draft-ietf-sasl-rfc2222bis-07.txt   draft-ietf-sasl-rfc2222bis-08.txt 
Network Working Group A. Melnikov Network Working Group A. Melnikov
Internet Draft Editor Internet Draft Editor
Document: draft-ietf-sasl-rfc2222bis-07.txt March 2004 Document: draft-ietf-sasl-rfc2222bis-08.txt June 2004
Obsoletes: RFC 2222 Expires in six months Obsoletes: RFC 2222 Expires in six months
Simple Authentication and Security Layer (SASL) Simple Authentication and Security Layer (SASL)
Status of this Memo Status of this Memo
This document is an Internet Draft and is in full conformance with This document is an Internet Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. all provisions of Section 10 of RFC 2026.
Internet Drafts are working documents of the Internet Engineering Internet Drafts are working documents of the Internet Engineering
skipping to change at page 2, line ? skipping to change at page 2, line ?
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
A revised version of this draft document will be submitted to the RFC A revised version of this draft document will be submitted to the RFC
editor as a Standards Track RFC for the Internet Community. editor as a Standards Track RFC for the Internet Community.
Discussion and suggestions for improvement are requested. Discussion and suggestions for improvement are requested.
Distribution of this draft is unlimited. Distribution of this draft is unlimited.
When published as an RFC this document will obsolete RFC 2222. When published as an RFC this document will obsolete RFC 2222.
Internet DRAFT SASL 31 March 2004 Internet DRAFT SASL 28 June 2004
Abstract Abstract
The Simple Authentication and Security Layer (SASL) is a framework The Simple Authentication and Security Layer (SASL) is a framework
for providing authentication and data security services in for providing authentication and data security services in
connection-based protocols. It also describes a structure for connection-oriented protocols via replaceable mechanisms. It
authentication mechanisms. The result is an abstraction layer provides structured interface between protocols and mechanisms. The
between protocols and authentication mechanisms such that any SASL- resulting framework allows new protocols to reuse existing mechanisms
compatible authentication mechanism can be used with any SASL- and allows old protocols to make use of new mechanisms. The
compatible protocol. framework also provides a protocol for securing subsequent protocol
exchanges within a data security layer.
This document describes how a SASL authentication mechanism is
structured, describes how a protocol adds support for SASL, defines
the protocol for carrying a security layer over a connection, and
defines the SASL EXTERNAL authentication mechanism.
1. Organization of this document
1.1. How to read this document
This document is written to serve several different audiences
o) protocol designers using this specification to support
authentication in their protocol
o) mechanism designers that define new SASL mechanisms
o) implementors of clients or servers for those protocols using this
specification.
The sections "Overview", "Authentication Mechanisms", "Protocol
Profile Requirements", "Specific Issues", and "Security
Considerations" cover issues that protocol designers need to
understand and address in profiling this specification for use in a
specific protocol.
The sections "Overview", "Authentication Mechanisms", "Mechanism
Profile Requirements", "Security Considerations" and "Registration
procedure" cover issues that mechanism designers need to understand
and address in designing new SASL mechanisms.
The sections "Overview", "Authentication Mechanisms", "Protocol
profile requirements", "Specific issues" and "Security
Considerations" cover issues that implementors of a protocol that
uses SASL framework need to understand. The implementors will also
need to understand a specification of a profile specific to the
protocol, as well as aspects of mechanism specifications they intend
to use (regardless of whether they are implementing the mechanisms
themselves or using an existing implementation) to understand, for
Internet DRAFT SASL 31 March 2004
instance, the mechanism specific authentication identity forms, the This document describes how a SASL mechanism is structured, describes
offered services, and security and other considerations. how protocols add support for SASL, and defines the protocol for
carrying a data security layer over a connection. Additionally, this
document defines one SASL mechanism, the EXTERNAL mechanism.
1.2. Conventions used in this document 1. Conventions used in this document
In examples, "C:" and "S:" indicate lines sent by the client and In examples, "C:" and "S:" indicate lines sent by the client and
server respectively. server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS]. use in RFCs to Indicate Requirement Levels" [KEYWORDS].
Character names in this document use the notation for code points and Character names in this document use the notation for code points and
names from the Unicode Standard [Unicode]. For example, the letter names from the Unicode Standard [Unicode]. For example, the letter
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
This document uses terms "integrity protection" and "confidentiality This document uses terms "integrity protection" and "confidentiality
protection". The former refers to a security layer designed to detect protection". The former refers to a security layer (see Section
unauthorized data modification. However, integrity protection "Introduction" below for the definition) designed to provide "data
doesn't make the data unreadable to an attacker. Confidentiality integrity service" as defined in [Sec-Glossary]. Confidentiality
protection is a security layer that is able to make the data protection is a security layer that provides "data confidentiality
unreadable to an attacker by using encryption. Confidentiality service" as defined in [Sec-Glossary]. The term "confidentiality
protection usually implies integrity protection. Security layers may protection" usually implies "integrity protection". Security layers
offer other kinds of security services. may offer other kinds of security services.
2. Overview 2. Introduction
The Simple Authentication and Security Layer (SASL) is a method for The Simple Authentication and Security Layer (SASL) is a framework
adding authentication support to connection-based protocols. for providing authentication and data security services in
connection-oriented protocols via replaceable mechanisms. SASL
provides a structured interface between protocols and mechanisms.
SASL also provides a protocol for securing subsequent protocol
exchanges within a data security layer.
The SASL specification has three layers, as indicated in the diagram Internet DRAFT SASL 28 June 2004
below. At the top, a protocol definition using SASL specifies a
profile, including a command for identifying and authenticating a
user to a server and for optionally negotiating a security layer for
subsequent protocol interactions. At the bottom, a SASL mechanism
definition specifies an authentication mechanism. The SASL
framework, specified by this document, constrains the behavior of
protocol profiles and mechanisms, separating protocol from mechanism
and defining how they interact.
SMTP Protocol LDAP Protocol Etc SASL design is intended to allow new protocols to reuse existing
mechanisms without requiring redesign of the mechanisms and allows
existing protocols to make use of new mechanisms without redesign of
protocols.
The SASL is conceptually a framework which provides a layer between
protocols and mechanisms, as illustrated in the following diagram.
SMTP Protocol LDAP Protocol Other Protocols
Profile Profile . . . Profile Profile . . .
\----- | -----/ \----- | -----/
\ | / \ | /
SASL framework SASL framework
/ | \ / | \
/----- | -----\ /----- | -----\
DIGEST-MD5 EXTERNAL Other Mechanisms
SASL mechanism SASL mechanism . . .
Internet DRAFT SASL 31 March 2004 It is through the interfaces of this layer that the framework allows
any protocol to be utilized with any mechanism. While the layer does
generally hide the particulars of protocols from mechanisms, the
layer does not generally hide the particulars of mechanisms from
protocols. For example, different mechanisms require different
information to operate, some of them use password based
authentication, other make use of Kerberos tickets, certificates,
etc. Also, in order to perform authorization step server
implementations have to implement mapping from a mechanism specific
authentication identity format to a protocol specific format.
EXTERNAL DIGEST-MD5 Etc It is noted that it is possible to design and implement this
SASL mechanism SASL mechanism . . . framework in ways which do abstract away particulars of similar
mechanisms. Such implementation could also be designed to be shared
by multiple implementations of various protocols.
This separation between the definition of protocols and the As illustrated above, the SASL framework interfaces with both
definition of authentication mechanisms is crucial. It permits an protocols and mechanisms.
authentication mechanism to be defined once, making it usable by any
SASL protocol profile. In many implementations, the same SASL To use SASL, a protocol includes a command for identifying and
mechanism code is used for multiple protocols. authenticating a user to a server and for optionally negotiating a
security layer for subsequent protocol interactions. If the use of a
security layer is negotiated, that security layer is inserted between
the protocol and the connection. Section 4 ("Protocol profile
requirements") profiles the requirements that a protocol
specification must fulfill to make use of SASL.
