draft-ietf-sasl-rfc2222bis-05.txt   draft-ietf-sasl-rfc2222bis-06.txt 
Network Working Group A. Melnikov Network Working Group A. Melnikov
Internet Draft Editor Internet Draft Editor
Document: draft-ietf-sasl-rfc2222bis-05.txt January 2004 Document: draft-ietf-sasl-rfc2222bis-06.txt February 2004
Obsoletes: RFC 2222 Expires in six months Obsoletes: RFC 2222 Expires in six months
Simple Authentication and Security Layer (SASL) Simple Authentication and Security Layer (SASL)
Status of this Memo Status of this Memo
This document is an Internet Draft and is in full conformance with This document is an Internet Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. all provisions of Section 10 of RFC 2026.
Internet Drafts are working documents of the Internet Engineering Internet Drafts are working documents of the Internet Engineering
skipping to change at page 2, line ? skipping to change at page 2, line ?
Internet Drafts as reference material or to cite them other than as Internet Drafts as reference material or to cite them other than as
``work in progress''. ``work in progress''.
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
A revised version of this draft document will be submitted to the RFC A revised version of this draft document will be submitted to the RFC
editor as a Proposed Standard for the Internet Community. Discussion editor as a Standards Track RFC for the Internet Community.
and suggestions for improvement are requested. Distribution of this Discussion and suggestions for improvement are requested.
draft is unlimited. Distribution of this draft is unlimited.
When published as an RFC this document will obsolete RFC 2222. When published as an RFC this document will obsolete RFC 2222.
Internet DRAFT SASL 25 January 2004 Internet DRAFT SASL 14 February 2004
1. Abstract 1. Abstract
The Simple Authentication and Security Layer (SASL) provides a method The Simple Authentication and Security Layer (SASL) provides a method
for adding authentication support with an optional security layer to for adding authentication support with an optional security layer to
connection-based protocols. It also describes a structure for connection-based protocols. It also describes a structure for
authentication mechanisms. The result is an abstraction layer authentication mechanisms. The result is an abstraction layer
between protocols and authentication mechanisms such that any SASL- between protocols and authentication mechanisms such that any SASL-
compatible authentication mechanism can be used with any SASL- compatible authentication mechanism can be used with any SASL-
compatible protocol. compatible protocol.
This document describes how a SASL authentication mechanism is This document describes how a SASL authentication mechanism is
structured, describes how a protocol adds support for SASL, defines structured, describes how a protocol adds support for SASL, defines
the protocol for carrying a security layer over a connection, and the protocol for carrying a security layer over a connection, and
defines the EXTERNAL SASL authentication mechanism. defines the EXTERNAL SASL authentication mechanism.
2. Organization of this document 2. Organization of this document
2.1. How to read this document 2.1. How to read this document
This document is written to serve two different audiences, protocol This document is written to serve several different audiences,
designers using this specification to support authentication in their protocol designers using this specification to support authentication
protocol, and implementors of clients or servers for those protocols in their protocol, mechanism designers that define new SASL
using this specification. mechanisms, and implementors of clients or servers for those
protocols using this specification.
The sections "Overview", "Authentication Mechanisms", "Protocol The sections "Overview", "Authentication Mechanisms", "Protocol
Profile Requirements", "Specific Issues", and "Security Profile Requirements", "Specific Issues", and "Security
Considerations" cover issues that protocol designers need to Considerations" cover issues that protocol designers need to
understand and address in profiling this specification for use in a understand and address in profiling this specification for use in a
specific protocol. specific protocol.
The sections "Overview", "Authentication Mechanisms", "Mechanism
Profile Requirements" and "Security Considerations" cover issues that
mechanism designers need to understand and address in designing new
SASL mechanisms.
Implementors of a protocol using this specification need the Implementors of a protocol using this specification need the
protocol-specific profiling information in addition to the protocol-specific profiling information in addition to the
information in this document. information in this document.
2.2. Conventions used in this document 2.2. Conventions used in this document
In examples, "C:" and "S:" indicate lines sent by the client and In examples, "C:" and "S:" indicate lines sent by the client and
server respectively. server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS]. use in RFCs to Indicate Requirement Levels" [KEYWORDS].
Internet DRAFT SASL 14 February 2004
Character names in this document use the notation for code points and Character names in this document use the notation for code points and
names from the Unicode Standard [Unicode]. For example, the letter names from the Unicode Standard [Unicode]. For example, the letter
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
This document uses terms "integrity protection" and "confidentiality This document uses terms "integrity protection" and "confidentiality
Internet DRAFT SASL 25 January 2004
protection". The former references to a security layer that is able protection". The former references to a security layer that is able
to detect data modification by using some kind of hash. However, to detect data modification by using some kind of hash. However,
integrity protection doesn't make the data unreadable to an attacker. integrity protection doesn't make the data unreadable to an attacker.
Confidentiality protection is a security layer that is able to make Confidentiality protection is a security layer that is able to make
the data unreadable to an attacker by using encryption. the data unreadable to an attacker by using encryption.
Confidentiality protection usually implies integrity protection. Confidentiality protection usually implies integrity protection.
3. Overview 3. Overview
The Simple Authentication and Security Layer (SASL) is a method for The Simple Authentication and Security Layer (SASL) is a method for
skipping to change at page 3, line 49 skipping to change at page 4, line 4
This separation between the definition of protocols and the This separation between the definition of protocols and the
definition of authentication mechanisms is crucial. It permits an definition of authentication mechanisms is crucial. It permits an
authentication mechanism to be defined once, making it usable by any authentication mechanism to be defined once, making it usable by any
SASL protocol profile. In many implementations, the same SASL SASL protocol profile. In many implementations, the same SASL
mechanism code is used for multiple protocols. mechanism code is used for multiple protocols.
4. Authentication mechanisms 4. Authentication mechanisms
SASL mechanisms are named by strings, from 1 to 20 characters in SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of ASCII [ASCII] upper-case letters, digits, length, consisting of ASCII [ASCII] upper-case letters, digits,
Internet DRAFT SASL 14 February 2004
hyphens, and/or underscores. SASL mechanism names must be registered hyphens, and/or underscores. SASL mechanism names must be registered
with the Internet Assigned Numbers Authority (IANA). IETF standards with the Internet Assigned Numbers Authority (IANA). IETF standards
track documents may direct the IANA to reserve a portion of the SASL track documents may direct the IANA to reserve a portion of the SASL
mechanism namespace and may specify different registration criteria mechanism namespace and may specify different registration criteria
for the reserved portion; the GSSAPI mechanism specification for the reserved portion; the GSSAPI mechanism specification
Internet DRAFT SASL 25 January 2004
[SASL-GSSAPI] does this. Procedures for registering new SASL [SASL-GSSAPI] does this. Procedures for registering new SASL
mechanisms are given in section 8. mechanisms are given in section 8.
The "sasl-mech" production below defines the syntax of a SASL The "sasl-mech" production below defines the syntax of a SASL
mechanism name. This uses the Augmented Backus-Naur Form (ABNF) mechanism name. This uses the Augmented Backus-Naur Form (ABNF)
notation as specified in [ABNF] and the ABNF core rules as specified notation as specified in [ABNF] and the ABNF core rules as specified
in Appendix A of the ABNF specification [ABNF]. in Appendix A of the ABNF specification [ABNF].
sasl-mech = 1*20mech-char sasl-mech = 1*20mech-char
mech-char = %x41-5A / DIGIT / "-" / "_" mech-char = %x41-5A / DIGIT / "-" / "_"
skipping to change at page 4, line 47 skipping to change at page 5, line 5
or abort the exchange. The protocol's profile specifies how each of or abort the exchange. The protocol's profile specifies how each of
these is then represented over the connection. these is then represented over the connection.
