draft-ietf-sasl-rfc2222bis-10.txt   draft-ietf-sasl-rfc2222bis-11.txt 
Network Working Group A. Melnikov INTERNET-DRAFT A. Melnikov, Ed.
Internet Draft Editor Intended Category: Standards Track ISODE Limited
Document: draft-ietf-sasl-rfc2222bis-10.txt February 2005 Expires in six months K. Zeilenga, Ed.
Obsoletes: RFC 2222 Expires in six months Obsoletes: RFC 2222 OpenLDAP Project
1 June 2005
Simple Authentication and Security Layer (SASL) Simple Authentication and Security Layer (SASL)
<draft-ietf-sasl-rfc2222bis-11.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I accept the provisions of Section
patent or other IPR claims of which I am aware have been disclosed, 3 of BCP 78. By submitting this Internet-Draft, each author
and any of which I become aware will be disclosed, in accordance with represents that any applicable patent or other IPR claims of which he
RFC 3668. or she is aware have been or will be disclosed, and any of which he or
she becomes aware will be disclosed, in accordance with Section 6 of
BCP 79.
Internet Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering Task
Task Force (IETF), its Areas, and its Working Groups. Note that Force (IETF), its areas, and its working groups. Note that other
other groups may also distribute working documents as Internet groups may also distribute working documents as Internet-Drafts.
Drafts. Internet Drafts are draft documents valid for a maximum of
six months. Internet Drafts may be updated, replaced, or obsoleted Internet-Drafts are draft documents valid for a maximum of six months
by other documents at any time. It is not appropriate to use and may be updated, replaced, or obsoleted by other documents at any
Internet Drafts as reference material or to cite them other than as time. It is inappropriate to use Internet-Drafts as reference material
``work in progress''. or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html
A revised version of this draft document will be submitted to the RFC
editor as a Standards Track RFC for the Internet Community.
Discussion and suggestions for improvement are requested.
Distribution of this draft is unlimited.
When published as an RFC this document will obsolete RFC 2222. Copyright (C) The Internet Society (2005). All Rights Reserved.
Internet DRAFT SASL 16 February 2005 Please see the Full Copyright section near the end of this document
for more information.
Abstract Abstract
The Simple Authentication and Security Layer (SASL) is a framework The Simple Authentication and Security Layer (SASL) is a framework for
for providing authentication and data security services in providing authentication and data security services in
connection-oriented protocols via replaceable mechanisms. It provides connection-oriented protocols via replaceable mechanisms. It provides
a structured interface between protocols and mechanisms. The a structured interface between protocols and mechanisms. The
resulting framework allows new protocols to reuse existing mechanisms resulting framework allows new protocols to reuse existing mechanisms
and allows old protocols to make use of new mechanisms. The and allows old protocols to make use of new mechanisms. The framework
framework also provides a protocol for securing subsequent protocol also provides a protocol for securing subsequent protocol exchanges
exchanges within a data security layer. within a data security layer.
This document describes how a SASL mechanism is structured, describes This document describes how a SASL mechanism is structured, describes
how protocols add support for SASL, and defines the protocol for how protocols include support for SASL, and defines the protocol for
carrying a data security layer over a connection. Additionally, this carrying a data security layer over a connection. Additionally, this
document defines one SASL mechanism, the EXTERNAL mechanism. document defines one SASL mechanism, the EXTERNAL mechanism.
1. Conventions used in this document This document obsoletes RFC 2222.
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" Table of Contents
in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS].
Character names in this document use the notation for code points and [[Page numbers to be filled in by RFC-Editor]]
names from the Unicode Standard [Unicode]. For example, the letter
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
This document uses terms "integrity protection" and "confidentiality Status of this Memo
protection". The former refers to a security layer (see Section Abstract
"Introduction" below for the definition) designed to provide "data 1. Introduction
integrity service" as defined in [Sec-Glossary]. Confidentiality 1.1. Document Audiences
protection is a security layer that provides "data confidentiality 1.2. Relationship to Other Documents
service" as defined in [Sec-Glossary]. The term "confidentiality 1.3. Conventions
protection" implies "integrity protection". Security layers may offer 2. Identity Concepts
other kinds of security services, for example re-keying, truncation 3. The Authentication Exchange
detection, as well as other services, e.g. compression. 3.1. Mechanism Naming
3.2. Mechanism Negotiation
3.3. Request Authentication Exchange
3.4. Challenges and Responses
3.4.1. Authorization Identity String
3.5. Aborting Authentication Exchanges
3.6. Authentication Outcome
3.7. Security Layers
3.8. Multiple Authentications
4. Protocol Requirements
5. Mechanism Requirements
6. Security Considerations
6.1. Active Attacks
6.1.1. Man-in-the-middle Attacks
6.1.2. Replay Attacks
6.1.3. Truncation Attacks
6.2. Passive Attacks
6.3. Re-keying
6.4. Other considerations
7. IANA Considerations
8. References
9. Editors' Address
10. Acknowledgments
A. The SASL EXTERNAL Mechanism
B. Changes since RFC 2222
2. Introduction 1. Introduction
The Simple Authentication and Security Layer (SASL) is a framework The Simple Authentication and Security Layer (SASL) is a framework for
for providing authentication and data security services in providing authentication and data security services in
connection-oriented protocols via replaceable mechanisms. SASL connection-oriented protocols via replaceable mechanisms. SASL
provides a structured interface between protocols and mechanisms. provides a structured interface between protocols and mechanisms.
SASL also provides a protocol for securing subsequent protocol SASL also provides a protocol for securing subsequent protocol
exchanges within a data security layer. The data security layer can
Internet DRAFT SASL 16 February 2005 provide data integrity, data confidentiality, and other services.
exchanges within a data security layer.
SASL's design is intended to allow new protocols to reuse existing SASL's design is intended to allow new protocols to reuse existing
mechanisms without requiring redesign of the mechanisms and allows mechanisms without requiring redesign of the mechanisms and allows
existing protocols to make use of new mechanisms without redesign of existing protocols to make use of new mechanisms without redesign of
protocols. protocols.
The SASL is conceptually a framework which provides a layer between SASL is conceptually a framework which provides an abstraction layer
protocols and mechanisms, as illustrated in the following diagram. between protocols and mechanisms as illustrated in the following
diagram.
SMTP Protocol LDAP Protocol Other Protocols SMTP LDAP XMPP Other protocols ...
Profile Profile . . . \ | | /
\----- | -----/ \ | | /
\ | / SASL abstraction layer
SASL framework / | | \
/ | \ / | | \
/----- | -----\ EXTERNAL GSSAPI PLAIN Other mechanisms ...
DIGEST-MD5 EXTERNAL Other Mechanisms
SASL mechanism SASL mechanism . . .
It is through the interfaces of this layer that the framework allows It is through the interfaces of this abstraction layer that the
any protocol to be utilized with any mechanism. While the layer does framework allows any protocol to utilize any mechanism. While this
generally hide the particulars of protocols from mechanisms and the layer does generally hide the particulars of protocols from mechanisms
particulars of mechanisms from protocols, the layer does not and the particulars of mechanisms from protocols, this layer does not
generally hide the particulars of mechanisms from protocol generally hide the particulars of mechanisms from protocol
implementations. For example, different mechanisms require different implementations. For example, different mechanisms require different
information to operate, some of them use password based information to operate, some of them use password-based
authentication, some of then require realm information, others make authentication, some of then require realm information, others make
use of Kerberos tickets, certificates, etc. Also, in order to use of Kerberos tickets, certificates, etc.. Also, in order to
perform authorization, server implementations have to implement a perform authorization, server implementations generally have to
mapping from a mechanism-specific authentication identity format to a implement identity mapping between authentication identities, whose
protocol-specific format. form is mechanism-specific, and authorization identities, whose form
is application protocol specific. Section 2 discusses identity
concepts.
It is possible to design and implement this framework in ways which It is possible to design and implement this framework in ways which do
do abstract away particulars of similar mechanisms. Such abstract away particulars of similar mechanisms. Such a framework
implementation could also be designed to be shared by multiple implementation, as well as mechanisms implementations, could be
implementations of various protocols. designed not only to be shared by multiple implementations of a
particular protocol, but be shared by implementations of multiple
protocols.
As illustrated above, the SASL framework interfaces with both The framework incorporates interfaces with both protocols and
protocols and mechanisms. mechanisms in which authentication exchanges are carried out. Section
3 discusses SASL authentication exchanges.
To use SASL, a protocol includes a command for identifying and To use SASL, each protocol (amongst other items) provides a method for
authenticating a user to a server and for optionally negotiating a identifying which mechanism is to be used, provides a method for
security layer for subsequent protocol interactions. If the use of a exchange of mechanism-specific server-challenges and client-responses,
security layer is negotiated, that security layer is inserted between and a method for communicating the outcome of the authentication
the protocol and the connection. Section 4 ("Protocol profile exchange. Section 4 discusses SASL protocol requirements.
requirements") profiles the requirements that a protocol
Internet DRAFT SASL 16 February 2005 Each SASL mechanism defines (amongst other items) a series of server
challenges and client responses which provide authentication services
and negotiate data security services. Section 5 discusses SASL
mechanism requirements.
specification must fulfill to make use of SASL. A SASL protocol Section 6 discusses security considerations. Section 7 discusses IANA
profile is a part of the protocol specification that satisfies the considerations. Appendix A defines the SASL EXTERNAL mechanism.
requirements of Section 4.
A SASL mechanism is a series of server challenges and client 1.1. Document Audiences
responses specific to the mechanism. Each SASL mechanism is
identified by a registered name. Section 5 ("Mechanism profile
guidelines") profiles the requirements that a mechanism specification
must fulfill to define a SASL mechanism.
This document is written to serve several different audiences: This document is written to serve several different audiences:
- protocol designers using this specification to support - protocol designers using this specification to support
authentication in their protocol, authentication in their protocol,
- mechanism designers that define new SASL mechanisms, and - mechanism designers that define new SASL mechanisms, and
- implementors of clients or servers for those protocols using this - implementors of clients or servers for those protocols which
specification. support SASL.
The sections "Authentication mechanisms", "Protocol profile
requirements", "Specific issues", and "Security considerations" cover
issues that protocol designers need to understand and address in
profiling this specification for use in a specific protocol.
The sections "Authentication mechanisms", "Mechanism profile
guidelines", "Security considerations" and "Registration procedure"
cover issues that mechanism designers need to understand and address
in designing new SASL mechanisms.