A SASL mechanism is a series of server challenges and client
responses specific to the mechanism. Each SASL mechanism are
Internet DRAFT SASL 28 June 2004
identity by a registered name. Section 5. ("Mechanism profile
guidelines") profiles the requirements that a mechanism specification
must fulfill to define a SASL mechanism.
This document is written to serve several different audiences:
o) protocol designers using this specification to support
authentication in their protocol
o) mechanism designers that define new SASL mechanisms
o) implementors of clients or servers for those protocols using this
specification.
The sections "Authentication Mechanisms", "Protocol Profile
Requirements", "Specific Issues", and "Security Considerations" cover
issues that protocol designers need to understand and address in
profiling this specification for use in a specific protocol.
The sections "Authentication Mechanisms", "Mechanism Profile
Requirements", "Security Considerations" and "Registration procedure"
cover issues that mechanism designers need to understand and address
in designing new SASL mechanisms.
The sections "Authentication Mechanisms", "Protocol profile
requirements", "Specific issues" and "Security Considerations" cover
issues that implementors of a protocol that uses SASL framework need
to understand. The implementors will also need to understand a
specification of a profile specific to the protocol, as well as
aspects of mechanism specifications they intend to use (regardless of
whether they are implementing the mechanisms themselves or using an
existing implementation) to understand, for instance, the mechanism
specific authentication identity forms, the offered services, and
security and other considerations.
3. Authentication mechanisms 3. Authentication mechanisms
SASL mechanisms are named by strings, from 1 to 20 characters in SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of ASCII [ASCII] upper-case letters, digits, length, consisting of ASCII [ASCII] upper-case letters, digits,
hyphens, and/or underscores. Names of SASL mechanisms or families of hyphens, and/or underscores. Names of SASL mechanisms or families of
mechanisms must be registered with the Internet Assigned Numbers mechanisms must be registered with the Internet Assigned Numbers
Authority (IANA) as described in section 8.2. Authority (IANA) as described in section 8.2.
The "sasl-mech" ABNF production below defines the syntax of a SASL The "sasl-mech" ABNF production below defines the syntax of a SASL
mechanism name. This uses the Augmented Backus-Naur Form (ABNF) mechanism name. This uses the Augmented Backus-Naur Form (ABNF)
notation as specified in [ABNF]. notation as specified in [ABNF].
Internet DRAFT SASL 28 June 2004
sasl-mech = 1*20mech-char sasl-mech = 1*20mech-char
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
; mech-char is restricted to "A"-"Z", "0"-"9", "-", ; mech-char is restricted to "A"-"Z", "0"-"9", "-",
; and "_" from ASCII character set. ; and "_" from ASCII character set.
UPPER-ALPHA = %x41-5A UPPER-ALPHA = %x41-5A
; "A"-"Z" ; "A"-"Z"
DIGIT = %x30-39 DIGIT = %x30-39
; "0"-"9" ; "0"-"9"
skipping to change at page 5, line 5 skipping to change at page 5, line 34
3.1. Authentication protocol exchange 3.1. Authentication protocol exchange
A SASL mechanism is responsible for conducting an authentication A SASL mechanism is responsible for conducting an authentication
protocol exchange. This consists of a series of server challenges protocol exchange. This consists of a series of server challenges
and client responses, the contents of which are specific to and and client responses, the contents of which are specific to and
defined by the mechanism. To the protocol, the challenges and defined by the mechanism. To the protocol, the challenges and
responses are opaque binary tokens of arbitrary length. The responses are opaque binary tokens of arbitrary length. The
protocol's profile then specifies how these binary tokens are then protocol's profile then specifies how these binary tokens are then
encoded for transfer over the connection. encoded for transfer over the connection.
Internet DRAFT SASL 31 March 2004
After receiving an authentication command or any client response, a After receiving an authentication command or any client response, a
server mechanism may issue a challenge, indicate failure, or indicate server mechanism may issue a challenge, indicate failure, or indicate
completion. The server mechanism may return additional data with a completion. The server mechanism may return additional data with a
completion indication. The protocol's profile specifies how each of completion indication. The protocol's profile specifies how each of
these is then represented over the connection. these is then represented over the connection.
After receiving a challenge, a client mechanism may issue a response After receiving a challenge, a client mechanism may issue a response
or abort the exchange. The protocol's profile specifies how each of or abort the exchange. The protocol's profile specifies how each of
these are then represented over the connection. these are then represented over the connection.
During the authentication protocol exchange, the mechanism performs During the authentication protocol exchange, the mechanism performs
authentication, transmits an authorization identity (frequently known authentication, transmits an authorization identity (frequently known
as a userid) from the client to server, and negotiates the use of a as a userid) from the client to server, and negotiates the use of a
mechanism-specific security layer. If the use of a security layer is mechanism-specific security layer. If the use of a security layer is
agreed upon, then the mechanism must also define or negotiate the agreed upon, then the mechanism must also define or negotiate the
maximum security layer buffer size that each side is able to receive. maximum security layer buffer size that each side is able to receive.
Internet DRAFT SASL 28 June 2004
3.2. Authorization and authentication identities 3.2. Authorization and authentication identities
SASL authentication deals with two identities: the authentication SASL authentication deals with two identities: the authentication
identity, derived from the client's authentication credentials; and identity, derived from the client's authentication credentials; and
the authorization identity, which is the result of SASL processing the authorization identity, which is the result of SASL processing
and is used by the server as the primary identity for making access and is used by the server as the primary identity for making access
policy decisions. policy decisions.
The processing model is as follows. A server, upon completion of the The processing model is as follows. A server, upon completion of the
authentication mechanism, uses the results produced by the authentication mechanism, uses the results produced by the
skipping to change at page 6, line 5 skipping to change at page 6, line 39
identity must be treated as if it always transmits an authorization identity must be treated as if it always transmits an authorization
identity of an empty string. identity of an empty string.
Any normalization of the authentication identity is defined by a Any normalization of the authentication identity is defined by a
particular SASL mechanism, the protocol profile doesn't influence it. particular SASL mechanism, the protocol profile doesn't influence it.
The mechanism MUST preserve Unicode codepoint when transferring The mechanism MUST preserve Unicode codepoint when transferring
authorization identity (e.g. the mechanism cann't apply any form of authorization identity (e.g. the mechanism cann't apply any form of
normalization). normalization).
Internet DRAFT SASL 31 March 2004
3.2.1. Authorization identities and proxy authentication 3.2.1. Authorization identities and proxy authentication
If the authorization identity transmitted during the authentication If the authorization identity transmitted during the authentication
protocol exchange is not the empty string, this is typically referred protocol exchange is not the empty string, this is typically referred
to as "proxy authentication". This feature permits agents such as to as "proxy authentication". This feature permits agents such as
proxy servers to authenticate using their own credentials, yet proxy servers to authenticate using their own credentials, yet
request the access privileges of the identity for which they are request the access privileges of the identity for which they are
proxying. proxying.
The server makes an implementation defined policy decision as to The server makes an implementation defined policy decision as to
whether the authentication identity is permitted to have the access whether the authentication identity is permitted to have the access
privileges of the authorization identity and whether the privileges of the authorization identity and whether the
authorization identity is permitted to receive service. If it is authorization identity is permitted to receive service. If it is
not, the server indicates failure of the authentication protocol not, the server indicates failure of the authentication protocol
exchange. exchange.