During the authentication protocol exchange, the mechanism performs During the authentication protocol exchange, the mechanism performs
authentication, transmits an authorization identity (frequently known authentication, transmits an authorization identity (frequently known
as a userid) from the client to server, and negotiates the use of a as a userid) from the client to server, and negotiates the use of a
mechanism-specific security layer. If the use of a security layer is mechanism-specific security layer. If the use of a security layer is
agreed upon, then the mechanism must also define or negotiate the agreed upon, then the mechanism must also define or negotiate the
maximum security layer buffer size that each side is able to receive. maximum security layer buffer size that each side is able to receive.
Internet DRAFT SASL 14 February 2004
4.2. Authorization and authentication identities 4.2. Authorization and authentication identities
SASL authentication deals with two identities: the authorization SASL authentication deals with two identities: the authorization
identity and the authentication identity. The transmitted identity and the authentication identity. The transmitted
authorization identity may be an empty string (zero length), but the authorization identity may be an empty string (zero length), but the
transmitted authentication identity may not be an empty string. transmitted authentication identity may not be an empty string.
Internet DRAFT SASL 25 January 2004 A mechanisms which are incapable of transmitting an authorization
identity must be treated as if it always transmits an authorization
While some legacy mechanisms are incapable of transmitting an identity of an empty string.
authorization identity (which means that for these mechanisms the
authorization identity is always the empty string), newly defined
mechanisms SHOULD be capable of transmiting a non-empty authorization
identity.
Authentication identity is the identity derived from the client's Authentication identity is the identity derived from the client's
authentication credentials. authentication credentials.
The authorization identity is used by the server as the primary The authorization identity is used by the server as the primary
identity for making access policy decisions. identity for making access policy decisions.
4.2.1. Authorization identities and proxy authentication 4.2.1. Authorization identities and proxy authentication
With any mechanism, transmitting an authorization identity of the With any mechanism, transmitting an authorization identity of the
skipping to change at page 5, line 47 skipping to change at page 5, line 52
exchange. exchange.
As a client might not have the same information as the server, As a client might not have the same information as the server,
clients SHOULD NOT derive authorization identities from clients SHOULD NOT derive authorization identities from
authentication identities. Instead, clients SHOULD provide no (or authentication identities. Instead, clients SHOULD provide no (or
empty) authorization identity when the user has not provided an empty) authorization identity when the user has not provided an
authorization identity. authorization identity.
The server SHOULD verify that a received authorization identity is in The server SHOULD verify that a received authorization identity is in
the correct form. Profiles whose authorization identities are simple the correct form. Profiles whose authorization identities are simple
user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLPrep" profile user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep" profile
[SASLPrep] of the "stringprep" algorithm [StringPrep] to prepare [SASLprep] of the "stringprep" algorithm [StringPrep] to prepare
these names for matching. The profiles MAY use a stringprep profile these names for matching. The profiles MAY use a stringprep profile
that is more strict than "SASLPrep". If the preparation of the
Internet DRAFT SASL 14 February 2004
that is more strict than "SASLprep". If the preparation of the
authorization identity fails or results in an empty string, the authorization identity fails or results in an empty string, the
server MUST fail the authentication exchange. The only exception to server MUST fail the authentication exchange. The only exception to
this rule is when the received authorization identity is already the this rule is when the received authorization identity is already the
empty string. empty string.
Internet DRAFT SASL 25 January 2004
4.2.2. Authorization Identity Format 4.2.2. Authorization Identity Format
An authorization identity is a string of zero or more Unicode An authorization identity is a string of zero or more Unicode
[Unicode] coded characters. The NUL <U+0000> character is not [Unicode] coded characters. The NUL <U+0000> character is not
permitted in authorization identities. permitted in authorization identities.
The character encoding scheme used for transmitting an authorization The character encoding scheme used for transmitting an authorization
identity over the protocol is specified in each authentication identity over the protocol is specified in each authentication
mechanism All IETF-defined mechanisms MUST, and all other mechanisms mechanism. All IETF-defined mechanisms MUST, and all other
SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF policy mechanisms SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF
regarding character sets and encoding schemes.) policy regarding character sets and encoding schemes.)
Mechanisms are expected to be capable of carrying the entire Unicode Mechanisms are expected to be capable of carrying the entire Unicode
repertoire (with the exception of the NUL character). An repertoire (with the exception of the NUL character). An
authorization identity of the empty string and an absent authorization identity of the empty string and an absent
authorization identity MUST be treated as equivalent. A mechanism authorization identity MUST be treated as equivalent. A mechanism
which provides an optional field for an authorization identity, which provides an optional field for an authorization identity,
SHOULD NOT allow that field, when present, to be empty. The meaning SHOULD NOT allow that field, when present, to be empty. The meaning
of an authorization identity of the empty string is described in the of the empty string as an authorization identity is described in the
previous section. previous section.
4.3. Security layers 4.3. Security layers
If use of a security layer is negotiated by the authentication If use of a security layer is negotiated by the authentication
protocol exchange, the security layer is applied to all subsequent protocol exchange, the security layer is applied to all subsequent
data sent over the connection (until another security layer is data sent over the connection (until another security layer is
negotiated; see also section 6.3). The security layer takes effect negotiated; see also section 6.3). The security layer takes effect
immediately following the last response of the authentication immediately following the last response of the authentication
exchange for data sent by the client and the completion indication exchange for data sent by the client and the completion indication
skipping to change at page 6, line 49 skipping to change at page 7, line 4
layer automatically select no security layer. layer automatically select no security layer.
Once the security layer is in effect the protocol stream is processed Once the security layer is in effect the protocol stream is processed
by the security layer into buffers of security encoded data. Each by the security layer into buffers of security encoded data. Each
buffer of security encoded data is transferred over the connection as buffer of security encoded data is transferred over the connection as
a stream of octets prepended with a four octet field in network byte a stream of octets prepended with a four octet field in network byte
order that represents the length of the following buffer. The length order that represents the length of the following buffer. The length
of the security encoded data buffer MUST be no larger than the of the security encoded data buffer MUST be no larger than the
maximum size that was either defined in the mechanism specification maximum size that was either defined in the mechanism specification
or negotiated by the other side during the authentication protocol or negotiated by the other side during the authentication protocol
Internet DRAFT SASL 14 February 2004
exchange. Upon the receipt of a data buffer which is larger than the exchange. Upon the receipt of a data buffer which is larger than the
defined/negotiated maximal buffer size the receiver SHOULD close the defined/negotiated maximal buffer size the receiver SHOULD close the
connection. This might be a sign of an attack or a buggy connection. This might be a sign of an attack or a buggy
implementation. implementation.
Internet DRAFT SASL 25 January 2004 5. Protocol and mechanism profiles
4.4. Character string issues
Authentication mechanisms SHOULD encode character strings in UTF-8
[UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character
sets in IETF protocols). In order to avoid interoperability problems
due to differing normalizations, when a mechanisms specifies that
character data is to be used as input to a cryptographic and/or
comparison function, the mechanism specification MUST detail how the
data is to be represented, including any normalizations or other
preparations, to ensure proper function. Designers of mechanisms
SHOULD use the "SASLprep" profile [SASLPrep] of the "stringprep"
algorithm [StringPrep] where applicable.