The sections "Authentication mechanisms", "Protocol profile While the document organization is intended to allow readers to focus
requirements", "Specific issues" and "Security considerations" cover on details relevant to their engineering, readers are encouraged to
issues that implementors of a protocol that uses SASL framework need read and understand all aspects of this document.
to understand. The implementors will also need to understand a
specification of a SASL profile specific to the protocol, as well as
aspects of mechanism specifications they intend to use (regardless of
whether they are implementing the mechanisms themselves or using an
existing implementation) to understand, for instance, the mechanism-
specific authentication identity forms, the offered services, and
security and other considerations.
2.1. Relationship to other documents 1.2. Relationship to other documents
This document obsoletes RFC 2222. It replaces all portions of RFC This document obsoletes RFC 2222. It replaces all portions of RFC
2222 excepting sections 7.1 (Kerberos version 4 mechanism), 7.2 2222 excepting sections 7.1 (the KERBEROS_IV mechanism), 7.2 (the
(GSSAPI mechanism), 7.3 (S/Key mechanism). The Kerberos version 4 GSSAPI mechanism), 7.3 (the SKEY mechanism). The KERBEROS_IV and SKEY
(KERBEROS_IV) and S/Key (SKEY) mechanisms are now viewed as obsolete. mechanisms are now viewed as obsolete and their specifications
The GSSAPI mechanism is now separately specified [SASL-GSSAPI]. provided in RFC 2222 are Historic. The GSSAPI mechanism is now
separately specified [SASL-GSSAPI].
Internet DRAFT SASL 16 February 2005
3. Authentication mechanisms
SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of ASCII [ASCII] upper-case letters, digits,
hyphens, and/or underscores. Names of SASL mechanisms or families of
mechanisms must be registered with the Internet Assigned Numbers
Authority (IANA) as described in section 8.2.
The "sasl-mech" ABNF production below defines the syntax of a SASL
mechanism name. This uses the Augmented Backus-Naur Form (ABNF)
notation as specified in [ABNF].
sasl-mech = 1*20mech-char
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
; mech-char is restricted to "A"-"Z", "0"-"9", "-",
; and "_" from ASCII character set.
UPPER-ALPHA = %x41-5A
; "A"-"Z"
DIGIT = %x30-39
; "0"-"9"
HYPHEN = %x2D
; "-"
UNDERSCORE = %x5F
; "_"
3.1. Authentication Exchange Appendix B provides a summary of changes since RFC 2222.
A SASL mechanism is responsible for conducting an authentication 1.3. Conventions
exchange. This consists of a series of server challenges and client
responses, the contents of which are specific to and defined by the
mechanism. To the application protocol, the challenges and responses
are opaque binary tokens of arbitrary length (including 0-length).
The protocol's profile then specifies how these binary tokens are
encoded for transfer over the connection.
After receiving an authentication command or any client response, a The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
server mechanism may issue a challenge, indicate failure, or indicate "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
completion. The server mechanism may return additional data with a document are to be interpreted as described in BCP 14 [RFC2119].
completion indication. The protocol's profile specifies how each of
these is then represented over the connection.
After receiving a challenge, a client mechanism may issue a response Character names in this document use the notation for code points and
or abort the exchange. The protocol's profile specifies how each of names from the Unicode Standard [Unicode]. For example, the letter
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
Internet DRAFT SASL 16 February 2005 Note: a glossary of terms used in Unicode can be found in [Glossary].
Information on the Unicode character encoding model can be found in
[CharModel].
these are then represented over the connection. In examples, "C:" and "S:" indicate lines of data to be sent by the
client and server respectively. Lines have been wrapped for improved
readability.
During the authentication exchange, the mechanism performs 2. Identity Concepts
authentication, transmits an authorization identity (sometimes known
as a username) from the client to server, and may negotiate the use
of a mechanism-specific security layer. If the use of a security
layer is agreed upon, then the mechanism must also define or
negotiate the maximum security layer buffer size that each side is
able to receive.
3.2. Identity Concepts In practice, authentication and authorization may involve multiple
identities, possibly in different forms (simple username, Kerberos
principal, X.500 Distinguished Name, etc.), possibly with different
representations (e.g.: ABNF-described UTF-8 encoded Unicode character
string, BER-encoded Distinguished Name). While technical
specifications often prescribe both the identity form and
representation used on the network, different identity forms and/or
representations may (and often are) used within implementations. How
identities of different forms relate to each other is, generally, a
local matter. Additionally, the forms and representations used within
an implementation is a local matter.
Conceptually, SASL framework involves two identities: However, conceptually, SASL framework involves two identities:
1) an identity associated with the authentication 1) an identity associated with the authentication credentials
credentials (termed the authentication identity), and (termed the authentication identity), and
2) an identity to act as (termed the authorization 2) an identity to act as (termed the authorization identity).
identity).
The client provides its credentials and, optionally, a string The client provides its credentials and, optionally, a character
representing the requested authorization identity as part of the SASL string representing the requested authorization identity as part of
exchange. When this string is omitted or empty, the client is the SASL exchange. When this string is omitted or empty, the client
requesting to act as the identity associated with the credentials is requesting to act as the identity associated with the credentials
(e.g., the user is requesting to act as the authentication identity). (e.g., the user is requesting to act as the authentication identity).
The server is responsible for verifying the client's credentials and The server is responsible for verifying the client's credentials and
verifying that the client is allowed to act as the authorization verifying that the client is allowed to act as the authorization
identity. A SASL exchange fails if either (or both) of these identity. A SASL exchange fails if either (or both) of these
verifications fails. verifications fails. (The SASL exchange may fail for other reasons,
such as service authorization failure.)
SASL mechanism specifications describe the form of credentials used
to authenticate clients, and SASL application profiles describe the
form of authorization identities transferred as part of
authentication exchange. However, the precise form(s) of the
authentication identities (used within the server in its
verifications, or otherwise) and the precise form(s) of the
authorization identities (used in making authorization decisions, or
otherwise) is beyond the scope of the SASL and this specification.
In some circumstances, the precise identity forms used outside of the
SASL exchange may be dictated by other specifications. For instance,
the authorization policy specification for an application protocol
may dictate the precise form that an authorization identity is to be
represented in the authorization policy.
<<Need to address few issues in the two remaining paragraphs>> Any
normalization of the authentication identity (for the purposes of
conducting authentication exchange) is defined by a particular SASL
mechanism, the protocol profile doesn't influence it. Note, that the
Internet DRAFT SASL 16 February 2005
mechanism specification doesn't control how authentication identity
information is represented elsewhere <<need to add few examples>>.
The mechanism MUST preserve Unicode codepoints when transferring
authorization identity (e.g. the mechanism can't apply any form of
normalization).
3.2.1. Authorization identities and proxy authentication
A mechanism which is incapable of transmitting an authorization
identity must be treated as if it always transmits an authorization
identity of an empty string.
If the authorization identity transmitted during the authentication
exchange is not the empty string, this is typically referred to as
"proxy authentication". This feature permits agents such as proxy
servers to authenticate using their own credentials, yet request the
access privileges of the identity for which they are proxying.
The server makes an implementation-defined policy decision as to
whether the authentication identity is permitted to have the access
privileges of the authorization identity and whether the
authorization identity is permitted to receive service. If it is
not, the server indicates failure of the authentication exchange.
As a client might not have the same information as the server,
clients SHOULD NOT derive authorization identities from
authentication identities. Instead, clients SHOULD provide no (or
empty) authorization identity when the user has not provided an
authorization identity.
The server SHOULD verify that a received authorization identity is in
the correct form. Protocol profiles whose authorization identities
are simple user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep"
profile [SASLprep] of the "stringprep" algorithm [StringPrep] to
prepare these names for matching. The profiles MAY use a stringprep
profile that is more strict than "SASLprep". If the preparation of
the authorization identity fails or results in an empty string, the
server MUST fail the authentication exchange. The only exception to
this rule is when the received authorization identity is already the
empty string.
3.2.2. Authorization Identity Format
An authorization identity is a string of zero or more Unicode
[Unicode] coded characters. The NUL <U+0000> character is prohibited
Internet DRAFT SASL 16 February 2005
in authorization identities.
The character encoding scheme used for transmitting an authorization
identity over the protocol is specified in each authentication
mechanism. All IETF-defined mechanisms MUST, and all other
mechanisms SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF
policy regarding character sets and encoding schemes.)
Mechanisms are expected to be capable of carrying the entire Unicode
repertoire (with the exception of the NUL character). An
authorization identity of the empty string and an absent
authorization identity MUST be treated as equivalent. A mechanism
which provides an optional field for an authorization identity,
SHOULD NOT allow that field, when present, to be empty. The meaning
of the empty string as an authorization identity is described in
Section 3.2.
3.3. Security layers
SASL mechanisms may offer a wide range of services in "security
layers". Typical examples of such services are data integrity, data
confidentiality, re-keying, truncation detection and compression.
If use of a security layer is negotiated by the authentication
protocol exchange, the security layer is applied to all subsequent
data sent over the connection (until another security layer is
negotiated ( see also section 6.3) or underlying connection is
closed). The security layer takes effect immediately following the
last response of the authentication exchange for data sent by the
client and the completion indication for data sent by the server. The
exact position MUST be defined by the protocol profile (see section 4
part 5).
Once the security layer is in effect the protocol stream is processed
by the security layer into buffers of protected data. If the
security layer is not able to produce a buffer, the connection MUST
be closed. If the security layer is not able to decode a received
buffer, the connection MUST be closed. In both cases the underlying
connection SHOULD be closed gracefully.
Each buffer of protected data is transferred over the connection as a
stream of octets prepended with a four octet field in network byte
order that represents the length of the buffer. The length of the
protected data buffer MUST be no larger than the maximum size that
was either defined in the mechanism specification or negotiated by
the other side during the authentication exchange. Upon the receipt
of a data buffer which is larger than the defined/negotiated maximal
Internet DRAFT SASL 16 February 2005
buffer size the receiver SHOULD close the connection, as this might
be a sign of an attack.
SASL mechanisms which are unable to negotiate a security layer are SASL mechanism specifications describe the credential form(s) (e.g.,
treated as selecting no security layer. X.509 certificates, Kerberos tickets, simple username/password) used
to authenticate the client, including (where appropriate) the syntax
and semantics of associated identities. SASL protocol specifications
describe the identity form(s) used in authorization and, in
particular, prescribe the syntax and semantics of the authorization
identity character string to be transferred by mechanisms.
4. Protocol profile requirements However, the precise form(s) of the authentication identities (used
within the server in its verifications, or otherwise) and the precise
form(s) of the authorization identities (used in making authorization
decisions, or otherwise) is beyond the scope of SASL and this
specification. In some circumstances, the precise identity forms used
in some context outside of the SASL exchange may be dictated by other
specifications. For instance, an identity assumption authorization
(proxy authorization) policy specification may dictate how
authentication and authorization identities are represented in the
policy statement.