Internet DRAFT SASL 28 June 2004
As a client might not have the same information as the server, As a client might not have the same information as the server,
clients SHOULD NOT derive authorization identities from clients SHOULD NOT derive authorization identities from
authentication identities. Instead, clients SHOULD provide no (or authentication identities. Instead, clients SHOULD provide no (or
empty) authorization identity when the user has not provided an empty) authorization identity when the user has not provided an
authorization identity. authorization identity.
The server SHOULD verify that a received authorization identity is in The server SHOULD verify that a received authorization identity is in
the correct form. Protocol profiles whose authorization identities the correct form. Protocol profiles whose authorization identities
are simple user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep" are simple user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep"
profile [SASLprep] of the "stringprep" algorithm [StringPrep] to profile [SASLprep] of the "stringprep" algorithm [StringPrep] to
skipping to change at page 7, line 4 skipping to change at page 7, line 39
The character encoding scheme used for transmitting an authorization The character encoding scheme used for transmitting an authorization
identity over the protocol is specified in each authentication identity over the protocol is specified in each authentication
mechanism. All IETF-defined mechanisms MUST, and all other mechanism. All IETF-defined mechanisms MUST, and all other
mechanisms SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF mechanisms SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF
policy regarding character sets and encoding schemes.) policy regarding character sets and encoding schemes.)
Mechanisms are expected to be capable of carrying the entire Unicode Mechanisms are expected to be capable of carrying the entire Unicode
repertoire (with the exception of the NUL character). An repertoire (with the exception of the NUL character). An
authorization identity of the empty string and an absent authorization identity of the empty string and an absent
Internet DRAFT SASL 31 March 2004
authorization identity MUST be treated as equivalent. A mechanism authorization identity MUST be treated as equivalent. A mechanism
which provides an optional field for an authorization identity, which provides an optional field for an authorization identity,
SHOULD NOT allow that field, when present, to be empty. The meaning SHOULD NOT allow that field, when present, to be empty. The meaning
of the empty string as an authorization identity is described in the of the empty string as an authorization identity is described in the
previous section. previous section.
3.3. Security layers 3.3. Security layers
If use of a security layer is negotiated by the authentication If use of a security layer is negotiated by the authentication
protocol exchange, the security layer is applied to all subsequent protocol exchange, the security layer is applied to all subsequent
data sent over the connection (until another security layer is data sent over the connection (until another security layer is
negotiated; see also section 6.3). The security layer takes effect negotiated; see also section 6.3). The security layer takes effect
immediately following the last response of the authentication immediately following the last response of the authentication
exchange for data sent by the client and the completion indication exchange for data sent by the client and the completion indication
for data sent by the server. The exact position MUST be defined by for data sent by the server. The exact position MUST be defined by
the protocol profile (see section 4 part 5). the protocol profile (see section 4 part 5).
Internet DRAFT SASL 28 June 2004
Note that all SASL mechanisms that are unable to negotiate a security Note that all SASL mechanisms that are unable to negotiate a security
layer automatically select no security layer. layer automatically select no security layer.
Once the security layer is in effect the protocol stream is processed Once the security layer is in effect the protocol stream is processed
by the security layer into buffers of security encoded data. Each by the security layer into buffers of protected data. Each buffer of
buffer of security encoded data is transferred over the connection as protected data is transferred over the connection as a stream of
a stream of octets prepended with a four octet field in network byte octets prepended with a four octet field in network byte order that
order that represents the length of the following buffer. The length represents the length of the following buffer. The length of the
of the security encoded data buffer MUST be no larger than the protected data buffer MUST be no larger than the maximum size that
maximum size that was either defined in the mechanism specification was either defined in the mechanism specification or negotiated by
or negotiated by the other side during the authentication protocol the other side during the authentication protocol exchange. Upon the
exchange. Upon the receipt of a data buffer which is larger than the receipt of a data buffer which is larger than the defined/negotiated
defined/negotiated maximal buffer size the receiver SHOULD close the maximal buffer size the receiver SHOULD close the connection. This
connection. This might be a sign of an attack or a buggy might be a sign of an attack or a buggy implementation.
implementation.
4. Protocol profile requirements 4. Protocol profile requirements
In order to use this specification, a protocol definition MUST supply In order to use this specification, a protocol definition MUST supply
the following information: the following information:
1) A service name, to be selected from the IANA registry of "service" 1) A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form [GSSAPI]. This elements for the GSSAPI host-based service name form [GSSAPI]. This
service name is made available to the authentication mechanism. service name is made available to the authentication mechanism.
The registry is available at the URL The registry is available at the URL
<http://www.iana.org/assignments/gssapi-service-names>. <http://www.iana.org/assignments/gssapi-service-names>.
2) A definition of the command to initiate the authentication 2) A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the name of protocol exchange. This command must have as a parameter the name of
the mechanism being selected by the client. the mechanism being selected by the client.
Internet DRAFT SASL 31 March 2004
The command SHOULD have an optional parameter giving an initial The command SHOULD have an optional parameter giving an initial
response. If the protocol allows for the initial response, the response. If the protocol allows for the initial response, the
protocol profile SHOULD also describe how an empty initial response protocol profile SHOULD also describe how an empty initial response
is encoded. This optional parameter allows the client to avoid a is encoded. This optional parameter allows the client to avoid a
round trip when using a mechanism which is defined to have the client round trip when using a mechanism which is defined to have the client
send data first. When this initial response is sent by the client send data first. When this initial response is sent by the client
and the selected mechanism is defined to have the server start with and the selected mechanism is defined to have the server start with
an initial challenge, the command fails. See section 6.1 of this an initial challenge, the command fails. See section 6.1 of this
document for further information. document for further information.
3) A definition of the method by which the authentication protocol 3) A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and responses exchange is carried out, including how the challenges and responses
are encoded, how the server indicates completion or failure of the are encoded, how the server indicates completion or failure of the
exchange, how the client aborts an exchange, and how the exchange exchange, how the client aborts an exchange, and how the exchange
method interacts with any line length limits in the protocol. method interacts with any line length limits in the protocol.
The exchange method SHOULD allow the server to include an optional The exchange method SHOULD allow the server to include an optional
Internet DRAFT SASL 28 June 2004
data ("optional challenge") with a success notification. This allows data ("optional challenge") with a success notification. This allows
the server to avoid a round trip when using a mechanism which is the server to avoid a round trip when using a mechanism which is
defined to have the server send additional data along with the defined to have the server send additional data along with the
indication of successful completion. See section 6.2 of this indication of successful completion. Note that an additional data
document for further information. with success can't be empty. See section 6.2 of this document for
further information.
4) A protocol profile SHOULD specify a mechanism through which a 4) A protocol profile SHOULD specify a mechanism through which a
client may obtain the names of the SASL mechanisms available to it. client may obtain the names of the SASL mechanisms available to it.
This is typically done through the protocol's extensions or This is typically done through the protocol's extensions or
capabilities mechanism. capabilities mechanism.
5) Identification of the octet where any negotiated security layer 5) Identification of the octet where any negotiated security layer
starts to take effect, in both directions. starts to take effect, in both directions.