There are three entities that have to deal with this issue: a client
(upon getting user input or retrieving a value from configuration), a
server (upon receiving the value from the client) and a utility that
is able to store passwords/hashes in a database that can be later
used by the server. SASL mechanisms must define which entity (or
entities) must perform the preparation. If preparation fails or
results in an empty string, the entity doing the preparation SHALL
fail the authentication exchange (or, in case of the utility, refuse
to store the data).
5. Protocol profile requirements 5.1. Protocol profile requirements
In order to use this specification, a protocol definition MUST supply In order to use this specification, a protocol definition MUST supply
the following information: the following information:
1) A service name, to be selected from the IANA registry of "service" 1) A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form [GSSAPI]. This elements for the GSSAPI host-based service name form [GSSAPI]. This
service name is made available to the authentication mechanism. service name is made available to the authentication mechanism.
The registry is available at the URL The registry is available at the URL
<http://www.iana.org/assignments/gssapi-service-names>. <http://www.iana.org/assignments/gssapi-service-names>.
2) A definition of the command to initiate the authentication 2) A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the name of protocol exchange. This command must have as a parameter the name of
the mechanism being selected by the client. the mechanism being selected by the client.
The command SHOULD have an optional parameter giving an initial The command SHOULD have an optional parameter giving an initial
response. This optional parameter allows the client to avoid a round response. If the protocol allows for the initial response, the
trip when using a mechanism which is defined to have the client send protocol profile SHOULD also describe how an empty initial response
data first. When this initial response is sent by the client and the is encoded. This optional parameter allows the client to avoid a
selected mechanism is defined to have the server start with an round trip when using a mechanism which is defined to have the client
initial challenge, the command fails. See section 6.1 of this send data first. When this initial response is sent by the client
and the selected mechanism is defined to have the server start with
an initial challenge, the command fails. See section 6.1 of this
document for further information. document for further information.
Internet DRAFT SASL 25 January 2004
3) A definition of the method by which the authentication protocol 3) A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and responses exchange is carried out, including how the challenges and responses
are encoded, how the server indicates completion or failure of the are encoded, how the server indicates completion or failure of the
exchange, how the client aborts an exchange, and how the exchange exchange, how the client aborts an exchange, and how the exchange
method interacts with any line length limits in the protocol. method interacts with any line length limits in the protocol.
The exchange method SHOULD allow the server to include an optional The exchange method SHOULD allow the server to include an optional
data ("optional challenge") with a success notification. This allows data ("optional challenge") with a success notification. This allows
the server to avoid a round trip when using a mechanism which is the server to avoid a round trip when using a mechanism which is
defined to have the server send additional data along with the defined to have the server send additional data along with the
indication of successful completion. See section 6.2 of this indication of successful completion. See section 6.2 of this
document for further information. document for further information.
4) A protocol profile SHOULD specify a mechanism through which a 4) A protocol profile SHOULD specify a mechanism through which a
client may obtain the names of the SASL mechanisms available to it. client may obtain the names of the SASL mechanisms available to it.
Internet DRAFT SASL 14 February 2004
This is typically done through the protocol's extensions or This is typically done through the protocol's extensions or
capabilities mechanism. capabilities mechanism.
5) Identification of the octet where any negotiated security layer 5) Identification of the octet where any negotiated security layer
starts to take effect, in both directions. starts to take effect, in both directions.
6) Specify if the protocol profile supports "multiple 6) Specify if the protocol profile supports "multiple
authentications" (see section 6.3). authentications" (see section 6.3).
7) If both TLS and SASL security layer are allowed to be negotiated 7) If both TLS and SASL security layer are allowed to be negotiated
by the protocol, the protocol profile MUST define in which order they by the protocol, the protocol profile MUST define in which order they
are applied to a cleartext data sent over the connection. are applied to a cleartext data sent over the connection.
8) A protocol profile MAY further refine the definition of an 8) A protocol profile MAY further refine the definition of an
authorization identity by adding additional syntactic restrictions authorization identity by adding additional syntactic restrictions
and protocol-specific semantics. A protocol profile MUST specify the and protocol-specific semantics. A protocol profile MUST specify the
form of the authorization identity (since it is protocol specific, as form of the authorization identity (since it is protocol specific, as
opposed to the authentication identity, which is mechanism specific) opposed to the authentication identity, which is mechanism specific)
and how authorization identities are to be compared. Profiles whose and how authorization identities are to be compared. Profiles whose
authorization identities are simple user names (e.g. IMAP [RFC 3501]) authorization identities are simple user names (e.g. IMAP [RFC 3501])
SHOULD use "SASLPrep" profile [SASLPrep] of the "stringprep" SHOULD use "SASLprep" profile [SASLprep] of the "stringprep"
algorithm [StringPrep] to prepare these names for matching. The algorithm [StringPrep] to prepare these names for matching. The
profiles MAY use a stringprep profile that is more strict than profiles MAY use a stringprep profile that is more strict than
SASLPrep. SASLprep.
A protocol profile SHOULD NOT attempt to amend the definition of A protocol profile SHOULD NOT attempt to amend the definition of
mechanisms or make mechanism-specific encodings. This breaks the mechanisms or make mechanism-specific encodings. This breaks the
separation between protocol and mechanism that is fundamental to the separation between protocol and mechanism that is fundamental to the
design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral. design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral.
Internet DRAFT SASL 25 January 2004 5.2. Mechanism profile guidelines
Designers of new SASL mechanism should be aware of the following
issues:
1) Authorization identity.
While some legacy mechanisms are incapable of transmitting an
authorization identity (which means that for these mechanisms the
authorization identity is always the empty string), newly defined
mechanisms SHOULD be capable of transmitting a non-empty
authorization identity. See also section 4.2.
2) Character string issues
Authentication mechanisms SHOULD encode character strings in UTF-8
[UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character
Internet DRAFT SASL 14 February 2004
sets in IETF protocols). In order to avoid interoperability problems
due to differing normalizations, when a mechanisms specifies that
character data is to be used as input to a cryptographic and/or
comparison function, the mechanism specification MUST detail how the
data is to be represented, including any normalizations or other
preparations, to ensure proper function. Designers of mechanisms
SHOULD use the "SASLprep" profile [SASLprep] of the "stringprep"
algorithm [StringPrep] where applicable.
The preparation can be potentially performed on the client end (upon
getting user input or retrieving a value from configuration) or on
the server end (upon receiving the value from the client, retrieving
a value from its authentication database or generating a new value in
order to store in in the authentication database). SASL mechanisms
must define which entity (or entities) must perform the preparation.
If preparation fails or results in an empty string, the entity doing
the preparation SHALL fail the authentication exchange.
Implementation note: A server end can be represented by multiple
processes. For example, it may consist of the server process itself
that communicated with a client, and a command line utility (a server
agent) that is able to store passwords/hashes in a database that can
be later used by the server. For the server agent the requirement to
"fail the authentication exchange" should be interpreted as a
requirement to refuse to store the data in the database.
6. Specific issues 6. Specific issues
6.1. Client sends data first 6.1. Client sends data first
Some mechanisms specify that the first data sent in the Some mechanisms specify that the first data sent in the
authentication protocol exchange is from the client to the server. authentication protocol exchange is from the client to the server.
If a protocol's profile permits the command which initiates an If a protocol's profile permits the command which initiates an
authentication protocol exchange to contain an initial client authentication protocol exchange to contain an initial client
response, this parameter SHOULD be used with such mechanisms. response, this parameter SHOULD be used with such mechanisms.
