draft SASL base spec
John Gardiner Myers <jgmyers@netscape.com> Wed, 21 March 2001 03:36 UTC
Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id TAA05458 for ietf-sasl-bks; Tue, 20 Mar 2001 19:36:15 -0800 (PST)
Received: from netscape.com (c3po.netscape.com [205.217.237.46]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA05454 for <ietf-sasl@imc.org>; Tue, 20 Mar 2001 19:36:14 -0800 (PST)
Received: from continuity.mcom.com (continuity.mcom.com [205.217.237.112]) by netscape.com (8.10.0/8.10.0) with ESMTP id f2L3aJf07849 for <ietf-sasl@imc.org>; Tue, 20 Mar 2001 19:36:19 -0800 (PST)
Received: from continuity.mcom.com (localhost [127.0.0.1]) by continuity.mcom.com (980427.SGI.8.8.8/8.8.5) with SMTP id TAA26870 for <ietf-sasl@imc.org>; Tue, 20 Mar 2001 19:36:21 -0800 (PST)
To: ietf-sasl@imc.org
Path: not-for-mail
From: John Gardiner Myers <jgmyers@netscape.com>
Newsgroups: mcom.list.ietf-sasl
Subject: draft SASL base spec
Date: Tue, 20 Mar 2001 19:36:20 -0800
Organization: Netscape Communications Corporation
Lines: 726
Message-ID: <3AB821B4.3146BC30@netscape.com>
NNTP-Posting-Host: 205.217.228.111
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------msC55EE4501A074326084C5735"
X-Mailer: Mozilla 4.74 [en] (WinNT; U)
X-Accept-Language: en
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Network Working Group J. Myers
Internet Draft March 2001
Document: draft-myers-saslrev-XX.txt
Simple Authentication and Security Layer (SASL)
Status of this Memo
This document is an Internet Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
Internet Drafts are working documents of the Internet Engineering
Task Force (IETF), its Areas, and its Working Groups. Note that
other groups may also distribute working documents as Internet
Drafts. Internet Drafts are draft documents valid for a maximum of
six months. Internet Drafts may be updated, replaced, or obsoleted
by other documents at any time. It is not appropriate to use
Internet Drafts as reference material or to cite them other than as
``work in progress''.
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu, or
munnari.oz.au.
A revised version of this draft document will be submitted to the RFC
editor as a Draft Standard for the Internet Community. Discussion
and suggestions for improvement are requested. Distribution of this
draft is unlimited.
J. Myers [Page i]
Internet DRAFT SASL March 19, 2001
1. Abstract
This document describes a method for adding authentication support to
connection-based protocols. To use this specification, a protocol
includes a command for identifying and authenticating a user to a
server and for optionally negotiating protection of subsequent
protocol interactions. If its use is negotiated, a security layer is
inserted between the protocol and the connection. This document
describes how a protocol specifies such a command, defines several
mechanisms for use by the command, and defines the protocol used for
carrying a negotiated security layer over the connection.
2. Organization of this document
2.1. How to read this document
This document is written to serve two different audiences, protocol
designers using this specification to support authentication in their
protocol, and implementors of clients or servers for those protocols
using this specification.
The sections "Overview", "Authentication Mechanisms", "Protocol
Profile Requirements", "Specific Issues", and "Security
Considerations" cover issues that protocol designers need to
understand and address in profiling this specification for use in a
specific protocol.
Implementors of a protocol using this specification need the
protocol-specific profiling information in addition to the
information in this document.
2.2. Conventions used in this document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS].
2.3. Examples
Examples in this document are for the IMAP profile [IMAP4] of this
specification. The base64 encoding of challenges and responses, as
well as the "+ " preceding the responses are part of the IMAP4
profile, not part of the SASL specification itself.
J. Myers [Page 2]
Internet DRAFT SASL March 19, 2001
3. Overview
The Simple Authentication and Security Layer (SASL) is a method for
adding authentication support to connection-based protocols.
The SASL specification has three layers, as indicated in the diagram
below. At the top, a protocol definition using SASL specifies a
profile, including a command for identifying and authenticating a
user to a server and for optionally negotiating a security layer for
subsequent protocol interactions. At the bottom, a SASL mechanism
definition specifies an authentication mechanism. The SASL
framework, specified by this document, constrains the behavior of
protocol profiles and mechanisms, separating protocol from mechanism
and defining how they interact.
SMTP Protocol LDAP Protocol Etc
Profile Profile . . .