6) Specify if the protocol profile supports "multiple 6) Specify if the protocol profile supports "multiple
skipping to change at page 9, line 4 skipping to change at page 9, line 39
8) A protocol profile MAY further refine the definition of an 8) A protocol profile MAY further refine the definition of an
authorization identity by adding additional syntactic restrictions authorization identity by adding additional syntactic restrictions
and protocol-specific semantics. A protocol profile MUST specify the and protocol-specific semantics. A protocol profile MUST specify the
form of the authorization identity (since it is protocol specific, as form of the authorization identity (since it is protocol specific, as
opposed to the authentication identity, which is mechanism specific) opposed to the authentication identity, which is mechanism specific)
and how authorization identities are to be compared. Profiles whose and how authorization identities are to be compared. Profiles whose
authorization identities are simple user names (e.g. IMAP [RFC 3501]) authorization identities are simple user names (e.g. IMAP [RFC 3501])
SHOULD use "SASLprep" profile [SASLprep] of the "stringprep" SHOULD use "SASLprep" profile [SASLprep] of the "stringprep"
algorithm [StringPrep] to prepare these names for matching. The algorithm [StringPrep] to prepare these names for matching. The
Internet DRAFT SASL 31 March 2004
profiles MAY use a stringprep profile that is more strict than profiles MAY use a stringprep profile that is more strict than
SASLprep. SASLprep.
9) Where the application-layer protocol does not precisely state how
identities established through SASL relate to identities used
elsewhere (e.g., access controls) in the application-layer protocol,
it may be useful for the application-layer protocol to provide a
facility which the client may use to discover the identity used.
A protocol profile SHOULD NOT attempt to amend the definition of A protocol profile SHOULD NOT attempt to amend the definition of
mechanisms or make mechanism-specific encodings. This breaks the mechanisms or make mechanism-specific encodings. This breaks the
separation between protocol and mechanism that is fundamental to the separation between protocol and mechanism that is fundamental to the
design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral. design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral.
Internet DRAFT SASL 28 June 2004
5. Mechanism profile guidelines 5. Mechanism profile guidelines
Designers of new SASL mechanism should be aware of the following Designers of new SASL mechanism should be aware of the following
issues: issues:
1) Authorization identity 1) Authorization identity
While some legacy mechanisms are incapable of transmitting an While some legacy mechanisms are incapable of transmitting an
authorization identity (which means that for these mechanisms the authorization identity (which means that for these mechanisms the
authorization identity is always the empty string), newly defined authorization identity is always the empty string), newly defined
skipping to change at page 10, line 4 skipping to change at page 10, line 46
getting user input or retrieving a value from configuration) or on getting user input or retrieving a value from configuration) or on
the server end (upon receiving the value from the client, retrieving the server end (upon receiving the value from the client, retrieving
a value from its authentication database or generating a new value in a value from its authentication database or generating a new value in
order to store in in the authentication database). SASL mechanisms order to store in in the authentication database). SASL mechanisms
must define which entity (or entities) must perform the preparation. must define which entity (or entities) must perform the preparation.
If preparation fails or results in an empty string, the entity doing If preparation fails or results in an empty string, the entity doing
the preparation MUST fail the authentication exchange. the preparation MUST fail the authentication exchange.
Implementation note: A server end can be represented by multiple Implementation note: A server end can be represented by multiple
processes. For example, it may consist of the server process itself processes. For example, it may consist of the server process itself
Internet DRAFT SASL 31 March 2004
that communicated with a client, and a command line utility (a server that communicated with a client, and a command line utility (a server
agent) that is able to store passwords/hashes in a database that can agent) that is able to store passwords/hashes in a database that can
be later used by the server. For the server agent the requirement to be later used by the server. For the server agent the requirement to
"fail the authentication exchange" should be interpreted as a "fail the authentication exchange" should be interpreted as a
requirement to refuse to store the data in the database. requirement to refuse to store the data in the database.
3) If the underlying cryptographic technology used by a mechanism 3) If the underlying cryptographic technology used by a mechanism
supports data integrity than the mechanism specification MUST supports data integrity than the mechanism specification MUST
Internet DRAFT SASL 28 June 2004
integrity protect the transmission of an authorization identity and integrity protect the transmission of an authorization identity and
the negotiation of the security layer. the negotiation of the security layer.
4) <<The mechanism should not use the authorization identity in any 4) The mechanism should not use the authorization identity in
long-term cryptographic keys/hashes. For example, it would be wrong generation of any long-term cryptographic keys/hashes. The reason is
to change the digest-md5 spec to include the authz id in the a1 hash. that different protocols (and sometimes even different
implementations of the same protocol) may use multiple forms of an
authorization identity that are semantically equivalent and some
clients may use one form while other clients use a different form.
The reason is that there may be multiple forms of the authz id that 5) SASL mechanisms should be designed to minimize the number of round
compare the same and some clients may use one form while other trips required because SASL can be used with protocols where
clients use a different form.>> connections are short-lived.
6. Specific issues 6. Specific issues
6.1. Client sends data first 6.1. Client sends data first
Some mechanisms specify that the first data sent in the Some mechanisms specify that the first data sent in the
authentication protocol exchange is from the client to the server. authentication protocol exchange is from the client to the server.
If a protocol's profile permits the command which initiates an If a protocol's profile permits the command which initiates an
authentication protocol exchange to contain an initial client authentication protocol exchange to contain an initial client
skipping to change at page 11, line 4 skipping to change at page 11, line 48
challenge, indicates completion, or indicates failure.) challenge, indicates completion, or indicates failure.)
6.1.1. Client sends data first examples 6.1.1. Client sends data first examples
The following are two examples of an SECURID authentication [SASL- The following are two examples of an SECURID authentication [SASL-
SECURID] in the SMTP protocol [SMTP]. In the first example below, SECURID] in the SMTP protocol [SMTP]. In the first example below,
the client is trying fast reauthentication by sending the initial the client is trying fast reauthentication by sending the initial
response: response:
S: 220-smtp.example.com ESMTP Server S: 220-smtp.example.com ESMTP Server
Internet DRAFT SASL 31 March 2004
C: EHLO client.example.com C: EHLO client.example.com
S: 250-smtp.example.com Welcome client.example.com S: 250-smtp.example.com Welcome client.example.com
S: 250-AUTH GSSAPI SECURID S: 250-AUTH GSSAPI SECURID
S: 250 DSN S: 250 DSN
C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA= C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA=
S: 235 Authentication successful S: 235 Authentication successful
Internet DRAFT SASL 28 June 2004
The example below is almost identical to the previous, but here the The example below is almost identical to the previous, but here the
client chooses not to use the initial response parameter. client chooses not to use the initial response parameter.
S: 220-smtp.example.com ESMTP Server S: 220-smtp.example.com ESMTP Server
C: EHLO client.example.com C: EHLO client.example.com
S: 250-smtp.example.com Welcome client.example.com S: 250-smtp.example.com Welcome client.example.com
S: 250-AUTH GSSAPI SECURID S: 250-AUTH GSSAPI SECURID
S: 250 DSN S: 250 DSN
C: AUTH SECURID C: AUTH SECURID
S: 334 S: 334
skipping to change at page 12, line 4 skipping to change at page 12, line 47
Client implementors should be aware of an additional failure case Client implementors should be aware of an additional failure case
that might occur when the profile supports sending the additional that might occur when the profile supports sending the additional
data with success. Imagine that an active attacker is trying to data with success. Imagine that an active attacker is trying to
impersonate the server and sends faked data, which should be used to impersonate the server and sends faked data, which should be used to
authenticate the server to the client, with success. (A similar authenticate the server to the client, with success. (A similar
situation can happen when either the server and/or the client has a situation can happen when either the server and/or the client has a
bug and they calculate different responses.) After checking the data, bug and they calculate different responses.) After checking the data,
the client will think that the authentication exchange has failed, the client will think that the authentication exchange has failed,
however the server will think that the authentication exchange has however the server will think that the authentication exchange has
completed successfully. At this point the client can not abort the completed successfully. At this point the client can not abort the
Internet DRAFT SASL 31 March 2004
authentication exchange; it SHOULD close the connection instead. authentication exchange; it SHOULD close the connection instead.