If the initial client response parameter is not given, or if a If the initial client response parameter is not given, or if a
protocol's profile does not permit the command which initiates an protocol's profile does not permit the command which initiates an
authentication protocol exchange to contain an initial client authentication protocol exchange to contain an initial client
response, then the server issues a challenge with no data. The response, then the server issues a challenge with no data. The
client's response to this challenge is then used as the initial client's response to this challenge is then used as the initial
client response. (The server then proceeds to send the next client response. (The server then proceeds to send the next
challenge, indicates completion, or indicates failure.) challenge, indicates completion, or indicates failure.)
6.1.1. Examples Internet DRAFT SASL 14 February 2004
6.1.1. Client sends data first examples
The following are two examples of an SECURID authentication [SASL- The following are two examples of an SECURID authentication [SASL-
SECURID] in the SMTP protocol [SMTP]. In the first example below, SECURID] in the SMTP protocol [SMTP]. In the first example below,
the client is trying fast reauthentication by sending the initial the client is trying fast reauthentication by sending the initial
response: response:
S: 220-smtp.example.com ESMTP Server S: 220-smtp.example.com ESMTP Server
C: EHLO client.example.com C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com, pleased to meet you S: 250-smtp.example.com Hello client.example.com, pleased to meet you
S: 250-AUTH GSSAPI SECURID S: 250-AUTH GSSAPI SECURID
skipping to change at page 10, line 5 skipping to change at page 10, line 35
S: 220-smtp.example.com ESMTP Server S: 220-smtp.example.com ESMTP Server
C: EHLO client.example.com C: EHLO client.example.com
S: 250-smtp.example.com Hello client.example.com, pleased to meet you S: 250-smtp.example.com Hello client.example.com, pleased to meet you
S: 250-AUTH GSSAPI SECURID S: 250-AUTH GSSAPI SECURID
S: 250 DSN S: 250 DSN
C: AUTH SECURID C: AUTH SECURID
S: 334 S: 334
C: AG1hZ251cwAxMjM0NTY3OAA= C: AG1hZ251cwAxMjM0NTY3OAA=
S: 235 Authentication successful S: 235 Authentication successful
Internet DRAFT SASL 25 January 2004
Section 7.2 contains an additional example. Section 7.2 contains an additional example.
6.2. Server returns success with additional data 6.2. Server returns success with additional data
Some mechanisms may specify that additional data be sent to the Some mechanisms may specify that additional data be sent to the
client along with an indication of successful completion of the client along with an indication of successful completion of the
exchange. This data would, for example, authenticate the server to exchange. This data would, for example, authenticate the server to
the client. the client.
If a protocol's profile does not permit this additional data to be If a protocol's profile does not permit this additional data to be
returned with a success indication, then the server issues the data returned with a success indication, then the server issues the data
as a server challenge, without an indication of successful as a server challenge, without an indication of successful
completion. The client then responds with no data. After receiving completion. The client then responds with no data. After receiving
this empty response, the server then indicates successful completion this empty response, the server then indicates successful completion
(with no additional data). (with no additional data).
Client implementors should be aware of an additional failure case Client implementors should be aware of an additional failure case
that might occur when the profile supports sending the additional that might occur when the profile supports sending the additional
data with success. Imagine that an active attacker is trying to data with success. Imagine that an active attacker is trying to
Internet DRAFT SASL 14 February 2004
impersonate the server and sends faked data, which should be used to impersonate the server and sends faked data, which should be used to
authenticate the server to the client, with success. (A similar authenticate the server to the client, with success. (A similar
situation can happen when either the server and/or the client has a situation can happen when either the server and/or the client has a
bug and they calculate different responses.) After checking the data, bug and they calculate different responses.) After checking the data,
the client will think that the authentication exchange has failed, the client will think that the authentication exchange has failed,
however the server will think that the authentication exchange has however the server will think that the authentication exchange has
completed successfully. At this point the client can not abort the completed successfully. At this point the client can not abort the
authentication exchange; it SHOULD close the connection instead. authentication exchange; it SHOULD close the connection instead.
However, if the profile did not support sending of additional data However, if the profile did not support sending of additional data
with success, the client could have aborted the exchange at the very with success, the client could have aborted the exchange at the very
last step of the authentication exchange. last step of the authentication exchange.
6.2.1. Examples 6.2.1. Server returns success with additional data examples
The following are two examples of a DIGEST-MD5 authentication [SASL- The following are two examples of a DIGEST-MD5 authentication [SASL-
DIGEST] in the XMPP protocol [XMPP]. In the first example below, the DIGEST] in the XMPP protocol [XMPP]. In the first example below, the
server is sending mutual authentication data with success. server is sending mutual authentication data with success.
C: <stream:stream C: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' xmlns:stream='http://etherx.jabber.org/streams'
to='example.com' to='example.com'
version='1.0'> version='1.0'>
S: <stream:stream S: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_234' id='c2s_234'
from='example.com' from='example.com'
Internet DRAFT SASL 25 January 2004
version='1.0'> version='1.0'>
S: <stream:features> S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism> <mechanism>DIGEST-MD5</mechanism>
<mechanism>CRAM-MD5</mechanism> <mechanism>CRAM-MD5</mechanism>
</mechanisms> </mechanisms>
</stream:features> </stream:features>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/> mechanism='DIGEST-MD5'/>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg== LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
</challenge> </challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK YXJzZXQ9dXRmLTgK
Internet DRAFT SASL 14 February 2004
</response> </response>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo= cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</success> </success>
The example below is almost identical to the previous, but here The example below is almost identical to the previous, but here
the server chooses not to use the additional data with success. the server chooses not to use the additional data with success.
C: <stream:stream C: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
skipping to change at page 12, line 4 skipping to change at page 12, line 36
S: <stream:features> S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism> <mechanism>DIGEST-MD5</mechanism>
<mechanism>CRAM-MD5</mechanism> <mechanism>CRAM-MD5</mechanism>
</mechanisms> </mechanisms>
</stream:features> </stream:features>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/> mechanism='DIGEST-MD5'/>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
Internet DRAFT SASL 25 January 2004
LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg== LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
</challenge> </challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK YXJzZXQ9dXRmLTgK
</response> </response>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo= cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</challenge> </challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
6.3. Multiple authentications 6.3. Multiple authentications
Unless otherwise stated by the protocol's profile, only one Unless otherwise stated by the protocol's profile, only one
successful SASL negotiation may occur in a protocol session. In this successful SASL negotiation may occur in a protocol session. In this
Internet DRAFT SASL 14 February 2004
case, once an authentication protocol exchange has successfully case, once an authentication protocol exchange has successfully
completed, further attempts to initiate an authentication protocol completed, further attempts to initiate an authentication protocol
exchange fail. exchange fail.
If a profile explicitly permits multiple successful SASL negotiations If a profile explicitly permits multiple successful SASL negotiations
to occur, then in no case may multiple security layers be to occur, then in no case may multiple security layers be
simultaneously in effect. If a security layer is in effect and a simultaneously in effect. If a security layer is in effect and a
subsequent SASL negotiation selects a second security layer, then the subsequent SASL negotiation selects a second security layer, then the
second security layer replaces the first. If a security layer is in second security layer replaces the first. If a security layer is in
effect and a subsequent SASL negotiation selects no security layer, effect and a subsequent SASL negotiation selects no security layer,
skipping to change at page 13, line 5 skipping to change at page 13, line 34
implementations. The protocol profiles that allow for implementations. The protocol profiles that allow for
reauthentication SHOULD recommend that another security layer is reauthentication SHOULD recommend that another security layer is
negotiated once a security layer was installed. negotiated once a security layer was installed.