In order to use this specification, a protocol definition MUST supply 3. The Authentication Exchange
the following information:
1) A service name, to be selected from the IANA registry of Each authentication exchange consists of a message from the client to
"service" elements for the GSSAPI host-based service name form the server requesting authentication via a particular mechanism,
[GSSAPI]. This service name is made available to the authentication followed by pairs of challenges from servers and responses from
mechanism. clients, followed by a message from the server indicating the outcome
of the authentication exchange. (Note: exchanges may also be aborted
as discussed in Section 3.5.)
The registry is available at the URL The following illustration provides a high-level overview of an
<http://www.iana.org/assignments/gssapi-service-names>. authentication exchange.
2) A definition of the command to initiate the authentication C: Request authentication exchange
protocol exchange. This command must have as a parameter the name S: Initial challenge
of the mechanism being selected by the client. C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange
The command SHOULD have an optional parameter giving an initial If the outcome is successful and a data layer was negotiated, this
response. If the protocol allows for the initial response, the layer is then installed. Protocols may allow this data to be carried
protocol profile MUST also describe how an empty initial response in the request message. This applies as well to the following
is encoded. This optional parameter allows the client to avoid a illustrations.
round trip when using a mechanism which is defined to have the
client send data first. When this initial response is sent by the
client and the selected mechanism is defined to have the server
start with an initial challenge, the command fails. See section
6.1 of this document for further information.
3) A definition of the method by which the authentication protocol Some mechanisms specify that the first data sent in the authentication
exchange is carried out, including how the challenges and responses exchange is from the client to the server. Protocols may provide an
are encoded, how the server indicates completion or failure of the optional initial response field in the request message to carry this
exchange, how the client aborts an exchange, and how the exchange data. Where the mechanism specifies the first data data sent in the
method interacts with any line length limits in the protocol. exchange is from the client to the server, the protocol provides an
optional initial response field, and the client uses this field, the
exchange is shortened by one round-trip:
The exchange method SHOULD allow the server to include an optional C: Request authentication exchange + Initial response
data ("optional challenge") with a success notification. This <additional challenge/response messages>
allows the server to avoid a round trip when using a mechanism S: Outcome of authentication exchange
which is defined to have the server send additional data along with
the indication of successful completion. Note that if additional
data is sent with success, it can not be empty. See section 6.2 of
this document for further information.
4) A protocol profile SHOULD specify a mechanism through which a Where the mechanism specifies the first data sent in the exchange is
from the client to the server and this field is unavailable or unused,
the client request is followed by an empty challenge.
Internet DRAFT SASL 16 February 2005 C: Request authentication exchange
S: Empty Challenge
C: Initial Response
<additional challenge/response messages>
S: Outcome of authentication exchange
client may obtain the names of the SASL mechanisms available to it. Should a client include an initial response in its request where the
This is typically done through the protocol's extensions or mechanism does not allow the client to send data first, the
capabilities mechanism. authentication exchange fails.
5) Identification of the octet where any negotiated security layer Some mechanisms specify that the server is to send additional data to
starts to take effect, in both directions. the client when indicating a successful outcome. Protocols may
provide an optional additional data field in the outcome message to
carry this data. Where the mechanism specifies the server is to
return additional data with the successful outcome, the protocol
provides an optional additional data field in the outcome message, and
the server uses this field, the exchange is shortened by one
round-trip:
6) Specify if the protocol profile supports "multiple C: Request authentication exchange
authentications" (see section 6.3). S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange with
additional data with success
7) If both a Transport Layer Security [TLS] and a SASL security Where the mechanism specifies the server is to return additional data
layer are allowed to be negotiated by the protocol, the protocol to the client with a successful outcome and and this field is
profile MUST define in which order they are applied to a cleartext unavailable or unused, the additional data is sent as a challenge
data sent over the connection. whose response is empty. After receiving this response, the server
then indicates the successful outcome.
8) A protocol profile MAY further refine the definition of an C: Request authentication exchange
authorization identity by adding additional syntactic restrictions S: Initial challenge
and protocol-specific semantics. A protocol profile MUST specify C: Initial response
the form of the authorization identity (since it is protocol- <additional challenge/response messages>
specific, as opposed to the authentication identity, which is S: Additional data challenge
mechanism-specific) and how authorization identities are to be C: Empty Response
compared. Profiles whose authorization identities are simple user S: Outcome of authentication exchange
names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep" profile
[SASLprep] of the "stringprep" algorithm [StringPrep] to prepare
these names for matching. The profiles MAY use a stringprep profile
that is more strict than SASLprep.
9) Where the application-layer protocol does not precisely state Where mechanisms specify the first data sent in the exchange is from
how identities established through SASL relate to identities used the client to the server and additional data is sent to the client
elsewhere (e.g., access controls) in the application-layer along with indicating a successful outcome, and the protocol provides
protocol, it may be useful for the application-layer protocol to fields supporting both, the exchange can be shorted by two
provide a facility which the client may use to discover the round-trips:
identity used.
A protocol profile SHOULD NOT attempt to amend the definition of C: Request authentication exchange + Initial response
mechanisms or create mechanism-specific encodings. This breaks the <additional challenge/response messages>
separation between protocol and mechanism that is fundamental to the S: Outcome of authentication exchange
design of SASL. (Likewise, SASL mechanisms are intended to be profile with additional data with success
neutral.)
5. Mechanism profile guidelines instead of:
Designers of new SASL mechanism should be aware of the following C: Request authentication exchange
issues: S: Empty Challenge
C: Initial Response
<additional challenge/response messages>
S: Additional data challenge
C: Empty Response
S: Outcome of authentication exchange
1) Authorization identity 3.1. Mechanism Naming
Internet DRAFT SASL 16 February 2005 SASL mechanisms are named by character strings, from 1 to 20
characters in length, consisting of ASCII [ASCII] uppercase letters,
digits, hyphens, and/or underscores. In the following Augmented
Backus-Naur Form (ABNF) [ABNF] grammar, the <sasl-mech> production
defines the syntax of a SASL mechanism name.
While some legacy mechanisms are incapable of transmitting an sasl-mech = 1*20mech-char
authorization identity (which means that for these mechanisms the mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
authorization identity is always the empty string), newly defined ; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _
mechanisms SHOULD be capable of transmitting a non-empty ; from ASCII character set.
authorization identity. See also section 3.2.
2) Character string issues UPPER-ALPHA = %x41-5A ; A-Z (uppercase only)
DIGIT = %x30-39 ; 0-9
HYPHEN = %x2D ; hyphen (-)
UNDERSCORE = %x5F ; underscore (_)
SASL mechanisms names are registered as discussed in Section 7.1.
Authentication mechanisms SHOULD encode character strings in UTF-8 3.2. Mechanism Negotiation
[UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character
sets in IETF protocols). In order to avoid interoperability problems
due to differing normalizations, when a mechanism specifies that
character data is to be used as input to a cryptographic and/or
comparison function, the mechanism specification MUST detail how the
data is to be represented, including any normalizations or other
preparations, to ensure proper function. Designers of mechanisms
SHOULD use the "SASLprep" profile [SASLprep] of the "stringprep"
algorithm [StringPrep] where applicable. This recommendation does
not apply to authorization identities as their handling is protocol-
specific.
The preparation can be potentially performed on the client side (upon Mechanism negotiation is protocol-specific.
getting user input or retrieving a value from configuration) or on
the server side (upon receiving the value from the client, retrieving
a value from its authentication database or generating a new value in
order to store in in the authentication database). SASL mechanisms
MUST define which entity (or entities) must perform the preparation.
If preparation fails or turns a non-empty string into the empty
string, the entity doing the preparation MUST fail the authentication
exchange.
Implementation note: A server side can be represented by multiple Commonly, a protocol will specify that the server advertises supported
processes. For example, the server side may consist of the server and available mechanisms to the client via some facility provided by
process itself that communicated with a client and a utility (a the protocol and the client will then select the "best" mechanism from
server agent) that is able to store passwords/hashes (or derivitives) this list which its supports and finds suitable.
in a database that can be later used by the server. For the server
agent the requirement to "fail the authentication exchange" should be
interpreted as a requirement to refuse to store the data in the
database.
3) The mechanism specification MUST detail whether or not it offers a It is noted that the mechanism negotiation is not protected by the
security layer. If it does, it MUST detail the security and other subsequent authentication exchange and hence is subject to downgrade
services offered in the layer as well as how these services are to be attacks if not protected by other means.
implemented.
4) If the underlying cryptographic technology used by a mechanism To detect downgrade attacks, a protocol may allow the client to
supports data integrity, then the mechanism specification MUST discover available mechanism subsequent to the authentication exchange
integrity protect the transmission of an authorization identity and (and, hence, protected by any data security layer provided by
mechanism) so that downgrade attacks can be detected.
Internet DRAFT SASL 16 February 2005 3.3. Request Authentication Exchange
the negotiation of the security layer. The authentication exchange is initiated by the client by requesting
authentication via a mechanism it specifies. The client sends a
message that contains the name of the mechanism to the server. The
particulars of the message are protocol specific.
5) The mechanism SHOULD NOT use the authorization identity in It is noted that the name of the mechanism is not protected by the
generation of any long-term cryptographic keys/hashes. The reason is mechanism, and hence subject to alteration by an attacker if not
that different protocols (and sometimes even different integrity protected by other means.
implementations of the same protocol) may use multiple forms of an
authorization identity that are semantically equivalent and some
clients may use one form while other clients use a different form.
6) SASL mechanisms should be designed to minimize the number of round Where the mechanism is defined to allow the client to send data first,
trips required, because SASL can be used with protocols where and the protocol's request message includes an optional initial
connections are short-lived. response field, the client may include the response to the initial
challenge in the authentication request message.
7) SASL mechanisms SHOULD be profile neutral. 3.4. Challenges and Responses
6. Specific issues The authentication exchange involves pairs of server-challenges and
client-responses, the particulars of which are mechanism specific.
These challenges and responses are enclosed in protocol messages, the
particulars of which are protocol specific.
6.1. Client sends data first Through these challenges and responses, the mechanism may:
- authenticate the client to the server,
- authenticate the server to the client,
- transfer an authorization identity string,
- negotiate a security layer, and
- provide other services.
Some mechanisms specify that the first data sent in the The negotiation of the security layer may involve negotiation of the
authentication exchange is from the client to the server. security services to be provided in the layer, how these services will
be provided, and negotiation of a maximum cipher-text buffer size each
size is able to receive in the layer (see Section 3.6).