However, if the profile did not support sending of additional data However, if the profile did not support sending of additional data
with success, the client could have aborted the exchange at the very with success, the client could have aborted the exchange at the very
last step of the authentication exchange. last step of the authentication exchange.
Internet DRAFT SASL 28 June 2004
6.2.1. Server returns success with additional data examples 6.2.1. Server returns success with additional data examples
The following are two examples of a DIGEST-MD5 authentication [SASL- The following are two examples of a DIGEST-MD5 authentication [SASL-
DIGEST] in the Extensible Messaging and Presence Protocol [XMPP]. In DIGEST] in the Extensible Messaging and Presence Protocol [XMPP]. In
the first example below, the server is sending mutual authentication the first example below, the server is sending mutual authentication
data with success. data with success.
C: <stream:stream C: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' xmlns:stream='http://etherx.jabber.org/streams'
skipping to change at page 13, line 4 skipping to change at page 13, line 49
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK YXJzZXQ9dXRmLTgK
</response> </response>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo= cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</success> </success>
The example below is almost identical to the previous, but here The example below is almost identical to the previous, but here
Internet DRAFT SASL 31 March 2004
the server chooses not to use the additional data with success. the server chooses not to use the additional data with success.
C: <stream:stream C: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' xmlns:stream='http://etherx.jabber.org/streams'
Internet DRAFT SASL 28 June 2004
to='example.com' to='example.com'
version='1.0'> version='1.0'>
S: <stream:stream S: <stream:stream
xmlns='jabber:client' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_234' id='c2s_234'
from='example.com' from='example.com'
version='1.0'> version='1.0'>
S: <stream:features> S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
skipping to change at page 14, line 4 skipping to change at page 14, line 50
6.3. Multiple authentications 6.3. Multiple authentications
Unless otherwise stated by the protocol's profile, only one Unless otherwise stated by the protocol's profile, only one
successful SASL negotiation may occur in a protocol session. In this successful SASL negotiation may occur in a protocol session. In this
case, once an authentication protocol exchange has successfully case, once an authentication protocol exchange has successfully
completed, further attempts to initiate an authentication protocol completed, further attempts to initiate an authentication protocol
exchange fail. exchange fail.
If a profile explicitly permits multiple successful SASL negotiations If a profile explicitly permits multiple successful SASL negotiations
to occur, then in no case may multiple security layers be to occur, then in no case may multiple security layers be
Internet DRAFT SASL 31 March 2004
simultaneously in effect. If a security layer is in effect and a simultaneously in effect. If a security layer is in effect and a
subsequent SASL negotiation selects a second security layer, then the subsequent SASL negotiation selects a second security layer, then the
second security layer replaces the first. If a security layer is in second security layer replaces the first. If a security layer is in
effect and a subsequent SASL negotiation selects no security layer, effect and a subsequent SASL negotiation selects no security layer,
the original security layer remains in effect. the original security layer remains in effect.
Internet DRAFT SASL 28 June 2004
Where a protocol profile permits multiple successful SASL Where a protocol profile permits multiple successful SASL
negotiations, the profile MUST detail the effect of a failed SASL negotiations, the profile MUST detail the effect of a failed SASL
negotiation upon the previously established authentication state. negotiation upon the previously established authentication state.
In particular, it MUST state whether the previously established In particular, it MUST state whether the previously established
authenticated state remain in force or whether the connection is to authenticated state remain in force or whether the connection is to
revert to an non-authenticated state. Regardless of the specified revert to an non-authenticated state. Regardless of the specified
effect upon authentication state, the previously negotiated security effect upon authentication state, the previously negotiated security
layer remains in effect. layer remains in effect.
7. The EXTERNAL mechanism 7. The EXTERNAL mechanism
The mechanism name associated with external authentication is The mechanism name associated with external authentication is
"EXTERNAL". "EXTERNAL".
The client sends an initial response with the UTF-8 encoding of the The client sends a single message containing the UTF-8 encoding of
authorization identity. The form of the authorization identity is the authorization identity. The message may be empty. The form of the
further restricted by the application-level protocol's SASL profile. authorization identity is further restricted by the application-level
protocol's SASL profile.
The server uses information, external to SASL, to determine whether The server uses information, external to SASL, to determine whether
the client is permitted to authenticate as the authorization the client is permitted to authenticate as the authorization
identity. If the client is so authorized, the server indicates identity. If the client is so authorized, the server indicates
successful completion of the authentication exchange; otherwise the successful completion of the authentication exchange; otherwise the
server indicates failure. server indicates failure.
The system providing this external information may be, for example, The system providing this external information may be, for example,
IPSec [IPSec] or TLS [TLS]. However, the client can make no IPSec [IPSec] or TLS [TLS]. However, the client can make no
assumptions as to what information the server can use in determining assumptions as to what information the server can use in determining
skipping to change at page 15, line 5 skipping to change at page 15, line 50
the authorization identity is to be derived from authentication the authorization identity is to be derived from authentication
credentials which exist in the system that is providing the external credentials which exist in the system that is providing the external
authentication. authentication.
7.1. Formal syntax 7.1. Formal syntax
The following syntax specification uses the augmented Backus-Naur The following syntax specification uses the augmented Backus-Naur
Form (BNF) notation as specified in [ABNF]. Non-terminals referenced Form (BNF) notation as specified in [ABNF]. Non-terminals referenced
but not defined below are as defined by [UTF-8]. but not defined below are as defined by [UTF-8].
Internet DRAFT SASL 31 March 2004 The "extern-resp" rule below defines the message sent from client to
server.
The "extern-init-resp" rule below defines the initial response sent extern-resp = *( UTF8-char-no-nul )
from client to server.
extern-init-resp = *( UTF8-char-no-nul ) Internet DRAFT SASL 28 June 2004
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
UTF8-1-no-nul = %x01-7F UTF8-1-no-nul = %x01-7F
7.2. Examples of SASL EXTERNAL 7.2. Examples of SASL EXTERNAL
The following is an example of an EXTERNAL authentication in the SMTP The following is an example of an EXTERNAL authentication in the SMTP
protocol [SMTP]. In this example, the client is proxy authenticating, protocol [SMTP]. In this example, the client is proxy authenticating,
sending the authorization identity "fred" using in the (optional) sending the authorization identity "fred" using in the (optional)
skipping to change at page 15, line 48 skipping to change at page 16, line 43
The following example is almost identical to the one above, but the The following example is almost identical to the one above, but the
client doesn't request proxy authentication. client doesn't request proxy authentication.
S: 220 smtp.example.com ESMTP server ready S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com C: EHLO jgm.example.com
S: 250-smtp.example.com S: 250-smtp.example.com
S: 250 AUTH DIGEST-MD5 EXTERNAL S: 250 AUTH DIGEST-MD5 EXTERNAL
C: AUTH EXTERNAL C: AUTH EXTERNAL
S: 235 Authentication successful. S: 235 Authentication successful.
8. IANA Considerations The following is an example of an EXTERNAL authentication in the
IMAP4 protocol [IMAP]. IMAP4 doesn't support the initial response
feature of SASL. As in the previous example, the client doesn't
request proxy authentication.
Internet DRAFT SASL 31 March 2004 S: * OK IMAP4rev1 Server
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=EXTERNAL
[...]