Also note, that if a subsequent authentication fails, the protocol Also note, that if a subsequent authentication fails, the protocol
profile MAY allow the connection state to return to non- profile MAY allow the connection state to return to non-
authenticated, however the previously negotiated security layer MUST authenticated, however the previously negotiated security layer MUST
NOT be removed. Only a successful reauthentication is able NOT be removed. Only a successful reauthentication is able
replace/remove the previously negotiated security layer. replace/remove the previously negotiated security layer.
Internet DRAFT SASL 25 January 2004
6.3.1. Description of Multiple Authentication attack 6.3.1. Description of Multiple Authentication attack
Let's assume that the protected resources on a server are partitioned Let's assume that the protected resources on a server are partitioned
into a set of protection spaces, each with its own authentication into a set of protection spaces, each with its own authentication
mechanisms and/or authorization database. Let's use the term mechanisms and/or authorization database. Let's use the term
"partition" to reference any such protected space. An example of a "partition" to reference any such protected space. An example of a
partition might be an HTTP "realm". Also a proxy/frontend can use partition might be an HTTP "realm". Also a proxy/frontend can use
different partitions for different servers/backends it represents. different partitions for different servers/backends it represents.
Now consider the following scenario. A client has already Now consider the following scenario. A client has already
authenticated and established a security layer with "Partition A" authenticated and established a security layer with "Partition A"
which is managed by the server AA. Now the same client authenticates which is managed by the server AA. Now the same client authenticates
to "Partition B" (managed by the server BB) without negotiating a new to "Partition B" (managed by the server BB) without negotiating a new
security layer, while the security layer negotiated with "Partition security layer, while the security layer negotiated with "Partition
A" remains in effect. The server BB is now able to observe how known A" remains in effect. The server BB is now able to observe how known
cleartext is encrypted. This scenario enables the server BB to make cleartext is encrypted. This scenario enables the server BB to make
guesses about previously observed ciphertext between the client and guesses about previously observed ciphertext between the client and
the server AA using the server's SASL engine as an oracle. This the server AA using the server's SASL engine as an oracle. This
scenario is illustrated below: scenario is illustrated below:
Internet DRAFT SASL 25 January 2004 Internet DRAFT SASL 14 February 2004
+---------+ +---------+ +---------+ +---------+
| | | | | | | |
|Partition| |Partition| |Partition| |Partition|
| B | | A | | B | | A |
+---------+ +---------+ +---------+ +---------+
| ^ | | ^ |
| : +-----------+ | | : +-----------+ |
Traffic from | : | Encryption| | Traffic from A Traffic from | : | Encryption| | Traffic from A
B to client +-------->| end point |<-------+ to client B to client +-------->| end point |<-------+ to client
skipping to change at page 14, line 35 skipping to change at page 14, line 35
(1) Recording +---------:| | and a single client only. (1) Recording +---------:| | and a single client only.
encrypted | | Separate tunnels to different encrypted | | Separate tunnels to different
traffic between | | clients. traffic between | | clients.
Partition A and client +---+ Partition A and client +---+
| |
| |
+-----------> Traffic to clients +-----------> Traffic to clients
<<Some text about trust relationship here. <<Some text about trust relationship here.
Where this suitation cannot be managed through trust relationship, it Where this situation cannot be managed through trust relationship, it
may be approrpiate for the server implementation to not support may be appropriate for the server implementation to not support
multiple authentications. >> multiple authentications. >>
7. The EXTERNAL mechanism 7. The EXTERNAL mechanism
The mechanism name associated with external authentication is The mechanism name associated with external authentication is
"EXTERNAL". "EXTERNAL".
The client sends an initial response with the UTF-8 encoding of the The client sends an initial response with the UTF-8 encoding of the
authorization identity. The form of the authorization identity is authorization identity. The form of the authorization identity is
further restricted by the application-level protocol's SASL profile. further restricted by the application-level protocol's SASL profile.
The server uses information, external to SASL, to determine whether The server uses information, external to SASL, to determine whether
the client is authorized to authenticate as the authorization the client is authorized to authenticate as the authorization
identity. If the client is so authorized, the server indicates identity. If the client is so authorized, the server indicates
successful completion of the authentication exchange; otherwise the successful completion of the authentication exchange; otherwise the
Internet DRAFT SASL 25 January 2004 Internet DRAFT SASL 14 February 2004
server indicates failure. server indicates failure.
The system providing this external information may be, for example, The system providing this external information may be, for example,
IPSec or TLS. However, the client can make no assumptions as to what IPSec or TLS. However, the client can make no assumptions as to what
information the server can use in determining client authorization. information the server can use in determining client authorization.
E.g., just because TLS was established, doesn't mean that the server For example, just because TLS was established, doesn't mean that the
will use the information provided by TLS. server will use the information provided by TLS.
If the client sends the empty string as the authorization identity If the client sends the empty string as the authorization identity,
(thus requesting that the authorization identity be derived from the the authorization identity is to be derived from authentication
client's authentication credentials), the authorization identity is credentials which exist in the system that is providing the external
to be derived from authentication credentials which exist in the authentication.
system that is providing the external authentication.
7.1. Formal syntax 7.1. Formal syntax
The following syntax specification uses the augmented Backus-Naur The following syntax specification uses the augmented Backus-Naur
Form (BNF) notation as specified in [ABNF]. This uses the ABNF core Form (BNF) notation as specified in [ABNF]. This uses the ABNF core
rules as specified in Appendix A of the ABNF specification [ABNF]. rules as specified in Appendix A of the ABNF specification [ABNF].
Non-terminals referenced but not defined below are as defined by Non-terminals referenced but not defined below are as defined by
[UTF-8]. [UTF-8].
The "extern-init-resp" rule below defines the initial response sent The "extern-init-resp" rule below defines the initial response sent
skipping to change at page 16, line 4 skipping to change at page 15, line 53
client's identity through IPsec and has a security policy that client's identity through IPsec and has a security policy that
permits that identity to proxy authenticate as any other identity. permits that identity to proxy authenticate as any other identity.
To the protocol profile, the four octet sequence "fred" is an opaque To the protocol profile, the four octet sequence "fred" is an opaque
binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies
that server challenges and client responses are encoded in BASE64 that server challenges and client responses are encoded in BASE64
[BASE64]; the BASE64 encoding of "fred" is "ZnJlZA==". [BASE64]; the BASE64 encoding of "fred" is "ZnJlZA==".
S: 220 smtp.example.com ESMTP server ready S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com C: EHLO jgm.example.com
S: 250-smtp.example.com
Internet DRAFT SASL 25 January 2004 Internet DRAFT SASL 14 February 2004
S: 250-smtp.example.com
S: 250 AUTH DIGEST-MD5 EXTERNAL S: 250 AUTH DIGEST-MD5 EXTERNAL
C: AUTH EXTERNAL ZnJlZA== C: AUTH EXTERNAL ZnJlZA==
S: 235 Authentication successful. S: 235 Authentication successful.
The following example is almost identical to the one above, but the The following example is almost identical to the one above, but the
client doesn't use proxy authentication. client doesn't use proxy authentication.
