Definition

CRAM (challenge-response authentication mechanism)

CRAM (challenge-response authentication mechanism) is the two-level scheme for authenticating network users that is used as part of the Web's Hypertext Transfer Protocol (HTTP). The two levels are basic authentication and digest authentication.

Using the CRAM, the server (or, alternatively, a proxy server or gateway) issues a challenge to a user in the form of a "401 Unauthorized" request for a password. The password is a string of characters known only to the user and the server. When the server receives the user's response, it checks that the password is correct. If so, the user is authenticated. If not, or if for any other reason the network does not want to accept the password, a "403 Forbidden" message is issued, and access to the site is denied. The CRAM can be used in addition to other security features, such as strong encryption.

The basic form of CRAM can be abused because passwords are comparatively easy to steal. In digest authentication, the more sophisticated of the two forms of CRAM, the password does not appear as plain text sent over the network. This enhances security but does not provide entirely hack-proof protection. Even digest CRAM can be defeated under certain circumstances, giving an unauthorized hacker superuser status. This makes it possible for the hacker to launch a denial-of-service attack, making it difficult or impossible for authorized users to obtain authentication.
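The difference between the two forms can be seen in what actually crosses the network. The following Python sketch is an added example, not part of the original definition; the function names are illustrative, the digest calculation follows RFC 2617 (MD5 with qop=auth), and the sample credentials are those of the RFC's own worked examples.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_from_basic(header):
    """What anyone who sees an unencrypted Basic request can read back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (MD5, qop=auth): a hash bound to the server's nonce is sent."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server recomputes the hash for the nonce it issued and compares."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Sample values from the worked examples in RFC 2617.
    print(recover_from_basic(basic_header("Aladdin", "open sesame")))
    ha1 = md5_hex("Mufasa:testrealm@host.com:Circle Of Life")  # user:realm:password
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    print(resp)
    # The captured response is only valid for the nonce it was computed over.
    print(server_accepts(ha1, "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp))
    print(server_accepts(ha1, "GET", "/dir/index.html", "constructed-fresh-nonce", "00000001", "0a4f113b", resp))
```

The Basic header decodes straight back to the password, which is why it needs an encrypted transport; the Digest response is rejected once the server issues a different nonce, although the stored `ha1` value is itself password-equivalent and must be protected on the server.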

Contributor(s): Susan Prestage
This was last updated in September 2005
Posted by: Margaret Rouse