C: A01 AUTHENTICATE EXTERNAL
(note that there is a space following the "+" in the following line)
Internet DRAFT SASL 28 June 2004
S: +
C:
S: A01 OK Success
8. IANA Considerations
8.1. Guidelines for IANA 8.1. Guidelines for IANA
It is requested that IANA updates the SASL mechanisms registry as It is requested that IANA updates the SASL mechanisms registry as
follows: follows:
Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
registrations to OBSOLETE. Change the "Published specification" registrations to OBSOLETE. Change the "Published specification"
of the EXTERNAL mechanism to this document. Updated registration of the EXTERNAL mechanism to this document. Updated registration
information is provided in Section 8.6. information is provided in Section 8.6.
skipping to change at page 16, line 41 skipping to change at page 18, line 5
namespace. Each family of SASL mechanisms MUST be identified by a namespace. Each family of SASL mechanisms MUST be identified by a
prefix. prefix.
While the registration procedures do not require it, authors of SASL While the registration procedures do not require it, authors of SASL
mechanisms are encouraged to seek community review and comment mechanisms are encouraged to seek community review and comment
whenever that is feasible. Authors may seek community review by whenever that is feasible. Authors may seek community review by
posting a specification of their proposed mechanism as an Internet- posting a specification of their proposed mechanism as an Internet-
Draft. SASL mechanisms intended for widespread use should be Draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate. standardized through the normal IETF process, when appropriate.
Internet DRAFT SASL 28 June 2004
8.3. Comments on SASL mechanism registrations 8.3. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms should first be sent to the Comments on registered SASL mechanisms should first be sent to the
"owner" of the mechanism and/or to the SASL WG mailing list. "owner" of the mechanism and/or to the SASL WG mailing list.
Submitters of comments may, after a reasonable attempt to contact the Submitters of comments may, after a reasonable attempt to contact the
owner, request IANA to attach their comment to the SASL mechanism owner, request IANA to attach their comment to the SASL mechanism
registration itself. If IANA approves of this, the comment will be registration itself. If IANA approves of this, the comment will be
made accessible in conjunction with the SASL mechanism registration made accessible in conjunction with the SASL mechanism registration
itself. itself.
Internet DRAFT SASL 31 March 2004
8.4. Change control 8.4. Change control
Once a SASL mechanism registration has been published by IANA, the Once a SASL mechanism registration has been published by IANA, the
author may request a change to its definition. The change request author may request a change to its definition. The change request
follows the same procedure as the registration request. follows the same procedure as the registration request.
The owner of a SASL mechanism may pass responsibility for the SASL The owner of a SASL mechanism may pass responsibility for the SASL
mechanism to another person or agency by informing IANA; this can be mechanism to another person or agency by informing IANA; this can be
done without discussion or review. done without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most The IESG may reassign responsibility for a SASL mechanism. The most
common case of this will be to enable changes to be made to common case of this will be to enable changes to be made to
mechanisms where the author of the registration has died, moved out mechanisms where the author of the registration has died, moved out
of contact or is otherwise unable to make changes that are important of contact or is otherwise unable to make changes that are important
to the community. to the community.
SASL mechanism registrations may not be deleted; mechanisms which are SASL mechanism registrations may not be deleted; mechanisms which are
no longer believed appropriate for use can be declared OBSOLETE by a no longer believed appropriate for use can be declared OBSOLETE by a
change to their "intended use" field; such SASL mechanisms will be change to their "intended usage" field; such SASL mechanisms will be
clearly marked in the lists published by IANA. clearly marked in the lists published by IANA.
The IESG is considered to be the owner of all SASL mechanisms which The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track. are on the IETF standards track.
8.5. Registration template 8.5. Registration template
Subject: Registration of SASL mechanism X Subject: Registration of SASL mechanism X
Family of SASL mechanisms: (YES or NO) Family of SASL mechanisms: (YES or NO)
SASL mechanism name (or prefix for the family): SASL mechanism name (or prefix for the family):
Security considerations: Security considerations:
Published specification (optional, recommended): Published specification (optional, recommended):
Person & email address to contact for further information: Person & email address to contact for further information:
Internet DRAFT SASL 28 June 2004
Intended usage: Intended usage:
(One of COMMON, LIMITED USE or OBSOLETE) (One of COMMON, LIMITED USE or OBSOLETE)
Owner/Change controller: Owner/Change controller:
(Any other information that the author deems interesting may be (Any other information that the author deems interesting may be
added below this line.) added below this line.)
Internet DRAFT SASL 31 March 2004
8.6. The EXTERNAL mechanism registration 8.6. The EXTERNAL mechanism registration
It is requested that the SASL Mechanism registry [IANA-SASL] entry It is requested that the SASL Mechanism registry [IANA-SASL] entry
for the EXTERNAL mechanism be updated to reflect that this document for the EXTERNAL mechanism be updated to reflect that this document
now provides its technical specification. now provides its technical specification.
Subject: Updated Registration of SASL mechanism EXTERNAL Subject: Updated Registration of SASL mechanism EXTERNAL
Family of SASL mechanisms: NO Family of SASL mechanisms: NO
skipping to change at page 18, line 44 skipping to change at page 20, line 4
Security issues are discussed throughout this memo. Security issues are discussed throughout this memo.
When the client selects a security layer with at least integrity When the client selects a security layer with at least integrity
protection, this protects against an active attacker hijacking the protection, this protects against an active attacker hijacking the
connection and modifying the authentication exchange to negotiate a connection and modifying the authentication exchange to negotiate a
plaintext connection. plaintext connection.
When a server or client supports multiple authentication mechanisms, When a server or client supports multiple authentication mechanisms,
each of which has a different security strength, it is possible for each of which has a different security strength, it is possible for
an active attacker to cause a party to use the least secure mechanism an active attacker to cause a party to use the least secure mechanism
Internet DRAFT SASL 28 June 2004
supported. To protect against this sort of attack, a client or supported. To protect against this sort of attack, a client or
server which supports mechanisms of different strengths should have a server which supports mechanisms of different strengths should have a
configurable minimum strength that it will use. It is not sufficient configurable minimum strength that it will use. It is not sufficient
for this minimum strength check to only be on the server, since an for this minimum strength check to only be on the server, since an
active attacker can change which mechanisms the client sees as being active attacker can change which mechanisms the client sees as being
supported, causing the client to send authentication credentials for supported, causing the client to send authentication credentials for
its weakest supported mechanism. its weakest supported mechanism.
The client's selection of a SASL mechanism is done in the clear and The client's selection of a SASL mechanism is done in the clear and
may be modified by an active attacker. It is important for any new may be modified by an active attacker. It is important for any new
Internet DRAFT SASL 31 March 2004
SASL mechanisms to be designed such that an active attacker cannot SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses. the SASL mechanism name and/or the challenges and responses.
In order to detect Man-in-the-middle (MITM) attacks the client MAY In order to detect Man-in-the-middle (MITM) attacks the client MAY
list available SASL mechanisms both before and after the SASL list available SASL mechanisms both before and after the SASL
security layer is negotiated. This allows the client to detect security layer is negotiated. This allows the client to detect
active attacks that remove mechanisms from the server's list of active attacks that remove mechanisms from the server's list of
supported mechanisms, and allows the client to ensure that it is supported mechanisms, and allows the client to ensure that it is
using the best mechanism supported by both client and server. New using the best mechanism supported by both client and server. New
skipping to change at page 19, line 34 skipping to change at page 20, line 44
Any protocol interactions prior to authentication are performed in Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete. ignored or revalidated once authentication is complete.
When use of a security layer is negotiated by the authentication When use of a security layer is negotiated by the authentication
protocol exchange, the receiver should handle gracefully any security protocol exchange, the receiver should handle gracefully any
encoded data buffer larger than the defined/negotiated maximal size. protected data buffer larger than the defined/negotiated maximal
In particular, it must not blindly allocate the amount of memory size. In particular, it must not blindly allocate the amount of
specified in the buffer size field, as this might cause the "out of memory specified in the buffer size field, as this might cause the
memory" condition. If the receiver detects a large block, it SHOULD "out of memory" condition. If the receiver detects a large block, it
close the connection. SHOULD close the connection.