If a protocol's profile permits the command which initiates an After receiving an authentication request or any client response, the
authentication exchange to contain an initial client response, this server may issue a challenge, abort the exchange, or indicate the
parameter SHOULD be used with such mechanisms. outcome of an exchange. After receiving a challenge, a client
mechanism may issue a response or abort the exchange.
If the initial client response parameter is not given, or if a 3.4.1. Authorization Identity String
protocol's profile does not permit the command which initiates an
authentication exchange to contain an initial client response, then
the server issues a challenge with no data. The client's response to
this challenge is then used as the initial client response. (The
server then proceeds to send the next challenge, indicates
completion, or indicates failure.)
6.1.1. Client sends data first examples The authorization identity string is a sequence of zero or more
Unicode [Unicode] characters, excluding the NUL (U+0000) character,
representing the identity to act as.
The following are two examples of the SECURID authentication [SASL- If the authorization identity string is absent, the client is
SECURID] in the SMTP protocol [SMTP]. In the first example below, requesting to act as the identity the server associates with the
the client is trying fast reauthentication by sending the initial client's credentials. An empty string is equivalent to an absent
response: authorization identity.
S: 220-smtp.example.com ESMTP Server Non-empty authorization identity string indicates the client wishes to
C: EHLO client.example.com act as the identity represented by the string. In this case, the form
S: 250-smtp.example.com Welcome client.example.com of identity represented by the string, as well as the precise syntax
S: 250-AUTH GSSAPI SECURID and semantics of the string, is protocol specific.
S: 250 DSN
C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA=
Internet DRAFT SASL 16 February 2005 While character encoding schema used to transfer the authorization
identity string in the authentication exchange is mechanism specific,
mechanisms are expected to be capable of carrying the entire Unicode
repertoire (with the exception of the NUL character).
S: 235 Authentication successful 3.5. Aborting Authentication Exchanges
The example below is almost identical to the previous, but here the A client or server may desire to abort an authentication exchange if
client chooses not to use the initial response parameter. it is unwilling or unable to continue (or enter into).
S: 220-smtp.example.com ESMTP Server A client may abort the authentication exchange by sending a message,
C: EHLO client.example.com the particulars of which are protocol-specific, to the server,
S: 250-smtp.example.com Welcome client.example.com indicating the exchange is aborted. The server may be required by the
S: 250-AUTH GSSAPI SECURID protocol to return a message in response to the client's abort
S: 250 DSN message.
C: AUTH SECURID
S: 334
C: AG1hZ251cwAxMjM0NTY3OAA=
S: 235 Authentication successful
Additonal examples that show usage of initial response can be found Likewise, a server may abort the authentication exchange by sending a
in section 7.2. message, the particulars of which are protocol-specific, to the
client, indicating the exchange is aborted.
6.2. Server returns success with additional data 3.6. Authentication Outcome
Some mechanisms may specify that additional data be sent to the At the conclusion of the authentication exchange, the server sends a
client along with an indication of successful completion of the message, the particulars of which are protocol specific, to the client
exchange. This data would, for example, authenticate the server to indicating the outcome of the exchange.
the client.
If a protocol's profile does not permit this additional data to be The outcome is not successful if
returned with a success indication, then the server issues the data - the authentication exchange failed for any reason,
as a server challenge, without an indication of successful - the clients credentials could not be verified,
completion. The client then responds with no data. After receiving - the server cannot associate an identity with the client's
this empty response, the server then indicates successful completion credentials,
(with no additional data). - the client-provided authorization identity string is malformed,
- the identity associated with the client's credentials are not
authorized to act as the requested authorization identity,
- the negotiated security layer (or lack thereof) is not suitable,
or
- the server is not willing to provide service to the client for any
reason.
Client implementors should be aware of an additional failure case The protocol may include an optional additional data field in this
that might occur when the profile supports sending the additional outcome message.
data with success. Imagine that an active attacker is trying to
impersonate the server and sends faked data, which should be used to
authenticate the server to the client, with success. (A similar
situation can happen when either the server and/or the client has a
bug and they calculate different responses.) After checking the data,
the client will think that the authentication exchange has failed,
however the server will think that the authentication exchange has
completed successfully. At this point the client can not abort the
authentication exchange; it SHOULD close the connection instead.
However, if the profile did not support sending of additional data
with success, the client could have aborted the exchange at the very
last step of the authentication exchange.
Internet DRAFT SASL 16 February 2005 If the outcome is successful and a security layer was negotiated, this
layer is then installed. If the outcome is unsuccessful, or a
security layer was not negotiated, any existing security is left in
place.
6.2.1. Server returns success with additional data examples 3.7. Security Layers
The following are two examples of a DIGEST-MD5 authentication [SASL- SASL mechanisms may offer a wide range of services in security layers.
DIGEST] in the Extensible Messaging and Presence Protocol [XMPP]. In Typical services include data integrity and data confidentiality.
the first example below, the server is sending mutual authentication SASL mechanisms which do not provide a security layer are treated as
data with success. negotiating no security layer.
C: <stream:stream If use of a security layer is negotiated in the authentication
xmlns='jabber:client' protocol exchange, the layer is installed by the server after
xmlns:stream='http://etherx.jabber.org/streams' indicating the outcome of the authentication exchange and installed by
to='example.com' the client upon receipt the outcome indication. In both cases, the
version='1.0'> layer is installed before transfer of further protocol data. The
S: <stream:stream precise position that the layer takes effect in the protocol data
xmlns='jabber:client' stream is protocol specific.
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_234'
from='example.com'
version='1.0'>
S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>CRAM-MD5</mechanism>
</mechanisms>
</stream:features>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
</challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK
</response>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</success>
The example below is almost identical to the previous, but here Once the security layer is in effect in the protocol data stream, it
the server chooses not to use the additional data with success. remains in effect until either a subsequently negotiated security
layer is installed, or the underlying transport connection is closed.
C: <stream:stream When in effect, the security layer processes protocol data into
xmlns='jabber:client' buffers of protected data. If at any time the security layer is
xmlns:stream='http://etherx.jabber.org/streams' unable to continue producing buffers protecting protocol data, the
underlying transport connection MUST be closed. If the security layer
is not able to decode a received buffer, the underlying connection
MUST be closed. In both cases the underlying transport connection
SHOULD be closed gracefully.
Internet DRAFT SASL 16 February 2005 Each buffer of protected data is transferred over the underlying
transport connection as a sequence of octets prepended with a four
octet field in network byte order that represents the length of the
buffer. The length of the protected data buffer MUST be no larger
than the maximum size the other side expects. Upon the receipt of a
length field whose value is greater than maximum size, the receiver
SHOULD close the connection, as this might be a sign of an attack.
to='example.com' The maximum size for each side expects is fixed by the mechanism,
version='1.0'> either through negotiation or by its specification.
S: <stream:stream
xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
id='c2s_234'
from='example.com'
version='1.0'>
S: <stream:features>
<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>CRAM-MD5</mechanism>
</mechanisms>
</stream:features>
C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
mechanism='DIGEST-MD5'/>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
</challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
YXJzZXQ9dXRmLTgK
</response>
S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
</challenge>
C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
6.3. Multiple authentications 3.8. Multiple Authentications
Unless otherwise stated by the protocol's profile, only one Unless explicitly permitted in the protocol (as stated in the
successful SASL negotiation may occur in a protocol session. In this protocol's technical specification), only one successful SASL
authentication exchange may occur in a protocol session. In this
case, once an authentication exchange has successfully completed, case, once an authentication exchange has successfully completed,
further attempts to initiate an authentication exchange fail. further attempts to initiate an authentication exchange fail.
If a profile explicitly permits multiple successful SASL negotiations Where multiple successful SASL authentication exchanges are permitted
to occur, then in no case may multiple security layers be in the protocol, then in no case may multiple SASL security layers be
simultaneously in effect. If a security layer is in effect and a simultaneously in effect. If a security layer is in effect and a
subsequent SASL negotiation selects a second security layer, then the subsequent SASL negotiation selects a second security layer, then the
second security layer replaces the first. If a security layer is in second security layer replaces the first. If a security layer is in
effect and a subsequent SASL negotiation selects no security layer, effect and a subsequent SASL negotiation selects no security layer,
the original security layer remains in effect. the original security layer remains in effect.
Internet DRAFT SASL 16 February 2005 Where multiple successful SASL negotiations are permitted in the
protocol, the effect of a failed SASL authentication exchange upon the
Where a protocol profile permits multiple successful SASL previously established authentication and authorization state is
negotiations, the profile MUST detail the effect of a failed SASL protocol specific. The protocol's technical specification should be
negotiation upon the previously established authentication state. consulted to determine whether the previous authentication and
In particular, it MUST state whether the previously established authorization state remains in force, or changed to an anonymous
authenticated state remains in force or whether the connection is to state, or otherwise effected. Regardless of the protocol-specific
revert to an non-authenticated state. Regardless of the specified effect upon previously established authentication and authorization
effect upon authentication state, the previously negotiated security state, the previously negotiated security layer remains in effect.
layer remains in effect.
7. The EXTERNAL mechanism
The mechanism name associated with external authentication is
"EXTERNAL".
The client sends a single message containing the UTF-8 encoding of
the requested authorization identity. The message may be empty. The
form of the authorization identity may be restricted by the
application protocol's SASL profile.
Some system external to SASL must authenticate the client. If that
succeeds, the server determines the authentication identity from
information from this system. If the requested authorization
identity is empty, the authorization identity is derived from the
authentication identity. The server determines if the authentication
identity is allowed to act as the authorization identity. If all
that succeeds, the server indicates successful completion of the
authentication exchange; otherwise it indicates failure.
The system providing this external information may be, for example,
IPSec [IPSec] or TLS [TLS]. However, the client can make no
assumptions as to what information the server can use in determining
client authorization. For example, just because TLS was established,
doesn't mean that the server will use the information provided by
TLS.
7.1. Formal syntax
The following syntax specification uses the augmented Backus-Naur
Form (BNF) notation as specified in [ABNF]. Non-terminals referenced
but not defined below are as defined by [UTF-8].
The "extern-resp" rule below defines the message sent from client to
server.
extern-resp = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
Internet DRAFT SASL 16 February 2005
UTF8-1-no-nul = %x01-7F
7.2. Examples of SASL EXTERNAL
The following is an example of an EXTERNAL authentication in the SMTP
protocol [SMTP]. In this example, the client is proxy authenticating,
sending the authorization identity "fred@example.com" in the
(optional) initial response. The server has obtained the client's
(authentication) identity from an external service, such as IPsec,
and has a security policy that permits that identity to assume the
identity of the asserted authorization identity.
