CRAM (challenge-response authentication mechanism)

CRAM (challenge-response authentication mechanism) is the two-level scheme for authenticating network users that is used as part of the Web's Hypertext Transfer Protocol (HTTP). The two levels are basic authentication and digest authentication.

Using the CRAM, the server (or, alternatively, a proxy server or gateway) issues a challenge to a user in the form of a "401 unauthorized" request for a password. The password is a string of characters known only to the user and the server. When the server receives the user response, it checks to be sure the password is correct. If so, the user is authenticated. If not, or if for any other reason the network does not want to accept the password, a "403 forbidden" message is issued, and access to the site is denied. The CRAM can be used in addition to other security features, such as strong encryption.

The basic form of CRAM can be abused because passwords are comparatively easy to steal. In digest authentication, the more sophisticated of the two forms of CRAM, the password does not appear as plain text sent over the network. This enhances security but does not provide entirely hack-proof protection. Even digest CRAM can be defeated under certain circumstances, giving an unauthorized hacker superuser status. This makes it possible for the hacker to launch a denial-of-service attack, making it difficult or impossible for authorized users to obtain authentication.

This was last updated in September 2005

Continue Reading About CRAM (challenge-response authentication mechanism)

Dig Deeper on Identity and access management