Distributed server implementations need to be careful in how they Distributed server implementations need to be careful in how they
trust other parties and, in particular, authentication secrets should trust other parties. In particular, authentication secrets should
only be disclosed to other parties that are trusted to manage and use only be disclosed to other parties that are trusted to manage and use
those secrets in manner acceptable to disclosing party. It should be those secrets in manner acceptable to disclosing party. Applications
noted that, where those secrets are used to provide data
confidentiality protections, if a third party (other than the
discloser/disclosee) has knowledge of some portion of the protected
information, it can use this knowledge in an attack upon other
portions of the protected information.
<<Section 6.3.1 contains a description of a potential class of attack Internet DRAFT SASL 28 June 2004
on a distributed server implementation. The section also gives some
recommendations about mitigating such attacks.>>
Internet DRAFT SASL 31 March 2004 using SASL assume that SASL security layers providing data
confidentiality are secure even when an attacker chooses the text to
be protected by the security layer. Similarly applications assume
that the SASL security layer is secure even if the attacker can
manipulate the ciphertext output of the security layer. New SASL
mechanisms MUST meet these assumptions.
"stringprep" and Unicode security considerations apply to "stringprep" and Unicode security considerations apply to
authentication identities, authorization identities and passwords. authentication identities, authorization identities and passwords.
The EXTERNAL mechanism provides no security protection; it is The EXTERNAL mechanism provides no security protection; it is
vulnerable to spoofing by either client or server, active attack, and vulnerable to spoofing by either client or server, active attack, and
eavesdropping. It should only be used when external security eavesdropping. It should only be used when external security
mechanisms are present and have sufficient strength. mechanisms are present and have sufficient strength.
10. References 10. References
skipping to change at page 20, line 49 skipping to change at page 22, line 5
"Unicode Standard Annex #27: Unicode 3.1" "Unicode Standard Annex #27: Unicode 3.1"
(http://www.unicode.org/reports/tr27/) and by the "Unicode Standard (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard
Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).
[Stringprep] Hoffman, P., Blanchet, M., "Preparation of [Stringprep] Hoffman, P., Blanchet, M., "Preparation of
Internationalized Strings ("stringprep")", RFC 3454, December 2002. Internationalized Strings ("stringprep")", RFC 3454, December 2002.
[SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names [SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names
and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt. and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.
Internet DRAFT SASL 28 June 2004
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
RFC 3629, STD 63, November 2003. RFC 3629, STD 63, November 2003.
Internet DRAFT SASL 31 March 2004
10.2. Informative References 10.2. Informative References
[SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in
progress, draft-ietf-sasl-gssapi-XX.txt, November 2003 progress, draft-ietf-sasl-gssapi-XX.txt, November 2003
[SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest
Authentication as a SASL Mechanism", work in progress, draft-ietf- Authentication as a SASL Mechanism", work in progress, draft-ietf-
sasl-rfc2831bis-XX.txt, replaces RFC 2831 sasl-rfc2831bis-XX.txt, replaces RFC 2831
[SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
skipping to change at page 22, line 5 skipping to change at page 22, line 53
[IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms. MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms.
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999. 2246, January 1999.
[IPSec] Kent, S., and R. Atkinson, "Security Architecture for the [IPSec] Kent, S., and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998. Internet Protocol", RFC 2401, November 1998.
Internet DRAFT SASL 31 March 2004 [Sec-Glossary] Shirey, R., "Internet Security Glossary", RFC 2828,
Internet DRAFT SASL 28 June 2004
May 2000.
11. Editor's Address 11. Editor's Address
Alexey Melnikov Alexey Melnikov
Isode Limited Isode Limited
5 Castle Business Village 5 Castle Business Village
36 Station Road 36 Station Road
Hampton, Middlesex, Hampton, Middlesex,
TW12 2BX, United Kingdom TW12 2BX, United Kingdom
Email: Alexey.Melnikov@isode.com Email: Alexey.Melnikov@isode.com
URI: http://www.melnikov.ca/ URI: http://www.melnikov.ca/
12. Acknowledgments 12. Acknowledgments
This document is a revision of RFC 2222 written by John G. Myers. He This document is a revision of RFC 2222 written by John G. Myers. He
also contributed significantly to this revision. also contributed significantly to this revision.
<<The multiple authentication attack described in Section 6.3 was
originally described by Magnus Nystrom.>>
Contributions of many members of the SASL mailing list are gratefully Contributions of many members of the SASL mailing list are gratefully
acknowledged, in particular Kurt Zeilenga, Peter Saint-Andre, Rob acknowledged, in particular Kurt Zeilenga, Peter Saint-Andre, Rob
Siemborski, Jeffrey Hutzelman, Hallvard B Furuseth, Tony Hansen, Siemborski, Magnus Nystrom, Jeffrey Hutzelman, Hallvard B Furuseth,
Simon Josefsson, Abhijit Menon-Sen, RL 'Bob' Morgan and Tim Alsop for Tony Hansen, Simon Josefsson, Abhijit Menon-Sen, RL 'Bob' Morgan, Sam
proofreading the document and various editorial suggestions. Hartman, Tim Alsop and Luke Howard for proofreading the document and
various editorial suggestions.
13. Full Copyright Statement 13. Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
English. English.
Internet DRAFT SASL 28 June 2004
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
Internet DRAFT SASL 31 March 2004 This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
This document and the information contained herein is provided on an OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
14. Intellectual Property 14. Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
skipping to change at page 23, line 51 skipping to change at page 25, line 5
ipr@ietf.org. ipr@ietf.org.
Appendix A. Relation of SASL to transport security Appendix A. Relation of SASL to transport security
Questions have been raised about the relationship between SASL and Questions have been raised about the relationship between SASL and
various services (such as IPsec and TLS) which provide a secured various services (such as IPsec and TLS) which provide a secured
connection. connection.
Two of the key features of SASL are: Two of the key features of SASL are:
Internet DRAFT SASL 28 June 2004
The separation of the authorization identity from the identity in The separation of the authorization identity from the identity in
the client's credentials. This permits agents such as proxy the client's credentials. This permits agents such as proxy
servers to authenticate using their own credentials, yet request servers to authenticate using their own credentials, yet request
the access privileges of the identity for which they are proxying. the access privileges of the identity for which they are proxying.
Internet DRAFT SASL 31 March 2004
Upon successful completion of an authentication exchange, the Upon successful completion of an authentication exchange, the
server knows the authorization identity the client wishes to use. server knows the authorization identity the client wishes to use.
This allows servers to move to a "user is authenticated" state in This allows servers to move to a "user is authenticated" state in
the protocol. the protocol.
These features are extremely important to some application protocols, These features are extremely important to some application protocols,
yet Transport Security services do not always provide them. To yet Transport Security services do not always provide them. To
define SASL mechanisms based on these services would be a very messy define SASL mechanisms based on these services would be a very messy
task, as the framing of these services would be redundant with the task, as the framing of these services would be redundant with the
framing of SASL and some method of providing these important SASL framing of SASL and some method of providing these important SASL
skipping to change at page 24, line 50 skipping to change at page 26, line 4
(GSSAPI mechanism), 7.3 (S/Key mechanism). The Kerberos version 4 (GSSAPI mechanism), 7.3 (S/Key mechanism). The Kerberos version 4
(KERBEROS_IV) and S/Key (SKEY) mechanisms are now viewed as obsolete. (KERBEROS_IV) and S/Key (SKEY) mechanisms are now viewed as obsolete.