To the protocol profile, the sequence "fred@example.com" is an opaque
binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies
that server challenges and client responses are encoded in BASE64
[BASE64, section 3]; the BASE64 encoding of "fred@example.com" is
"ZnJlZEBleGFtcGxlLmNvbQ==".
S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH DIGEST-MD5 EXTERNAL
C: AUTH EXTERNAL ZnJlZEBleGFtcGxlLmNvbQ==
S: 235 Authentication successful.
The following example is almost identical to the one above, but the
client doesn't request proxy authentication.
S: 220 smtp.example.com ESMTP server ready 4. Protocol Requirements
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH DIGEST-MD5 EXTERNAL
C: AUTH EXTERNAL
S: 235 Authentication successful.
The following is an example of an EXTERNAL authentication in the In order for a protocol to offer SASL services, its specification MUST
IMAP4 protocol [IMAP]. IMAP4 doesn't support the initial response supply the following information:
feature of SASL. As in the previous example, the client doesn't
request proxy authentication.
S: * OK IMAP4rev1 Server 1) A service name, to be selected from the IANA registry of "service"
C: C01 CAPABILITY elements for the GSSAPI host-based service name form [RFC2743].
S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=EXTERNAL
[...]
C: A01 AUTHENTICATE EXTERNAL
(note that there is a space following the "+" in the following line)
S: +
Internet DRAFT SASL 16 February 2005 2) Detail any mechanism negotiation facility the protocol provides
(see Section 3.2).
C: A protocol SHOULD specify a facility through which the client may
S: A01 OK Success discover, both before initiation of the SASL exchange and after
installing security layers negotiated by the exchange, the names of
the SASL mechanisms the server makes available to the client. The
latter is important to allow the client to detect downgrade
attacks. This facility is typically provided through the
protocol's extensions or capabilities discovery facility.
8. IANA Considerations 3) Definition of the messages necessary for authentication exchange,
including:
8.1. Guidelines for IANA a) A message to initiate the authentication exchange (see Section
3.3).
It is requested that IANA updates the SASL mechanisms registry as This message MUST contain a field for carrying the name of the
follows: mechanism selected by the client.
Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism This message SHOULD contain an optional field for carrying an
registrations to OBSOLETE. Change the "Published specification" initial response. If the message is defined with this field,
of the EXTERNAL mechanism to this document. Updated registration the specification MUST describe how messages with an empty
information is provided in Section 8.6. initial response are distinguished from messages with no initial
response. This field MUST be capable of carrying arbitrary
sequences of octets (including zero length sequences and
sequences containing zero-valued octets).
8.2. Registration procedure b) Messages to transfer server challenges and client responses.
(see Section 3.4).
Registration of a SASL mechanism is done by filling in the template Each of these messages MUST be capable of carrying arbitrary
in section 8.5 and sending it via electronic mail to <iana@iana.org>. sequences of octets (including zero length sequences and
IANA has the right to reject obviously bogus registrations, but will sequences containing zero-valued octets).
perform no review of claims made in the registration form. SASL
mechanism registrations are currently available at the URL
<http://www.iana.org/assignments/sasl-mechanisms>.
There is no naming convention for SASL mechanisms; any name that c) A message to indicate the outcome of the authentication exchange
conforms to the syntax of a SASL mechanism name can be registered. (see Section 3.6).
However an IETF Standards Track document may reserve a portion of the
SASL mechanism namespace ("family of SASL mechanisms") for its own
use, amending the registration rules for that portion of the
namespace. Each family of SASL mechanisms MUST be identified by a
prefix.
While the registration procedures do not require expert review, This message SHOULD contain an optional field for carrying
authors of SASL mechanisms are encouraged to seek community review additional data with a successful outcome. If the message is
and comment whenever that is feasible. Authors may seek community defined with this field, the specification MUST describe how
review by posting a specification of their proposed mechanism as an messages with an empty additional data are distinguished from
Internet-Draft. SASL mechanisms intended for widespread use should messages with no additional data. This field MUST be capable of
be standardized through the normal IETF process, when appropriate. carrying arbitrary sequences of octets (including zero length
sequences and sequences containing zero-valued octets).
8.3. Comments on SASL mechanism registrations 4) Prescribe the syntax and semantics of non-empty authorization
identity strings (see Section 3.4.1).
Comments on registered SASL mechanisms should first be sent to the Specifications are encouraged to prescribe use of existing
"owner" of the mechanism and/or to the SASL WG mailing list. authorization identity forms as well as existing string
representations, such as simple user names [RFC4013]. Protocols
whose authorization identities are simple user names SHOULD use of
SASLprep [RFC4013] (a profile of the StringPrep [RFC3454]
preparation algorithm) as their preparation algorithm.
Internet DRAFT SASL 16 February 2005 Where the specification does not precisely prescribe how identities
in SASL relate to identities used elsewhere in the protocol, for
instance in access control policy statements, it may be appropriate
for the protocol to provide a facility by which the client may
discover information (such as the representation of the
authentication identity used in making access control decisions)
about established identities for these uses.
Submitters of comments may, after a reasonable attempt to contact the 5) Detail any facility the protocol provides that allows the client
owner, request IANA to attach their comment to the SASL mechanism and/or server to abort authentication exchange (see Section 3.5).
registration itself. If IANA approves of this, the comment will be
made accessible in conjunction with the SASL mechanism registration
itself.
8.4. Change control Protocols which support multiple authentications typically allow a
client to abort an on-going authentication exchange by initiating a
new authentication exchange. Protocols which do not support
multiple authentications may require the client to close the
connection and start over to abort an on-going authentication
exchange.
Once a SASL mechanism registration has been published by IANA, the Protocols typically allow the server to abort on-going
author may request a change to its definition. The change request authentication exchanges by returning a non-successful outcome
follows the same procedure as the registration request. message.
The owner of a SASL mechanism may pass responsibility for the SASL 6) Identify precisely where newly negotiated security layers starts to
mechanism to another person or agency by informing IANA; this can be take effect, in both directions (see Section 3.7).
done without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most Typically, specifications require security layer to start taking
common case of this will be to enable changes to be made to effect, in data being sent by the server, on the first octet
mechanisms where the author of the registration has died, moved out following the outcome message and, in data being sent by the
of contact or is otherwise unable to make changes that are important client, on the first octet sent after receipt of the outcome
to the community. message.
SASL mechanism registrations may not be deleted; mechanisms which are 7) If the protocol supports other layered security services, such as
no longer believed appropriate for use can be declared OBSOLETE by a Transport Layer Security (TLS) [RFC2246], the specification MUST
change to their "intended usage" field; such SASL mechanisms will be prescribe the order in which security layers are applied to
clearly marked in the lists published by IANA. protocol data.
The IESG is considered to be the owner of all SASL mechanisms which For instance, where a protocol supports both TLS and SASL security
are on the IETF standards track. layers, the specification could prescribe any of the following:
a) SASL security layer is always applied first to data being sent
and, hence, applied last to received data,
b) SASL security layer is always applied last to data being sent
and, hence, applied first to received data,
c) Layers are applied in the order in which they were installed,
d) Layers are applied in the reverse order in which they were
installed, or
e) Both TLS and SASL security layers cannot be installed.
8.5. Registration template 8) Indicate whether the protocol supports multiple authentications
(see Section 3.8). If so, the protocol MUST detail the effect a
failed SASL authentication exchange will have upon previously
established authentication and authorization state.
Subject: Registration of SASL mechanism X Protocol specifications SHOULD avoid stating implementation
requirements which would hinder replacement of applicable mechanisms.
In general, protocol specification SHOULD be mechanism neutral. There
are a number reasonable exceptions to this recommendation, including:
- detailing how credentials (which are mechanism-specific) are
managed in the protocol,
- detailing how authentication identities (which are
mechanism-specific) and authorization identities (which are
protocol-specific) relate to each other, and
- detailing which mechanisms are applicable to the protocol.
Family of SASL mechanisms: (YES or NO) 5. Mechanism Requirements
SASL mechanism name (or prefix for the family): SASL mechanism specifications MUST supply the following information:
Security considerations: 1) The name of the mechanism (see Section 3.1). This name MUST be
registered as discussed in Section 8.1.
Published specification (optional, recommended): 2) A definition of the server-challenges and client-responses of the
authentication exchange, as well as:
Person & email address to contact for further information: a) An indication whether the client is expected to send data first.
If so, when the client does not send data first, the initial
challenge MUST be specified as being an empty challenge.
Intended usage: b) An indication whether the server is expected to provide
additional data when indicating a successful outcome. If so, if
the server sends the additional data as a challenge, the
specification MUST indicate the response to this challenge is an
empty response.
(One of COMMON, LIMITED USE or OBSOLETE) SASL mechanisms SHOULD be designed to minimize the number of
challenges and responses necessary to complete the exchange.
Internet DRAFT SASL 16 February 2005 3) An indication of whether the mechanism is capable of transferring
authorization identity strings (see Section 3.4.1). While some
legacy mechanisms are incapable of transmitting an authorization
identity (which means that for these mechanisms the authorization
identity is always the empty string), newly defined mechanisms
SHOULD be capable of transferring authorization identity strings.
The mechanism SHOULD NOT be capable of transferring both no
authorization identity string and an empty authorization identity.
Owner/Change controller: Mechanisms which are capable of transferring an authorization
identity string MUST be capable of transferring arbitrary non-empty
sequences of Unicode characters, excluding those which contain the
NUL (U+0000) character. Mechanisms SHOULD use the UTF-8 [RFC3629]
transformation format. The specification MUST detail how any
Unicode code points special to the mechanism which might appear in
the authorization identity string are escaped to avoid ambiguity
during decoding of the authorization identity string. Typically,
mechanisms which have special characters require these special
characters to be escaped or encoded in the character string (after
encoding it a particular Unicode transformation format) using a
data encoding scheme such as Base64 [RFC3548].
(Any other information that the author deems interesting may be 4) The specification MUST detail whether or not the mechanism offers a
added below this line.) security layer. If the mechanism does, the specification MUST
detail the security and other services offered in the layer as well
as how these services are to be implemented.
8.6. The EXTERNAL mechanism registration 5) If the underlying cryptographic technology used by a mechanism
supports data integrity, then the mechanism specification MUST
integrity protect the transmission of an authorization identity and
the negotiation of the security layer.
It is requested that the SASL Mechanism registry [IANA-SASL] entry SASL mechanisms SHOULD be protocol neutral.
for the EXTERNAL mechanism be updated to reflect that this document
now provides its technical specification.
