When such software requires authentication over unencrypted connections, CRAM-MD5 is preferred over mechanisms that transmit passwords "in the clear," such as LOGIN and PLAIN. However, it can't prevent derivation of a password through a brute-force attack, so it is less effective than alternative mechanisms that avoid passwords or that use connections encrypted with Transport Layer Security (TLS).
The CRAM-MD5 protocol involves a single challenge and response cycle, and is initiated by the server:
Challenge: The server sends a base64-encoded string to the client. Before encoding, it could be any random string, but the standard that currently defines CRAM-MD5 says that it is in the format of a Message-ID email header value (including angle brackets) and includes an arbitrary string of random digits, a timestamp, and the server's fully qualified domain name.
Response: The client responds with a string created as follows.
The challenge is base64-decoded.
The decoded challenge is passed through HMAC-MD5 (a keyed hash, not encryption), with a shared secret (typically the user's password, or a hash thereof) as the secret key.
The resulting 16-byte MAC is converted to a string of 32 hex digits.
The username and a space character are prepended to the hex digits.
The concatenation is then base64-encoded and sent to the server.
Comparison: The server uses the same method to compute the expected response. If the given response and the expected response match, then authentication was successful.
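The exchange described above, as an added example (not code from the original article): the server builds a Message-ID style challenge, the client computes the HMAC-MD5 response, and the server recomputes and compares it in constant time. The hostname and the password lookup callback are assumptions for illustration; the test vector is the one published in RFC 2195.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional


def make_challenge(fqdn: str, now: Optional[float] = None) -> str:
    """Server side: random digits, timestamp and FQDN in Message-ID form, base64-encoded."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.randbelow(10**10)  # unpredictable part that defeats replay
    plain = f"<{nonce}.{ts}@{fqdn}>"
    return base64.b64encode(plain.encode("ascii")).decode("ascii")


def compute_response(challenge_b64: str, username: str, password: str) -> str:
    """Client side: HMAC-MD5 over the decoded challenge, hex, prefixed by 'username '."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("ascii")).decode("ascii")


def verify_response(challenge_b64: str, response_b64: str,
                    lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side: recompute the expected response for the claimed user and compare.

    Returns the authenticated username, or None on any failure. `lookup` is an
    assumed callback returning the stored secret (here the plaintext password)."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
        username, given = decoded.rsplit(" ", 1)  # digest never contains spaces
    except (ValueError, UnicodeDecodeError):
        return None
    password = lookup(username)
    if password is None:
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # constant-time comparison avoids leaking how many hex digits matched
    return username if hmac.compare_digest(expected, given) else None


if __name__ == "__main__":
    users = {"tim": "tanstaaftanstaaf"}  # constructed sample credential store
    chal = make_challenge("mail.example.test")
    resp = compute_response(chal, "tim", users["tim"])
    print("challenge:", chal)
    print("response: ", resp)
    print("verified as:", verify_response(chal, resp, users.get))
```

Because the challenge carries a fresh random nonce, a response captured from one session fails verification against any later challenge, which is the replay protection the article describes.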
The one-way hash and the fresh random challenge provide three types of security:
Others cannot duplicate the hash without knowing the password. This provides authentication.
Others cannot replay the hash—it is dependent on the unpredictable challenge. This is variously called freshness or replay prevention.
Observers do not learn the password; this is called secrecy.
Weak password storage: some implementations require access to the users' plain text passwords, while others (e.g. Dovecot) use the intermediate step of the HMAC process to store an MD5-based hash of the password (i.e., the inner MD5 and outer MD5 combined).
Threat of reversibility: an offline dictionary attack to recover the password is feasible after capturing a successful CRAM-MD5 protocol exchange (e.g., using Cain & Abel).