons using a sniffer. APOP does not encrypt the transmission of the e-mails themselves. For APOP to work, passwords must also be stored unencrypted.

APOP is considered insecure. The underlying Message Digest Algorithm 5 (MD5), combined with the inevitably repeated transmission of the password, reveals even long passwords after a reasonable period of time.

APOP is not a mandatory part of the Post Office Protocol, but can be offered by mail servers.

Procedure

Mail servers that offer APOP respond to a new connection with a character string which, after the initial +OK, also contains a current time stamp. This time stamp must correspond to a msg-id according to RFC 822 and, in particular, be unique.

Mail user agents that support APOP search the received character string for the angle brackets that mark the time stamp. If they find a time stamp, they append the password to it, calculate an MD5 hash value from this combination and send it back with the APOP command and the user name.

The mail server then performs the same calculation, compares the two hash values and grants access if they match.

Example

| Client | Server | Explanation |
|---|---|---|
| pop.example.com:110 | | Client establishes a POP3 connection to the server |
| | +OK <1896.697170952@pop.example.com> | Server sends +OK and time stamp |
| APOP adam c4c9334bac560ecc979e58001b3e22fb | | Client calculates a hash value over "<1896…>password" and sends it to the server |
| | +OK 1 message (369 octets) | Server also calculates the hash value; OK if they match |
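
The procedure above as an added Python example (not part of the original article): the client derives the APOP command from the greeting, and the server repeats the calculation and compares. The sample greeting, user name mrose and shared secret tanstaaf are the example values from RFC 1939, which yield the digest shown in the example above; the function names are chosen here for illustration.

```python
import hashlib
import hmac
import re

# Time stamp in msg-id form, including the angle brackets.
TIMESTAMP_RE = re.compile(rb"<[^<>\s]+@[^<>\s]+>")

# Sample data: greeting, user and secret from the example in RFC 1939.
GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
# The server needs the clear-text password to repeat the calculation,
# which is why APOP rules out storing only a password hash.
SECRETS = {"mrose": b"tanstaaf"}

def extract_timestamp(greeting: bytes) -> bytes:
    """Return the <...> time stamp, or raise if APOP is not offered."""
    if not greeting.startswith(b"+OK"):
        raise ValueError("not a positive POP3 greeting")
    match = TIMESTAMP_RE.search(greeting)
    if match is None:
        raise ValueError("no time stamp in greeting: APOP not offered")
    return match.group(0)

def apop_digest(timestamp: bytes, secret: bytes) -> str:
    """MD5 over the time stamp (with brackets) followed by the password."""
    return hashlib.md5(timestamp + secret).hexdigest()

def client_command(greeting: bytes, user: str, secret: bytes) -> str:
    """Build the APOP line the client sends back."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"

def server_verify(issued_timestamp: bytes, command: str, secrets: dict) -> bool:
    """Recompute the digest for the time stamp this server issued."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.lower().encode())

if __name__ == "__main__":
    cmd = client_command(GREETING, "mrose", SECRETS["mrose"])
    print(cmd, server_verify(extract_timestamp(GREETING), cmd, SECRETS))
```

Because the server checks the digest against the time stamp it issued for the current connection, a captured APOP line does not verify against a later greeting with a different time stamp.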

Alternatives