The GSSAPI mechanism is now separately specified [SASL-GSSAPI]. The GSSAPI mechanism is now separately specified [SASL-GSSAPI].
Appendix C. Changes since RFC 2222 Appendix C. Changes since RFC 2222
The GSSAPI mechanism was removed. It is now specified in a separate The GSSAPI mechanism was removed. It is now specified in a separate
document [SASL-GSSAPI]. document [SASL-GSSAPI].
The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has
Internet DRAFT SASL 28 June 2004
been removed. been removed.
The "SKEY" mechanism described in RFC 2222 is obsolete and has been The "SKEY" mechanism described in RFC 2222 is obsolete and has been
removed. It has been replaced by the OTP mechanism [SASL-OTP]. removed. It has been replaced by the OTP mechanism [SASL-OTP].
Internet DRAFT SASL 31 March 2004 The introduction has been substantially reorganized and clarified.
The overview has been substantially reorganized and clarified.
Clarified the definition and semantics of the authorization identity. Clarified the definition and semantics of the authorization identity.
Prohibited the NUL character in authorization identities. Prohibited the NUL character in authorization identities.
Added a section on character string issues. Added a section on character string issues.
The word "must" in the first paragraph of the "Protocol profile The word "must" in the first paragraph of the "Protocol profile
requirements" section was changed to "MUST". requirements" section was changed to "MUST".
skipping to change at page 25, line 50 skipping to change at page 27, line 4
Added a security consideration for the EXTERNAL mechanism. Added a security consideration for the EXTERNAL mechanism.
Clarified sections concerning success with additional data. Clarified sections concerning success with additional data.
Cleaned up IANA considerations/registrations and assembled them in Cleaned up IANA considerations/registrations and assembled them in
one place. one place.
Updated references and split them into Informative and Normative. Updated references and split them into Informative and Normative.
Added text to the Security Considerations section regarding handling Added text to the Security Considerations section regarding handling
Internet DRAFT SASL 28 June 2004
of extremely large SASL blocks. of extremely large SASL blocks.
Replaced UTF-8 ABNF with the reference to the UTF-8 document. Replaced UTF-8 ABNF with the reference to the UTF-8 document.
Added text about SASLprep for authentication identities and Added text about SASLprep for authentication identities and
Internet DRAFT SASL 31 March 2004
passwords. Described where SASLprep preparation should take place. passwords. Described where SASLprep preparation should take place.
Added paragraph about verifying authorization identities. Added paragraph about verifying authorization identities.
Added a protocol profile requirement to specify interaction between Added a protocol profile requirement to specify interaction between
SASL and TLS security layers. SASL and TLS security layers.
Added a protocol profile requirement to specify if it supports Added a protocol profile requirement to specify if it supports
reauthentication. reauthentication.
skipping to change at page 26, line 46 skipping to change at page 27, line 51
protection". protection".
Added warning about negotiating no layer once a security layer is Added warning about negotiating no layer once a security layer is
negotiated. negotiated.
Added new section with guidelines to a SASL mechanism designer. Added new section with guidelines to a SASL mechanism designer.
Added a requirement to specify how an empty initial challenge is Added a requirement to specify how an empty initial challenge is
encoded if initial response is supported by a protocol. encoded if initial response is supported by a protocol.
Appendix D. ToDo Clarified that empty "additional data with success" is not allowed.
This section will be deleted before publication.
1) Clean up definition of different terms like integrity protection
and check if RFC 2828 (Security Glossary) can be used.
2) Kurt is going to do a new description of what SASL is.
Internet DRAFT SASL 31 March 2004
3) Sam is going to propose new text that replaces "multiple Replaced "buffers of security encoded data" with "buffers of
authentication" attack. protected data" for clarity.
4) Reorganize sections 1 & 2 as per recent Kurt suggestion (as Internet DRAFT SASL 28 June 2004
modified by Alexey).
5) Clarify empty versa missing "additional data with success". Clarified that SASL EXTERNAL can be used even with SASL profiles that
don't support initial data with success.
Internet DRAFT SASL 31 March 2004 Internet DRAFT SASL 28 June 2004
Status of this Memo .......................................... i Status of this Memo .......................................... i
Abstract ..................................................... 2 Abstract ..................................................... 2
1. Organization of this document .......................... 2 1. Conventions used in this document ........................ 2
1.1. How to read this document .............................. 2 2. Introduction ........................................... 2
1.2. Conventions used in this document ...................... 3
2. Overview ............................................... 3
3. Authentication mechanisms .............................. 4 3. Authentication mechanisms .............................. 4
3.1. Authentication protocol exchange ....................... 4 3.1. Authentication protocol exchange ....................... 5
3.2. Authorization and authentication identities ............ 5 3.2. Authorization and authentication identities ............ 6
3.2.1. Authorization identities and proxy authentication .... 6 3.2.1. Authorization identities and proxy authentication .... 6
3.2.2. Authorization Identity Format ........................ 6 3.2.2. Authorization Identity Format ........................ 7
3.3. Security layers ........................................ 7 3.3. Security layers ........................................ 7
4. Protocol profile requirements .......................... 7 4. Protocol profile requirements .......................... 8
5. Mechanism profile guidelines ........................... 9 5. Mechanism profile guidelines .......................... 10
6. Specific issues ....................................... 10 6. Specific issues ....................................... 11
6.1. Client sends data first ............................... 10 6.1. Client sends data first ............................... 11
6.1.1. Client sends data first examples .................... 10 6.1.1. Client sends data first examples .................... 11
6.2. Server returns success with additional data ........... 11 6.2. Server returns success with additional data ........... 12
6.2.1. Server returns success with additional data examples 12 6.2.1. Server returns success with additional data examples 13
6.3. Multiple authentications .............................. 13 6.3. Multiple authentications .............................. 14
7. The EXTERNAL mechanism ................................ 14 7. The EXTERNAL mechanism ................................ 15
7.1. Formal syntax ......................................... 14 7.1. Formal syntax ......................................... 15
7.2. Examples of SASL EXTERNAL ............................. 15 7.2. Examples of SASL EXTERNAL ............................. 16
8. IANA Considerations ................................... 15 8. IANA Considerations ................................... 17
8.1. Guidelines for IANA ................................... 16 8.1. Guidelines for IANA ................................... 17
8.2. Registration procedure ................................ 16 8.2. Registration procedure ................................ 17
8.3. Comments on SASL mechanism registrations .............. 16 8.3. Comments on SASL mechanism registrations .............. 18
8.4. Change control ........................................ 17 8.4. Change control ........................................ 18
8.5. Registration template ................................. 17 8.5. Registration template ................................. 18
8.6. The EXTERNAL mechanism registration ................... 18 8.6. The EXTERNAL mechanism registration ................... 19
9. Security considerations ................................ 18 9. Security considerations ................................ 19
10. References ........................................... 20 10. References ........................................... 21
10.1. Normative References ................................. 20 10.1. Normative References ................................. 21
10.2. Informative References ............................... 21 10.2. Informative References ............................... 22
11. Editor's Address ...................................... 22 11. Editor's Address ...................................... 23
12. Acknowledgments ....................................... 22 12. Acknowledgments ....................................... 23
13. Full Copyright Statement .............................. 22 13. Full Copyright Statement .............................. 23
14. Intellectual Property ................................. 23 14. Intellectual Property ................................. 24
Appendix A. Relation of SASL to transport security .......... 23 Appendix A. Relation of SASL to transport security .......... 24
Appendix B. Relationship to other documents ................. 24 Appendix B. Relationship to other documents ................. 25
Appendix C. Changes since RFC 2222 .......................... 24 Appendix C. Changes since RFC 2222 .......................... 25
Appendix D. ToDo ............................................ 26
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/