Subject: Updated Registration of SASL mechanism EXTERNAL SASL mechanisms SHOULD reuse existing credential and identity forms,
as well as associated syntaxes and semantics.
Family of SASL mechanisms: NO SASL mechanisms SHOULD use UTF-8 transformation format [RFC3629] for
encoding Unicode [Unicode] code points for transfer.
SASL mechanism name: EXTERNAL In order to avoid interoperability problems due to differing
normalizations, when a mechanism calls for character data is to be
used as input to a cryptographic and/or comparison function, the
specification MUST detail precisely how and where (client or server)
the character data is to be prepared, including all normalizations,
for input into the function to ensure proper operation.
Security considerations: See RFC XXXX, section 9. For simple user names and/or passwords in authentication credentials,
SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation
algorithm), SHOULD be specified as the preparation algorithm.
Published specification (optional, recommended): RFC XXXX The mechanism SHOULD NOT use the authorization identity string in
generation of any long-term cryptographic keys or hashes as there is
no requirement that the authorization identity string be be
non-canonical. Long-term, here, means a term longer than the duration
of the authentication exchange in which they were generated in. That
is, as different clients (of the same or different protocol) may
provide different authorization identity strings which are
semantically equivalent, use of authorization identity strings in
generation of cryptographic keys and hashes will likely lead to
interoperability and other problems.
Person & email address to contact for further information: 6. Security Considerations
Alexey Melnikov <Alexey.Melnikov@isode.com>
Intended usage: COMMON Security issues are discussed throughout this memo.
Owner/Change controller: IESG <iesg@ietf.org> Many existing SASL mechanisms do not provide adequate protection
against passive attacks, let alone active attacks, against the
authentication exchange. Many existing SASL mechanisms do not offer
any security layers. It is hoped that future SASL mechanisms will
provide strong protection against passive and active attacks in the
authentication exchange, as well as security layers with strong basis
data security features (e.g., data integrity and data confidentiality)
services. It is also hoped that future mechanisms will provide more
advance data security services like re-keying (see Section 6.1).
Note: Updates existing entry for EXTERNAL Regardless, the SASL framework is suspectable to downgrade attacks.
Section 6.1 offers a variety of approaches for preventing or detecting
these attacks. In some cases, it is appropriate to use data integrity
protective services (e.g., TLS) external to SASL to protect against
downgrade attacks in SASL. This is especially true when the
mechanisms available to the client do not themselves offer adequate
integrity or confidentiality protection of the authentication exchange
and/or protocol data.
9. Security considerations 6.1. Active Attacks
Security issues are discussed throughout this memo. 6.1.1. Man-in-the-middle Attacks
When the client selects a security layer with at least integrity When the client selects a security layer with at least integrity
protection, this protects against an active attacker hijacking the protection, this protects against an active attacker hijacking the
connection and modifying the authentication exchange to negotiate a connection and modifying the authentication exchange to negotiate a
plaintext connection. plain-text connection. In this case, it is important that any
When a server or client supports multiple authentication mechanisms,
each of which has a different security strength, it is possible for
an active attacker to cause a party to use the least secure mechanism
supported. To protect against this sort of attack, a client or
server which supports mechanisms of different strengths should have a
configurable minimum strength that it will use. It is not sufficient
for this minimum strength check to only be on the server, since an
Internet DRAFT SASL 16 February 2005
active attacker can change which mechanisms the client sees as being
supported, causing the client to send authentication credentials for
its weakest supported mechanism.
The client's selection of a SASL mechanism is done in the clear and
may be modified by an active attacker. It is important for any new
SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses.
In order to detect Man-in-the-middle (MITM) attacks the client MAY
list available SASL mechanisms both before and after the SASL
security layer is negotiated. This allows the client to detect
active attacks that remove mechanisms from the server's list of
supported mechanisms, and allows the client to ensure that it is
using the best mechanism supported by both client and server. New
protocol profiles SHOULD require servers to make the list of SASL
mechanisms available for the initial authentication available to the
client after security layers are established. Some older protocols
do not require this (or don't support listing of SASL mechanisms once
authentication is complete); for these protocols clients MUST NOT
treat an empty list of SASL mechanisms after authentication as a MITM
attack.
Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete. ignored or revalidated once authentication is complete.
Clients should be admonished to validate TLS server IDs to prevent Negotiation of the SASL mechanism, initiation of the SASL exchange,
MITM attacks when using SASL-over-TLS. The same recommendation and portions of the SASL authentication exchange itself are
applies to other protocols providing security services. security-sensitive negotiations.
When use of a security layer is negotiated by the authentication When a server or client allows negotiation of authentication
protocol exchange, the receiver should handle gracefully any mechanisms and/or other security features, it is possible for an
protected data buffer larger than the defined/negotiated maximal active attacker to cause a party to use the least secure services
size. In particular, it must not blindly allocate the amount of supported. For instance, an attacker can modify the server-advertised
memory specified in the buffer size field, as this might cause the mechanism list or can modify client-advertised security feature list
"out of memory" condition. If the receiver detects a large block, it within a mechanism response. To protect against this sort of attack,
SHOULD close the connection. implementations should not advertise mechanisms and/or features which
cannot meet their minimum security requirements, should not enter into
or continue authentication exchanges which cannot meet their minimum
security requirements, and should verify that completed authentication
exchanges meets their minimum security requirements. Note that each
endpoint needs to independently verify that its security requirements
are met.
Most of the currently available mechanisms that provide security In order to detect downgrade attacks to the least (or less) secure
layers only provide basic data security services, such as data mechanism supported, the client may discover the SASL mechanisms the
integrity and data privacy services. It is hoped that future server makes available both before the SASL authentication exchange
mechanisms will provide more advance data security services like re- and after the negotiated SASL security layer (with at least integrity
protection) has been installed through the protocol's mechanism
discovery facility. If the client finds that the integrity protected
list (the list obtained after the security layer was installed)
contains a stronger mechanism than those in the previously obtained
list, the client should assume the previously obtained list was
modified by an attacker.
Internet DRAFT SASL 16 February 2005 The client's initiation of the SASL exchange, including the the
selection of a SASL mechanism, is done in the clear and may be
modified by an active attacker. It is important for any new SASL
mechanisms to be designed such that an active attacker cannot obtain
an authentication with weaker security properties by modifying the
SASL mechanism name and/or the challenges and responses.
keying and truncation attack detection. When use of a security layer is negotiated by the authentication
protocol exchange, the receiver should handle gracefully any protected
data buffer larger than the defined/negotiated maximal size. In
particular, it must not blindly allocate the amount of memory
specified in the buffer size field, as this might cause the "out of
memory" condition. If the receiver detects a large block, it SHOULD
close the connection.
Distributed server implementations need to be careful in how they Distributed server implementations need to be careful in how they
trust other parties. In particular, authentication secrets should trust other parties. In particular, authentication secrets should
only be disclosed to other parties that are trusted to manage and use only be disclosed to other parties that are trusted to manage and use
those secrets in manner acceptable to disclosing party. Applications those secrets in manner acceptable to disclosing party. Applications
using SASL assume that SASL security layers providing data using SASL assume that SASL security layers providing data
confidentiality are secure even when an attacker chooses the text to confidentiality are secure even when an attacker chooses the text to
be protected by the security layer. Similarly applications assume be protected by the security layer. Similarly applications assume
that the SASL security layer is secure even if the attacker can that the SASL security layer is secure even if the attacker can
manipulate the ciphertext output of the security layer. New SASL manipulate the cipher-text output of the security layer. New SASL
mechanisms MUST meet these assumptions. mechanisms are expected to meet these assumptions.
"stringprep" and Unicode security considerations apply to 6.1.2. Replay Attacks
authentication identities, authorization identities and passwords.
The EXTERNAL mechanism provides no security protection; it is Some mechanisms may be subject to replay attacks unless protected by
vulnerable to spoofing by either client or server, active attack, and external data security services (e.g., TLS).
eavesdropping. It should only be used when external security
mechanisms are present and have sufficient strength.
9.1. Re-keying 6.1.3. Truncation Attacks
The secure or administratively permitted lifetimes of SASL Most existing SASL security layers to not, themselves, offer
mechanisms' security layers are finite. Cryptographic keys weaken as protection against truncation attack. In a truncation attack, the
they are used and as time passes; the more time and/or ciphertext active attacker causes the protocol session to be closed, causing a
that a cryptanalyst has after the first use of the a key, the easier truncation of the possibly integrity protected data stream that leads
it is for the cryptanalyst to mount attacks on the key. to behavior of one or both the protocol peers that inappropriately
benefits the attacker. Truncation attacks are fairly easy to defend
against in connection-oriented application-level protocols. A
protocol can defend against these attacks simply by ensuring that each
information exchange has a clear final result and that each protocol
session has a graceful closure mechanism, and that these are integrity
protected.
Administrative limits on security layers lifetime may take the form 6.2. Passive Attacks
of time limits expressed in x.509 certificates, Kerberos V tickets,
or in directories, and are often desired. In practice one likely Many mechanisms are subject to various passive attacks, including
effect of administrative security layers lifetime limits is that simple eavesdropping of unprotected credential information in
applications may find that security layers stop working in the middle mechanisms, such as PLAIN, to online and offline dictionary attacks.
of application protocol operation, such as, perhaps, during large
data transfers. As the result of this the connection will be closed 6.3. Re-keying
(see section 3.3), which will result in unpleasant user experience.
The secure or administratively permitted lifetimes of SASL mechanisms'
security layers are finite. Cryptographic keys weaken as they are
used and as time passes; the more time and/or cipher-text that a
cryptanalyst has after the first use of the a key, the easier it is
for the cryptanalyst to mount attacks on the key.
Administrative limits on security layers lifetime may take the form of
time limits expressed in X.509 certificates, Kerberos V tickets, or in
directories, and are often desired. In practice one likely effect of
administrative security layers lifetime limits is that applications
may find that security layers stop working in the middle of
application protocol operation, such as, perhaps, during large data
transfers. As the result of this the connection will be closed (see
Section 3.7), which will result in unpleasant user experience.
Re-keying (key renegotiation process) is a way of addressing the Re-keying (key renegotiation process) is a way of addressing the
weakening of cryptographic keys. SASL framework does not itself weakening of cryptographic keys. SASL framework does not itself
provide for re-keying. SASL mechanisms may. Designers of future SASL provide for re-keying. SASL mechanisms may. Designers of future SASL
mechanisms should consider providing re-keying services. mechanisms should consider providing re-keying services.
Applications that wish to re-key SASL security layers where the Applications that wish to re-key SASL security layers where the
mechanism does not provide for re-keying should reauthenticate the mechanism does not provide for re-keying should reauthenticate the
same IDs and replace the expired or soon-to-expire security layers. same IDs and replace the expired or soon-to-expire security layers.