S: 220 smtp.example.com ESMTP server ready S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com C: EHLO jgm.example.com
S: 250-smtp.example.com S: 250-smtp.example.com
skipping to change at page 17, line 5 skipping to change at page 16, line 49
mechanism registrations are currently available at the URL mechanism registrations are currently available at the URL
<http://www.iana.org/assignments/sasl-mechanisms>. <http://www.iana.org/assignments/sasl-mechanisms>.
There is no naming convention for SASL mechanisms; any name that There is no naming convention for SASL mechanisms; any name that
conforms to the syntax of a SASL mechanism name can be registered. conforms to the syntax of a SASL mechanism name can be registered.
An IETF Standards Track document may reserve a portion of the SASL An IETF Standards Track document may reserve a portion of the SASL
mechanism namespace ("family of SASL mechanisms") for its own use, mechanism namespace ("family of SASL mechanisms") for its own use,
amending the registration rules for that portion of the namespace. amending the registration rules for that portion of the namespace.
Each family of SASL mechanisms MUST be identified by a prefix. Each family of SASL mechanisms MUST be identified by a prefix.
Internet DRAFT SASL 25 January 2004
While the registration procedures do not require it, authors of SASL While the registration procedures do not require it, authors of SASL
Internet DRAFT SASL 14 February 2004
mechanisms are encouraged to seek community review and comment mechanisms are encouraged to seek community review and comment
whenever that is feasible. Authors may seek community review by whenever that is feasible. Authors may seek community review by
posting a specification of their proposed mechanism as an Internet- posting a specification of their proposed mechanism as an Internet-
Draft. SASL mechanisms intended for widespread use should be Draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate. standardized through the normal IETF process, when appropriate.
8.3. Comments on SASL mechanism registrations 8.3. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms should first be sent to the Comments on registered SASL mechanisms should first be sent to the
"owner" of the mechanism and/or to the SASL WG mailing list. "owner" of the mechanism and/or to the SASL WG mailing list.
skipping to change at page 18, line 5 skipping to change at page 17, line 53
The IESG is considered to be the owner of all SASL mechanisms which The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track. are on the IETF standards track.
8.5. Registration template 8.5. Registration template
Subject: Registration of SASL mechanism X Subject: Registration of SASL mechanism X
Family of SASL mechanisms: (YES or NO) Family of SASL mechanisms: (YES or NO)
Internet DRAFT SASL 25 January 2004
SASL mechanism name (or prefix for the family): SASL mechanism name (or prefix for the family):
Internet DRAFT SASL 14 February 2004
Security considerations: Security considerations:
Published specification (optional, recommended): Published specification (optional, recommended):
Person & email address to contact for further information: Person & email address to contact for further information:
Intended usage: Intended usage:
(One of COMMON, LIMITED USE or OBSOLETE) (One of COMMON, LIMITED USE or OBSOLETE)
skipping to change at page 19, line 5 skipping to change at page 18, line 51
Intended usage: COMMON Intended usage: COMMON
Owner/Change controller: IESG <iesg@ietf.org> Owner/Change controller: IESG <iesg@ietf.org>
Note: Updates existing entry for EXTERNAL Note: Updates existing entry for EXTERNAL
9. Security considerations 9. Security considerations
Security issues are discussed throughout this memo. Security issues are discussed throughout this memo.
Internet DRAFT SASL 25 January 2004
SASL implementations might be subject to online dictionary attacks
(e.g. username harvesting, password cracking). In order to mitigate
the attacks a server implementation is encouraged to implement a
policy when after a number of failed authentication attempts it
returns errors to all subsequent authentication attempts on the same
connection. Alternatively, the server may implement a policy whereby
the connection is dropped after a number of failed authentication
attempts. If a server implementation chooses to do so, it should not
drop the connection until at least 3 authentication attempts have
failed.
The mechanisms that support integrity protection are designed such The mechanisms that support integrity protection are designed such
that the negotiation of the security layer and authorization identity that the negotiation of the security layer and authorization identity
Internet DRAFT SASL 14 February 2004
is integrity protected. When the client selects a security layer is integrity protected. When the client selects a security layer
with at least integrity protection, this protects against an active with at least integrity protection, this protects against an active
attacker hijacking the connection and modifying the authentication attacker hijacking the connection and modifying the authentication
exchange to negotiate a plaintext connection. exchange to negotiate a plaintext connection.
When a server or client supports multiple authentication mechanisms, When a server or client supports multiple authentication mechanisms,
each of which has a different security strength, it is possible for each of which has a different security strength, it is possible for
an active attacker to cause a party to use the least secure mechanism an active attacker to cause a party to use the least secure mechanism
supported. To protect against this sort of attack, a client or supported. To protect against this sort of attack, a client or
server which supports mechanisms of different strengths should have a server which supports mechanisms of different strengths should have a
skipping to change at page 19, line 48 skipping to change at page 19, line 35
SASL mechanisms to be designed such that an active attacker cannot SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses. the SASL mechanism name and/or the challenges and responses.
In order to detect Man-in-the-middle (MITM) attacks the client MAY In order to detect Man-in-the-middle (MITM) attacks the client MAY
list available SASL mechanisms both before and after the SASL list available SASL mechanisms both before and after the SASL
security layer is negotiated. This allows the client to detect security layer is negotiated. This allows the client to detect
active attacks that remove mechanisms from the server's list of active attacks that remove mechanisms from the server's list of
supported mechanisms, and allows the client to ensure that it is supported mechanisms, and allows the client to ensure that it is
using the best mechanism supported by both client and server. New using the best mechanism supported by both client and server. New
protocol profiles SHOULd require servers to make the list of SASL protocol profiles SHOULD require servers to make the list of SASL
mechanisms available for the initial authentication available to the mechanisms available for the initial authentication available to the
client after security layers are established. Some older protocols client after security layers are established. Some older protocols
do not require this (or don't support listing of SASL mechanisms once do not require this (or don't support listing of SASL mechanisms once
authentication is complete); for these protocols clients MUST NOT authentication is complete); for these protocols clients MUST NOT
treat an empty list of SASL mechanisms after authentication as a MITM treat an empty list of SASL mechanisms after authentication as a MITM
attack. attack.
Internet DRAFT SASL 25 January 2004
Any protocol interactions prior to authentication are performed in Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete. ignored or revalidated once authentication is complete.
When use of a security layer is negotiated by the authentication When use of a security layer is negotiated by the authentication
protocol exchange, the receiver should handle gracefully any security protocol exchange, the receiver should handle gracefully any security
encoded data buffer larger than the defined/negotiated maximal size. encoded data buffer larger than the defined/negotiated maximal size.
In particular, it must not blindly allocate the amount of memory In particular, it must not blindly allocate the amount of memory
Internet DRAFT SASL 14 February 2004
specified in the buffer size field, as this might cause the "out of specified in the buffer size field, as this might cause the "out of
memory" condition. If the receiver detects a large block, it SHOULD memory" condition. If the receiver detects a large block, it SHOULD
close the connection. close the connection.
Distributed server implementations need to be careful in how they Distributed server implementations need to be careful in how they
trust other parties and, in particular, authentication secrets should trust other parties and, in particular, authentication secrets should
only be disclosed to other parties that are trusted to manage and use only be disclosed to other parties that are trusted to manage and use
those secrets in manner acceptable to disclosing party. It should be those secrets in manner acceptable to disclosing party. It should be
noted that where those secrets are used to providing data noted that, where those secrets are used to provide data
confidentiality protections, if a third party (other then the confidentiality protections, if a third party (other than the
discloser/declosee) has knowledge of some portion of the protected discloser/disclosee) has knowledge of some portion of the protected
information, it can use this knowledge in an attack upon other information, it can use this knowledge in an attack upon other
portions of the protected information. portions of the protected information.
