Systemspace Network List
Network Enhancement Idea 7
Quintuplicate
28 July 2021

PROGRESS REPORT ON SNIC

0. Introductory Note

This NEI reports the progress I have made on SNIC since NEI 5 was published, in three aspects: (I) figuring out authentication; (II) getting an email address; (III) removal of unneeded features.

I. Authentication

The question of authentication and security had not been answered when NEI 5 was issued. Below I describe what I have done about it: I (A) state the relationship between IMAP, SASL, and OTP; (B) summarize how OTP works and refer to outstanding issues with implementing it in Python with notes {in curly brackets}; and (C) describe these issues. Please tell me if I got anything wrong or if you know any answers to the questions I have raised.

A. Relationship between IMAP, SASL, and OTP

IMAP is a protocol for accessing and working with emails. (See NEI 5 for a summary of how it works.) The problem, however, is that everything, including passwords, is sent in plaintext, and it is therefore vulnerable to eavesdropping. Simple Authentication and Security Layer (SASL) was designed to overcome this shortcoming of IMAP (RFC 2222). SASL is not by itself a mechanism of encryption; it is a uniform method by which clients and servers can agree on such a mechanism, like the One-Time Password (OTP) System (RFC 2289), which has been integrated into SASL in a manner compatible with IMAP (RFC 2444).

B. How OTP Works

When the user initiates authentication specifying OTP as the mechanism, the server sends them, in plaintext, a challenge containing an identifier of the hash function being used, a sequence integer, and a seed, separated by white space; IMAP4 encodes this in base 64 {1}. (A hash function is an algorithm that is easy to compute from input to output but infeasible to reverse; ours is SHA1.) The user has a secret passphrase of between 10 and 63 characters.
The client concatenates it with the seed it has received from the server in plaintext {2}, then passes the result through the hash function and reduces it to 64 bits using an algorithm defined in Appendix A of RFC 2289 {3}. The 64-bit output is passed through the hash function X times. This is sent to the server. The client then passes it through the same hash function X minus one times, and submits this to the server. For every subsequent login, the client just has to pass the output through the hash function one less time than before {4}. This way, the server has only to pass the one-time password submitted to it through the agreed-upon hash function once to verify it, whereas an attacker must invert the hash function to find the next password. When the number of passes through the hash function reaches 1, the OTP generator has to be reinitialized, with either a new passphrase or a new seed {5}.

C. Outstanding Issues

Refer to the corresponding numbers in curly brackets in subpart B.

1. How do I turn that into something Python can work with (base64.b64decode doesn't seem to work)?
2. How do I refer to just the seed and not the rest of the challenge?
3. What language is this in? How do I translate it into Python?
4. Does this mean two separate counters? One to measure how many times the output's been passed through, another to measure how many passes through the hash function have been made?
5. How do I do that?

II. Obtaining Email Address

Yesterday I registered SSN-l at yandex.com (remove the white spaces and substitute @ for "at"). Yandex allows IMAP, but only provides one authorization method, using an "app password". It requires SSL be used for all IMAP connections. Do we need more security? If not, we'll have to find (1) a free online mail provider that (2) allows IMAP, (3) supports SASL as an authorization method, and (4) accepts OTP as one of its capabilities. Tall order? Unfortunately, in this day and age.
Even (1) is getting rarer these days.

III. Feature Creep

A very good point was raised two weeks ago about feature creep. If we overload SNIC with suggestions for features, we will neglect essentials. Accordingly, I withdraw my recommendations in part II of NEI 5. If worse comes to worst, I'll manually forward emails sent to the address I have registered and filter out spam.
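The following Python sketch is added to this report as an illustration of part I.B and the notes {1} through {5} in part I.C; it is not code from SNIC, from NEI 5, or from any of the RFCs cited. It assumes a constructed sample challenge, the conventional starting sequence number 499, and hypothetical names (parse_challenge, sha1_fold, otp_password, client_respond, OtpVerifier). The 64-bit fold is written as I read RFC 2289 Appendix A (digest words 0^2^4 and 1^3, stored little-endian); before relying on it, compare the output against the SHA1 test vectors in the RFC's Appendix C. The verifier shows that the server keeps a single counter: the sequence number of the last password it accepted, from which each new challenge is derived.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample challenge, as an IMAP server would send it after
# AUTHENTICATE OTP: RFC 2444 base64-wraps the RFC 2289 challenge line
# "otp-<hash> <sequence> <seed>".
SAMPLE_CHALLENGE_B64 = base64.b64encode(b"otp-sha1 498 ke1234").decode("ascii")

# Conventional starting sequence number used when (re)initialising.
DEFAULT_SEQUENCE = 499


def parse_challenge(challenge_b64):
    """Decode a base64 OTP challenge into (hash name, sequence, seed).

    base64.b64decode yields bytes; the fields become usable text only
    after .decode("ascii") and .split(). A trailing "ext" token, which
    RFC 2289 allows, is ignored.
    """
    text = base64.b64decode(challenge_b64).decode("ascii")
    algo, seq, seed = text.split()[:3]
    if not algo.startswith("otp-"):
        raise ValueError("not an OTP challenge: %r" % text)
    # RFC 2289: the seed is case-insensitive and is used in lower case.
    return algo[4:], int(seq), seed.lower()


def sha1_fold(data):
    """SHA1 digest folded to 64 bits (RFC 2289 Appendix A, as read here):
    the five 32-bit digest words are XORed as w0^w2^w4 and w1^w3, and the
    two resulting words are stored little-endian."""
    w = struct.unpack(">5I", hashlib.sha1(data).digest())
    return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])


def otp_password(passphrase, seed, count):
    """One-time password number `count`: fold(passphrase + seed), then
    one further fold for each of `count` passes."""
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 10 to 63 characters")
    key = sha1_fold((passphrase + seed.lower()).encode("ascii"))
    for _ in range(count):
        key = sha1_fold(key)
    return key


def client_respond(challenge_b64, passphrase):
    """Client side: answer the challenge in the RFC 2289 'hex:' form."""
    algo, seq, seed = parse_challenge(challenge_b64)
    if algo != "sha1":
        raise ValueError("unsupported hash: " + algo)
    return "hex:" + otp_password(passphrase, seed, seq).hex()


class OtpVerifier:
    """Server side. It stores only the last accepted password and its
    sequence number; the passphrase never reaches the server."""

    def __init__(self, seed, sequence, last_password):
        self.seed = seed.lower()
        self.sequence = sequence
        self.last_password = last_password

    @classmethod
    def initialize(cls, passphrase, seed, sequence=DEFAULT_SEQUENCE):
        """(Re)initialise from the passphrase with a fresh seed and count."""
        return cls(seed, sequence, otp_password(passphrase, seed, sequence))

    def needs_reinit(self):
        # Stop once the stored password is number 1, as note {5} describes:
        # the chain is nearly exhausted and a new seed (or passphrase) is due.
        return self.sequence <= 1

    def challenge(self):
        if self.needs_reinit():
            raise RuntimeError("sequence exhausted; reinitialise with a new seed")
        text = "otp-sha1 %d %s" % (self.sequence - 1, self.seed)
        return base64.b64encode(text.encode("ascii")).decode("ascii")

    def verify(self, response):
        """Fold the submitted password once; it must equal the stored one.
        On success the submitted value becomes the new stored password."""
        if not response.startswith("hex:"):
            return False
        try:
            candidate = bytes.fromhex("".join(response[4:].split()))
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(sha1_fold(candidate), self.last_password):
            return False
        self.sequence -= 1
        self.last_password = candidate
        return True


if __name__ == "__main__":
    server = OtpVerifier.initialize("correct horse battery", "ke1234", 5)
    for _ in range(4):
        chal = server.challenge()
        print(chal, server.verify(client_respond(chal, "correct horse battery")))
    print("needs reinit:", server.needs_reinit())
```

Because verify() replaces the stored password with the one just accepted, replaying a captured response fails: folding it once yields the password two steps up the chain, not the stored one. hmac.compare_digest is used for the comparison so the check does not leak through timing.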