This approach requires support for reauthentication in the application
protocols (see Section 3.8).
Internet DRAFT SASL 16 February 2005 6.5. Other Considerations
This approach requires support for reauthentication in the
application protocols. See section 6.3.
10. References
10.1. Normative References Unicode security considerations [UTR36] apply to authorization
identity strings, and well as UTF-8 [RFC3629] security considerations
where UTF-8 is used. SASLprep [RFC4013] and StringPrep [RFC3454]
security considerations also apply where used.
[ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax Protocol designers and implementors should understand the security
Specifications: ABNF", RFC 2234, November 1997 considerations of mechanisms so they may select mechanisms which are
applicable to their needs.
[ASCII] American National Standards Institute, "Code Extension Multi-level negotiation of security features is prone to downgrade
Techniques for Use with the 7-bit Coded Character Set of American attack. Protocol designers should avoid offering higher level
National Standard Code (ASCII) for Information Interchange", FIPS PUB negotiation of security features in protocols (e.g., above SASL
35, 1974 mechanism negotiation) and mechanism designers should avoid lower
level negotiation of security features in mechanisms (e.g., below SASL
mechanism negotiation).
[CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and 7. IANA Considerations
Languages", RFC 2277, BCP 18, January 1998
[GSSAPI] Linn, J., "Generic Security Service Application Program 7.1. SASL Mechanism Registry
Interface, Version 2, Update 1", RFC 2743, January 2000
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate SASL mechanism registry is maintained by IANA. The registry is
Requirement Levels", RFC 2119, BCP 19, March 1997 currently available at
<http://www.iana.org/assignments/sasl-mechanisms>.
[Unicode] The Unicode Consortium, "The Unicode Standard, Version 7.1.1. Registration Procedure
3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading,
MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the
"Unicode Standard Annex #27: Unicode 3.1"
(http://www.unicode.org/reports/tr27/) and by the "Unicode Standard
Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).
[Stringprep] Hoffman, P., Blanchet, M., "Preparation of Registration of a SASL mechanism is requested by filling in the
Internationalized Strings ("stringprep")", RFC 3454, December 2002. following template:
[SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names Subject: Registration of SASL mechanism X
and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", Family of SASL mechanisms: (YES or NO)
RFC 3629, STD 63, November 2003.
10.2. Informative References SASL mechanism name (or prefix for the family):
[SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in Security considerations:
progress, draft-ietf-sasl-gssapi-XX.txt, November 2003
[SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest Published specification (recommended):
Internet DRAFT SASL 16 February 2005 Person & email address to contact for further information:
Authentication as a SASL Mechanism", work in progress, draft-ietf- Intended usage: (One of COMMON, LIMITED USE or OBSOLETE)
sasl-rfc2831bis-XX.txt, replaces RFC 2831
[SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC Owner/Change controller:
2444, October 1998.
[SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC Note: (Any other information that the author deems interesting may
2808, April 2000. be added here .)
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April and sending it via electronic mail to <iana@iana.org>.
2001.
[SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication", IANA has the right to reject obviously bogus registrations, but will
RFC 2554, March 1999. perform no review of claims made in the registration form. IANA will
register new values on a First Come First Served basis, as defined in
BCP 64 [RFC2434].
Being revised by Siemborski, R., "SMTP Service Extension for There is no naming convention for SASL mechanisms; any name that
Authentication", work in progress, draft-siemborski-rfc2554bis- conforms to the syntax of a SASL mechanism name can be registered.
XX.txt. However an IETF Standards Track document may reserve a portion of the
SASL mechanism namespace ("family of SASL mechanisms") for its own
use, amending the registration rules for that portion of the
namespace. Each family of SASL mechanisms MUST be identified by a
prefix.
[XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol While the registration procedures do not require expert review,
(XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt. authors of SASL mechanisms are encouraged to seek community review and
comment whenever that is feasible. Authors may seek community review
by posting a specification of their proposed mechanism as an
Internet-Draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate.
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data 7.1.2. Comments on SASL Mechanism Registrations
Encodings", RFC 3548, July 2003.
[RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC Comments on registered SASL mechanisms should first be sent to the
Authors", RFC 2223, October 1997. "owner" of the mechanism and/or to the SASL WG mailing list.
[IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) Submitters of comments may, after a reasonable attempt to contact the
MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms. owner, request IANA to attach their comment to the SASL mechanism
registration itself by sending mail to <iana@iana.org>. At IANA sole
discretion, IANA may attach the comment to the registration SASL
mechanism.
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 7.1.3. Change Control
2246, January 1999.
[IPSec] Kent, S., and R. Atkinson, "Security Architecture for the Once a SASL mechanism registration has been published by IANA, the
Internet Protocol", RFC 2401, November 1998. author may request a change to its definition. The change request
follows the same procedure as the registration request.
[Sec-Glossary] Shirey, R., "Internet Security Glossary", RFC 2828, The owner of a SASL mechanism may pass responsibility for the SASL
May 2000. mechanism to another person or agency by informing IANA; this can be
done without discussion or review.
11. Editor's Address The IESG may reassign responsibility for a SASL mechanism. The most
common case of this will be to enable changes to be made to mechanisms
where the author of the registration has died, moved out of contact or
is otherwise unable to make changes that are important to the
community.
Alexey Melnikov SASL mechanism registrations may not be deleted; mechanisms which are
Isode Limited no longer believed appropriate for use can be declared OBSOLETE by a
5 Castle Business Village change to their "intended usage" field; such SASL mechanisms will be
36 Station Road clearly marked in the lists published by IANA.
Hampton, Middlesex,
Internet DRAFT SASL 16 February 2005 The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track.
TW12 2BX, United Kingdom 7.2. Registration Changes
Email: Alexey.Melnikov@isode.com It is requested that IANA updates the SASL mechanisms registry as
URI: http://www.melnikov.ca/ follows:
12. Acknowledgments 1) Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
registrations to OBSOLETE.
This document is a revision of RFC 2222 written by John G. Myers. He 2) Change the "Published specification" of the EXTERNAL mechanism to
also contributed significantly to this revision. this document as indicated below:
Contributions of many members of the SASL mailing list are gratefully Subject: Updated Registration of SASL mechanism EXTERNAL
acknowledged, in particular that of Kurt Zeilenga, Peter Saint-Andre, Family of SASL mechanisms: NO
Rob Siemborski, Magnus Nystrom, Jeffrey Hutzelman, Hallvard B SASL mechanism name: EXTERNAL
Furuseth, Tony Hansen, Simon Josefsson, Abhijit Menon-Sen, RL 'Bob' Security considerations: See RFC XXXX, section 9.
Morgan, Sam Hartman, Nicolas Williams, Tim Alsop and Luke Howard. Published specification (optional, recommended): RFC XXXX
Person & email address to contact for further information:
Alexey Melnikov <Alexey.Melnikov@isode.com>
Intended usage: COMMON
Owner/Change controller: IESG <iesg@ietf.org>
Note: Updates existing entry for EXTERNAL
Appendix A. Relation of SASL to transport security 8. References
Questions have been raised about the relationship between SASL and [[Note to the RFC Editor: please replace the citation tags used in
various services (such as IPsec and TLS) which provide a secured referencing Internet-Drafts with tags of the form RFCnnnn where
connection. possible.]]
Two of the key features of SASL are: 8.1. Normative References
The separation of the authorization identity from the identity in [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
the client's credentials. This permits agents such as proxy Requirement Levels", BCP 14 (also RFC 2119), March 1997.
servers to authenticate using their own credentials, yet request
the access privileges of the identity for which they are proxying.
Upon successful completion of an authentication exchange, the [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
server knows the authorization identity the client wishes to use. IANA Considerations Section in RFCs", BCP 26 (also RFC
This allows servers to move to a "user is authenticated" state in 2434), October 1998.
the protocol.
These features are extremely important to some application protocols, [RFC2743] Linn, J., "Generic Security Service
yet Transport Security services do not always provide them. To Application Program Interface, Version 2, Update 1", RFC
define SASL mechanisms based on these services would be a very messy 2743, January 2000.
task, as the framing of these services would be redundant with the
framing of SASL and some method of providing these important SASL
features would have to be devised.
Sometimes it is desired to enable within an existing connection the [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
use of a security service which does not fit the SASL model. (TLS is Internationalized Strings ('stringprep')", RFC 3454,
an example of such a service.) This can be done by adding a command, December 2002.
for example "STARTTLS", to the protocol. Such a command is outside
the scope of SASL, and should be different from the command which
starts a SASL authentication protocol exchange.
Internet DRAFT SASL 16 February 2005 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 3629 (also STD 63), November 2003.
In certain situations, it is reasonable to use SASL underneath one of [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
these Transport Security services. The transport service would Names and Passwords", RFC 4013, February 2005.
secure the connection, either service would authenticate the client,
and SASL would negotiate the authorization identity. The SASL
negotiation would be what moves the protocol from "unauthenticated"
to "authenticated" state. The "EXTERNAL" SASL mechanism is
explicitly intended to handle the case where the transport service
secures the connection and authenticates the client and SASL
negotiates the authorization identity.
Appendix B. Changes since RFC 2222 [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", draft-crocker-abnf-rfc2234bis, a
work in progress.
The GSSAPI mechanism was removed. It is now specified in a separate [ASCII] Coded Character Set--7-bit American Standard Code for
document [SASL-GSSAPI]. Information Interchange, ANSI X3.4-1986.
The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has [Unicode] The Unicode Consortium, "The Unicode Standard, Version
been removed. 3.2.0" is defined by "The Unicode Standard, Version 3.0"
(Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
as amended by the "Unicode Standard Annex #27: Unicode
3.1" (http://www.unicode.org/reports/tr27/) and by the
"Unicode Standard Annex #28: Unicode 3.2"
(http://www.unicode.org/reports/tr28/).
The "SKEY" mechanism described in RFC 2222 is obsolete and has been [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
removed. It has been replaced by the OTP mechanism [SASL-OTP]. #17, Character Encoding Model", UTR17,
<http://www.unicode.org/unicode/reports/tr17/>, August
2000.
The introduction has been substantially reorganized and clarified. [Glossary] The Unicode Consortium, "Unicode Glossary",
<http://www.unicode.org/glossary/>.
Clarified the definition and semantics of the authorization identity. 8.2. Informative References
Prohibited the NUL character in authorization identities. [RFC2244] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997.
[RFC2246] Dierks, T. and, C. Allen, "The TLS Protocol Version
1.0", RFC 2246, January 1999.