Section 6.3.1 contains a description of a potential class of attack Section 6.3.1 contains a description of a potential class of attack
on a distributed server implementation. The section also gives some on a distributed server implementation. The section also gives some
recommendations about mitigating such attacks. recommendations about mitigating such attacks.
"stringprep" and Unicode security considerations apply to "stringprep" and Unicode security considerations apply to
authentication identities, authorization identities and passwords. authentication identities, authorization identities and passwords.
skipping to change at page 21, line 4 skipping to change at page 20, line 43
10. References 10. References
10.1. Normative References 10.1. Normative References
[ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997 Specifications: ABNF", RFC 2234, November 1997
[ASCII] American National Standards Institute, "Code Extension [ASCII] American National Standards Institute, "Code Extension
Techniques for Use with the 7-bit Coded Character Set of American Techniques for Use with the 7-bit Coded Character Set of American
National Standard Code (ASCII) for Information Interchange", FIPS PUB National Standard Code (ASCII) for Information Interchange", FIPS PUB
Internet DRAFT SASL 25 January 2004
35, 1974 35, 1974
[CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and [CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and
Languages", RFC 2277, BCP 18, January 1998 Languages", RFC 2277, BCP 18, January 1998
[GSSAPI] Linn, J., "Generic Security Service Application Program [GSSAPI] Linn, J., "Generic Security Service Application Program
Interface, Version 2, Update 1", RFC 2743, January 2000 Interface, Version 2, Update 1", RFC 2743, January 2000
[ISO-10646] "Universal Multiple-Octet Coded Character Set (UCS) - [ISO-10646] "Universal Multiple-Octet Coded Character Set (UCS) -
Architecture and Basic Multilingual Plane", ISO/IEC 10646-1 : 1993. Architecture and Basic Multilingual Plane", ISO/IEC 10646-1 : 1993.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Internet DRAFT SASL 14 February 2004
Requirement Levels", RFC 2119, BCP 19, March 1997 Requirement Levels", RFC 2119, BCP 19, March 1997
[Unicode] The Unicode Consortium, "The Unicode Standard, Version [Unicode] The Unicode Consortium, "The Unicode Standard, Version
3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading,
MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the
"Unicode Standard Annex #27: Unicode 3.1" "Unicode Standard Annex #27: Unicode 3.1"
(http://www.unicode.org/reports/tr27/) and by the "Unicode Standard (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard
Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).
[Stringprep] Hoffman, P., Blanchet, M., "Preparation of [Stringprep] Hoffman, P., Blanchet, M., "Preparation of
Internationalized Strings ("stringprep")", RFC 3454, December 2002. Internationalized Strings ("stringprep")", RFC 3454, December 2002.
[SASLPrep] Zeilenga, K., "SASLprep: Stringprep profile for user names [SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names
and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt. and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
RFC 3629, STD 63, November 2003. RFC 3629, STD 63, November 2003.
10.2. Informative References 10.2. Informative References
[SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in
progress, draft-ietf-sasl-gssapi-XX.txt, November 2003 progress, draft-ietf-sasl-gssapi-XX.txt, November 2003
skipping to change at page 22, line 5 skipping to change at page 21, line 43
[SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
2444, October 1998. 2444, October 1998.
[SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC [SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC
2808, April 2000. 2808, April 2000.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April
2001. 2001.
Internet DRAFT SASL 25 January 2004
[SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication", [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication",
RFC 2554, March 1999. RFC 2554, March 1999.
Being revised by Siemborski, R., "SMTP Service Extension for Being revised by Siemborski, R., "SMTP Service Extension for
Authentication", work in progress, draft-siemborski-rfc2554bis- Authentication", work in progress, draft-siemborski-rfc2554bis-
XX.txt. XX.txt.
[XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol [XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol
(XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt. (XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt.
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
Internet DRAFT SASL 14 February 2004
Encodings", RFC 3548, July 2003. Encodings", RFC 3548, July 2003.
[RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC [RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC
Authors", RFC 2223, October 1997. Authors", RFC 2223, October 1997.
[IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms. MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms.
11. Editor's Address 11. Editor's Address
skipping to change at page 22, line 45 skipping to change at page 22, line 34
This document is a revision of RFC 2222 written by John G. Myers. He This document is a revision of RFC 2222 written by John G. Myers. He
also contributed significantly to this revision. also contributed significantly to this revision.
Magnus Nystrom provided the ASCII art used in Section 6.3. Magnus Nystrom provided the ASCII art used in Section 6.3.
Definition of partition was extracted from RFC 2617 ("HTTP Definition of partition was extracted from RFC 2617 ("HTTP
Authentication: Basic and Digest Access Authentication"). Authentication: Basic and Digest Access Authentication").
Contributions of many members of the SASL mailing list are gratefully Contributions of many members of the SASL mailing list are gratefully
acknowledged, in particular Kurt D. Zeilenga, Peter Saint-Andre, Rob acknowledged, in particular Kurt D. Zeilenga, Peter Saint-Andre, Rob
Siemborski, Jeffrey Hutzelman, Hallvard B Furuseth and Tony Hansen Siemborski, Jeffrey Hutzelman, Hallvard B Furuseth, Tony Hansen and
for proofreading the document and various editorial suggestions. Abhijit Menon-Sen for proofreading the document and various editorial
suggestions.
13. Full Copyright Statement 13. Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
Internet DRAFT SASL 25 January 2004
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
Internet DRAFT SASL 14 February 2004
English. English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
skipping to change at page 24, line 4 skipping to change at page 23, line 45
the access privileges of the identity for which they are proxying. the access privileges of the identity for which they are proxying.
Upon successful completion of an authentication exchange, the Upon successful completion of an authentication exchange, the
server knows the authorization identity the client wishes to use. server knows the authorization identity the client wishes to use.
This allows servers to move to a "user is authenticated" state in This allows servers to move to a "user is authenticated" state in
the protocol. the protocol.
These features are extremely important to some application protocols, These features are extremely important to some application protocols,
yet Transport Security services do not always provide them. To yet Transport Security services do not always provide them. To
define SASL mechanisms based on these services would be a very messy define SASL mechanisms based on these services would be a very messy
Internet DRAFT SASL 25 January 2004
task, as the framing of these services would be redundant with the task, as the framing of these services would be redundant with the
framing of SASL and some method of providing these important SASL framing of SASL and some method of providing these important SASL
features would have to be devised. features would have to be devised.
Sometimes it is desired to enable within an existing connection the Sometimes it is desired to enable within an existing connection the
use of a security service which does not fit the SASL model. (TLS is use of a security service which does not fit the SASL model. (TLS is
an example of such a service.) This can be done by adding a command, an example of such a service.) This can be done by adding a command,
for example "STARTTLS", to the protocol. Such a command is outside for example "STARTTLS", to the protocol. Such a command is outside
the scope of SASL, and should be different from the command which the scope of SASL, and should be different from the command which
starts a SASL authentication protocol exchange. starts a SASL authentication protocol exchange.