Added a section on character string issues. [RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 3548, July 2003.
The word "must" in the first paragraph of the "Protocol profile [RFC2401] Kent, S., and R. Atkinson, "Security Architecture for
requirements" section was changed to "MUST". the Internet Protocol", RFC 2401, November 1998.
Specified that protocol profiles SHOULD provide a way for clients to [SASL-GSSAPI] Melnikov, A. (Editor), "SASL GSSAPI mechanisms",
discover available SASL mechanisms. draft-ietf-sasl-gssapi-XX.txt, a work in progress.
Made the requirement that protocol profiles specify the semantics of [UTR36] Davis, M., "(Draft) Unicode Technical
the authorization identity optional to the protocol profile. Report #36, Character Encoding Model", UTR17,
Clarified that such a specification is a refinement of the definition <http://www.unicode.org/unicode/reports/tr36/>, February
in the base SASL spec. 2005.
Added a requirement discouraging protocol profiles from breaking the 9. Editors' Address
separation between protocol and mechanism.
Mentioned that standards track documents may carve out their own Alexey Melnikov
portions of the SASL mechanism namespace and may amend registration Isode Limited
rules for the portion. However registration of individual SASL 5 Castle Business Village
mechanisms is still required. 36 Station Road
Hampton, Middlesex,
TW12 2BX, United Kingdom
Internet DRAFT SASL 16 February 2005 Email: Alexey.Melnikov@isode.com
URI: http://www.melnikov.ca/
Clarified that authorization identity should be encoded in UTF-8. Kurt D. Zeilenga
OpenLDAP Foundation
Specified that the authorization identity in the EXTERNAL mechanism Email: Kurt@OpenLDAP.org
is encoded in UTF-8.
Added a statement that a protocol profile SHOULD allow challenge data 10. Acknowledgments
to be sent with a success indication.
Added a security consideration for the EXTERNAL mechanism. This document is a revision of RFC 2222 written by John Myers.
Clarified sections concerning success with additional data. This revision is a product of the IETF Simple Authentication and
Security Layer (SASL) Working Group.
Cleaned up IANA considerations/registrations and assembled them in The following individuals contributed significantly to this revision:
one place. Abhijit Menon-Sen, Hallvard B Furuseth, Jeffrey Hutzelman, John Myers,
Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim Alsop,
and Tony Hansen.
Updated references and split them into Informative and Normative. Appendix A. The SASL EXTERNAL Mechanism
Added text to the Security considerations section regarding handling This appendix is normative.
of extremely large SASL blocks.
Added text about SASLprep for authentication identities and The EXTERNAL mechanism allows a client to request the server use
passwords. Described where SASLprep preparation should take place. credentials established by means external to the mechanism to
authenticate the client. The external means may be, for instance, IP
Security [RFC2401] or TLS [RFC2246] services. In absence of some
apriori agreement between the client and the server, the client cannot
make any assumption as to what external means the server has used to
obtain the client's credentials, nor make an assumption as to the form
of credentials. For example, the client cannot assume the server will
use the credentials the client has established via TLS.
Added paragraph about verifying authorization identities. A.1. EXTERNAL Technical Specification
Added a protocol profile requirement to specify interaction between The name of this mechanism is "EXTERNAL".
SASL and TLS security layers.
Added a protocol profile requirement to specify if it supports The mechanism does not provide a security layer.
reauthentication.
Removed the text that seemed to suggest that SASL security layer must The mechanism is capable of transferring an authorization identity
not be used when TLS is available. string. If empty, the client is requesting to act as the identity the
server has associated with the client's credentials. If non-empty,
the client is requesting to act as the identity represented by the
string.
Created two subsections in 3.2 to talk separately about proxy The client is expected to send data first in the authentication
authorization and format of the authorization identities. exchange. Where the client does not provide an initial response data
in its request to initiate the authentication exchange, the server is
to respond to the request with an empty initial challenge and then the
client is to provide its initial response.
Made requirement to verify that an authorization identity is correct The client sends the initial response containing the UTF-8 [RFC3629]
by performing SASLprep. encoding of the requested authorization identity string. This
response is non-empty when the client is requesting to act as identity
represented by the (non-empty) string. This response is empty when
the client is requesting to act as the identity the server associated
with its authentication credentials.
Clarified that each SASL mechanism must decide where SASLprep is The syntax of the initial response is specified as a value of the
taking place. <extern-initial-resp> production detailed below using the Augmented
Backus-Naur Form (ABNF) [RFC2234] notation.
Added 4 new examples for initial response and additional data with external-initial-resp = authz-id-string
success. authz-id-string = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
UTF8-1-no-nul = %x01-7F
Added text on checking the list of available SASL mechanisms after where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined
negotiating a security layer. in [RFC3629].
Internet DRAFT SASL 16 February 2005 There are no additional challenges and responses.
Added definition of "integrity protection" and "confidentiality Hence, the server is to return the outcome of the authentication
protection". exchange.
Added warning about negotiating no layer once a security layer is The exchange fails if
negotiated. - the client has not established its credentials via external means,
- the client's credentials are inadequate,
- The client provided an empty authorization identity string and the
server unwilling or unable to associate an authorization identity
with the clients credentials,
- The client provided a non-empty authorization identity string which
is invalid per the syntax requirements of the applicable application
protocol specification,
- The client provided a non-empty authorization identity string
representing an identity which the client is not allowed to act as,
or
- the server is unwilling or unable to provide service to the client
for any other reason.
Added new section with guidelines to a SASL mechanism designer. Otherwise the exchange is successful. When indicating a successful
outcome, additional data is not provided.
Added a requirement to specify how an empty initial challenge is A.2. SASL EXTERNAL Examples
encoded if initial response is supported by a protocol.
Clarified that empty "additional data with success" is not allowed. This section provides examples of EXTERNAL authentication exchanges.
The examples are intended to help the readers under the above text.
The examples are not definitive. The Application Configuration
Access Protocol (ACAP) [RFC2244] is used in the examples.
Replaced "buffers of cipher-text" with "buffers of protected data" The first example shows use of EXTERNAL with an empty authorization
for clarity. identity. In this example, the initial response is not sent the
client's request to initiate authentication exchange.
Clarified that SASL EXTERNAL can be used even with SASL profiles that S: * ACAP (SASL "DIGEST-MD5")
don't support initial client response. C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL"
S: + ""
C: + ""
S: a002 OK "Authenticated"
Changed "authentication protocol exchange" to "authentication In second example shows use of EXTERNAL with an authorization identity
exchange" everywhere. of "fred@example.com". In this example, the initial response is sent
with the clients request to initiate the authentication exchange.
This saves a round-trip.
Added some text about re-keying and other services that can be S: * ACAP (SASL "DIGEST-MD5")
provided by a security layer. C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" {16+}
C: fred@example.com
S: a002 NO "Cannot assume requested authorization identity"
Appendix C. Full Copyright Statement and Intellectual Property Statement A.3. Security Considerations
Full Copyright Statement The EXTERNAL mechanism provides no security protection; it is
vulnerable to spoofing by either client or server, active attack, and
eavesdropping. It should only be used when adequate security services
have been established.
Copyright (C) The Internet Society (2004). This document is subject Appendix B. Changes since RFC 2222
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and translations of it may be copied and furnished to This appendix is non-normative.
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
Internet DRAFT SASL 16 February 2005 The material in RFC 2222 was significantly rewritten in the production
of this document.
The limited permissions granted above are perpetual and will not be RFC 2222, by not stating the authorization identity string was a
revoked by the Internet Society or its successors or assigns. string of Unicode characters, let alone character data, implied the
authorization identity string was a string of octets.
This document and the information contained herein are provided on an - The authorization identity string is now defined as a string of
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS Unicode characters. The NUL (U+0000) is prohibited. While protocol
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET specifications are responsible for defining the authorization
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, identity form, as well as the Unicode string syntax and related
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE semantics, mechanism specifications are responsible for defining how
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED the Unicode string is carried in the authentication exchange.
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement The following technical change was made to the EXTERNAL mechanism:
Funding for the RFC Editor function is currently provided by the - The authorization identity string is to be UTF-8 encoded.
Internet Society.
Intellectual Property It is noted that protocol and mechanism specification requirements
have been significant tightened. Existing protocol and mechanism
specifications will need to be updated to meet these requirements.
Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be found
found in BCP 78 and BCP 79. in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this specification
specification can be obtained from the IETF on-line IPR repository at can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at
ipr@ietf.org. ietf-ipr@ietf.org.
Internet DRAFT SASL 16 February 2005 Full Copyright
Status of this Memo .......................................... i Copyright (C) The Internet Society (2005). This document is subject
Abstract ..................................................... 2 to the rights, licenses and restrictions contained in BCP 78, and
1. Conventions used in this document ........................ 2 except as set forth therein, the authors retain all their rights.
2. Introduction ........................................... 2
2.1. Relationship to other documents ........................ 4 This document and the information contained herein are provided on an
3. Authentication mechanisms .............................. 5 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
3.1. Authentication Exchange ................................ 5 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
3.2. Identity Concepts ...................................... 6 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
3.2.1. Authorization identities and proxy authentication .... 7 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
3.2.2. Authorization Identity Format ........................ 7 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
3.3. Security layers ........................................ 8 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
4. Protocol profile requirements .......................... 9
5. Mechanism profile guidelines .......................... 10
6. Specific issues ....................................... 12
6.1. Client sends data first ............................... 12
6.1.1. Client sends data first examples .................... 12
6.2. Server returns success with additional data ........... 13
6.2.1. Server returns success with additional data examples. 14
6.3. Multiple authentications .............................. 15
7. The EXTERNAL mechanism ................................ 16
7.1. Formal syntax ......................................... 16
7.2. Examples of SASL EXTERNAL ............................. 17
8. IANA Considerations ................................... 18
8.1. Guidelines for IANA ................................... 18
8.2. Registration procedure ................................ 18
8.3. Comments on SASL mechanism registrations .............. 18
8.4. Change control ........................................ 19
8.5. Registration template ................................. 19
8.6. The EXTERNAL mechanism registration ................... 20
9. Security considerations ................................ 20
9.1. Re-keying ............................................. 22
10. References ........................................... 23
10.1. Normative References ................................. 23
10.2. Informative References ............................... 23
11. Editor's Address ...................................... 24
12. Acknowledgments ....................................... 25
Appendix A. Relation of SASL to transport security .......... 25
Appendix B. Changes since RFC 2222 .......................... 26
Appendix C. Full Copyright Statement and Intellectual
Property Statement .............................. 28
Full Copyright Statement .................................... 28
Intellectual Property ....................................... 29
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/