Internet DRAFT SASL 14 February 2004
In certain situations, it is reasonable to use SASL underneath one of In certain situations, it is reasonable to use SASL underneath one of
these Transport Security services. The transport service would these Transport Security services. The transport service would
secure the connection, either service would authenticate the client, secure the connection, either service would authenticate the client,
and SASL would negotiate the authorization identity. The SASL and SASL would negotiate the authorization identity. The SASL
negotiation would be what moves the protocol from "unauthenticated" negotiation would be what moves the protocol from "unauthenticated"
to "authenticated" state. The "EXTERNAL" SASL mechanism is to "authenticated" state. The "EXTERNAL" SASL mechanism is
explicitly intended to handle the case where the transport service explicitly intended to handle the case where the transport service
secures the connection and authenticates the client and SASL secures the connection and authenticates the client and SASL
negotiates the authorization identity. negotiates the authorization identity.
skipping to change at page 25, line 4 skipping to change at page 24, line 44
Added a section on character string issues. Added a section on character string issues.
The word "must" in the first paragraph of the "Protocol profile The word "must" in the first paragraph of the "Protocol profile
requirements" section was changed to "MUST". requirements" section was changed to "MUST".
Specified that protocol profiles SHOULD provide a way for clients to Specified that protocol profiles SHOULD provide a way for clients to
discover available SASL mechanisms. discover available SASL mechanisms.
Made the requirement that protocol profiles specify the semantics of Made the requirement that protocol profiles specify the semantics of
the authorization identity optional to the protocol profile. the authorization identity optional to the protocol profile.
Internet DRAFT SASL 25 January 2004
Clarified that such a specification is a refinement of the definition Clarified that such a specification is a refinement of the definition
in the base SASL spec. in the base SASL spec.
Added a requirement discouraging protocol profiles from breaking the Added a requirement discouraging protocol profiles from breaking the
separation between protocol and mechanism. separation between protocol and mechanism.
Mentioned that standards track documents may carve out their own Mentioned that standards track documents may carve out their own
portions of the SASL mechanism namespace and may amend registration portions of the SASL mechanism namespace and may amend registration
rules for the portion. However registration of individual SASL rules for the portion. However registration of individual SASL
mechanisms is still required. mechanisms is still required.
Internet DRAFT SASL 14 February 2004
Specified that the authorization identity in the EXTERNAL mechanism Specified that the authorization identity in the EXTERNAL mechanism
is encoded in UTF-8. is encoded in UTF-8.
Added a statement that a protocol profile SHOULD allow challenge data Added a statement that a protocol profile SHOULD allow challenge data
to be sent with a success indication. to be sent with a success indication.
Added a security consideration for the EXTERNAL mechansim. Added a security consideration for the EXTERNAL mechanism.
Clarified sections concerning success with additional data. Clarified sections concerning success with additional data.
Cleaned up IANA considerations/registrations and assembled them in Cleaned up IANA considerations/registrations and assembled them in
one place. one place.
Updated references and split them into Informative and Normative. Updated references and split them into Informative and Normative.
Added text to the Security Considerations section regarding handling Added text to the Security Considerations section regarding handling
of extremely large SASL blocks. of extremely large SASL blocks.
Replaced UTF-8 ABNF with the reference to the UTF-8 document. Replaced UTF-8 ABNF with the reference to the UTF-8 document.
Added text about SASLPrep for authentication identities and Added text about SASLprep for authentication identities and
passwords. Described where SASLPrep preparation should take place. passwords. Described where SASLprep preparation should take place.
Added paragraph about verifying authorization identities. Added paragraph about verifying authorization identities.
Added a protocol profile requirement to specify interaction between Added a protocol profile requirement to specify interaction between
SASL and TLS security layers. SASL and TLS security layers.
Added a protocol profile requirement to specify if it supports Added a protocol profile requirement to specify if it supports
reauthentication. reauthentication.
Removed the text that seemed to suggest that SASL security layer must Removed the text that seemed to suggest that SASL security layer must
not be used when TLS is available. not be used when TLS is available.
Created two subsections in 4.2 to talk separately about proxy Created two subsections in 4.2 to talk separately about proxy
authorization and format of the authorization identities. authorization and format of the authorization identities.
Internet DRAFT SASL 25 January 2004
Made requirement to verify that an authorization identity is correct Made requirement to verify that an authorization identity is correct
by performing SASLPrep a SHOULD, instead of a MUST. by performing SASLprep a SHOULD, instead of a MUST.
Clarified that each SASL mechanism must decide where SASLPrep is Clarified that each SASL mechanism must decide where SASLprep is
taking place. taking place.
Added 4 new examples for initial response and additional data with Added 4 new examples for initial response and additional data with
success. success.
Added text on checking the list of available SASL mechanisms after Added text on checking the list of available SASL mechanisms after
negotiating a security layer. negotiating a security layer.
Internet DRAFT SASL 14 February 2004
Added definition of "integrity protection" and "confidentiality Added definition of "integrity protection" and "confidentiality
protection". protection".
Added text about preventing password cracking/username harvesting
attacks.
Added warning about negotiating no layer once a security layer is Added warning about negotiating no layer once a security layer is
negotiated. negotiated.
Internet DRAFT SASL 25 January 2004 Added new section with guidelines to a SASL mechanism designer.
Added a requirement to specify how an empty initial challenge is
encoded if initial response is supported by a protocol.
Internet DRAFT SASL 14 February 2004
Status of this Memo .......................................... i Status of this Memo .......................................... i
1. Abstract ............................................... 2 1. Abstract ............................................... 2
2. Organization of this document .......................... 2 2. Organization of this document .......................... 2
2.1. How to read this document .............................. 2 2.1. How to read this document .............................. 2
2.2. Conventions used in this document ...................... 2 2.2. Conventions used in this document ...................... 2
3. Overview ............................................... 3 3. Overview ............................................... 3
4. Authentication mechanisms .............................. 3 4. Authentication mechanisms .............................. 3
4.1. Authentication protocol exchange ....................... 4 4.1. Authentication protocol exchange ....................... 4
4.2. Authorization and authentication identities ............ 4 4.2. Authorization and authentication identities ............ 4
4.2.1. Authorization identities and proxy authentication .... 5 4.2.1. Authorization identities and proxy authentication .... 5
4.2.2. Authorization Identity Format ........................ 6 4.2.2. Authorization Identity Format ........................ 6
4.3. Security layers ........................................ 6 4.3. Security layers ........................................ 6
4.4. Character string issues ................................ 7 4.4. Character string issues ................................ 7
5. Protocol profile requirements .......................... 7 5. Protocol profile requirements .......................... 7
5. Protocol and mechanism profiles ........................ 7
5.1. Protocol profile requirements .......................... 7
5.2. Mechanism profile guidelines ........................... 8
6. Specific issues ........................................ 9 6. Specific issues ........................................ 9
6.1. Client sends data first ................................ 9 6.1. Client sends data first ................................ 9
6.1.1. Examples ............................................. 9 6.1.1. Examples ............................................. 9
6.2. Server returns success with additional data ........... 10 6.2. Server returns success with additional data ........... 10
6.2.1. Examples ............................................ 10 6.2.1. Examples ............................................ 10
6.3. Multiple authentications .............................. 12 6.3. Multiple authentications .............................. 12
6.3.1. Description of Multiple Authentication attack ....... 13 6.3.1. Description of Multiple Authentication attack ....... 13
7. The EXTERNAL mechanism ................................ 14 7. The EXTERNAL mechanism ................................ 14
7.1. Formal syntax ......................................... 15 7.1. Formal syntax ......................................... 15
7.2. Example ............................................... 15 7.2. Example ............................................... 15
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/