\----- | -----/
\ | /
SASL framework
/ | \
/----- | -----\
EXTERNAL DIGEST-MD5 Etc
SASL mechanism SASL mechanism . . .
This separation between the definition of protocols and the
definition of authentication mechanisms is crucial. It permits an
authentication mechanism to be defined once, making it usable by any
SASL protocol profiles. In many implementations, the same SASL
mechanism code is used for multiple protocols.
4. Authentication mechanisms
SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of upper-case letters, digits, hyphens, and/or
underscores. SASL mechanism names must be registered with the IANA.
Procedures for registering new SASL mechanisms are given in the
section "Registration procedures"
4.1. Authentication protocol exchange
A SASL mechanism is responsible for conducting an authentication
protocol exchange. This consists of a series of server challenges
and client responses, the contents of which are specific to and
defined by the mechanism. To the protocol, the challenges and
responses are opaque binary tokens of arbitrary length. The
protocol's profile then specifies how these binary tokens are then
encoded for transfer over the connection.
J. Myers [Page 3]
Internet DRAFT SASL March 19, 2001
After receiving an authentication command or any client response, a
server mechanism may issue a challenge, indicate failure, or indicate
completion. The protocol's profile specifies how each of these is
then represented over the connection.
After receiving a challenge, a client mechanism may issue a response
or abort the exchange. The protocol's profile specifies how each of
these is then represented over the connection.
During the authentication protocol exchange, the mechanism performs
authentication, transmits an authorization identity (frequently known
as a userid) from the client to server, and negotiates the use of a
mechanism-specific security layer. If the use of a security layer is
agreed upon, then the mechanism must also define or negotiate the
maximum security layer buffer size that each side is able to receive.
4.2. Proxy authentication
The authorization identity transmitted during the authentication
protocol exchange may be different than the identity derived from the
client's authentication credentials. When the two are different,
this is typically referred to as "proxy authentication". The
identity derived from the client's authentication credentials is
known as the "authentication identity".
This feature permits agents such as proxy servers to authenticate
using their own credentials, yet request the access privileges of the
identity for which they are proxying. With any mechanism,
transmitting an authorization identity of the empty string directs
the server to derive an authorization identity from the client's
authentication identity.
4.3. Security layers
If use of a security layer is negotiated by the authentication
protocol exchange, the security layer is applied to all subsequent
data sent over the connection. The security layer takes effect
immediately following the last response of the authentication
exchange for data sent by the client and the completion indication
for data sent by the server.
Once the security layer is in effect, the protocol stream is
processed by the security layer into buffers of security encoded
data. Each buffer of security encoded data is transferred over the
connection as a stream of octets prepended with a four octet field in
network byte order that represents the length of the following
buffer. The length of the security encoded data buffer must be no
larger than the maximum size that was either defined in the mechanism
J. Myers [Page 4]
Internet DRAFT SASL March 19, 2001
specification or negotiated by the other side during the
authentication protocol exchange.
5. Protocol profile requirements
In order to use this specification, a protocol definition must supply
the following information:
1. A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form. [GSSAPI]
This service name is made available to the authentication
mechanism.
2. A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the name
of the mechanism being selected by the client.
The command SHOULD have an optional parameter giving an initial
response. This optional parameter allows the client to avoid a
round trip when using a mechanism which is defined to have the
client send data first. When this initial response is sent by the
client and the selected mechanism is defined to have the server
start with an initial challenge, the command fails. See section
6.1 of this document for further information.
3. A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and
responses are encoded, how the server indicates completion or
failure of the exchange, how the client aborts an exchange, and
how the exchange method interacts with any line length limits in
the protocol.
4. Identification of the octet where any negotiated security layer
starts to take effect, in both directions.
5. A specification of how the authorization identity passed from the
client to the server is to be interpreted.
6. Specific issues
6.1. Client sends data first
Some mechanisms specify that the first data sent in the
authentication protocol exchange is from the client to the server.
If a protocol's profile permits the command which initiates an
authentication protocol exchange to contain an initial client
J. Myers [Page 5]
Internet DRAFT SASL March 19, 2001
response, this parameter SHOULD be used with such mechanisms.
If the initial client response parameter is not given, or if a
protocol's profile does not permit the command which initiates an
authentication protocol exchange to contain an initial client
response, then the server issues a challenge with no data. The
client's response to this challenge is then used as the initial
client response. (The server then proceeds to send the next
challenge, indicates completion, or indicates failure.)
6.2. Server returns success with additional data
Some mechanisms may specify that server challenge data be sent to the
client along with an indication of successful completion of the
exchange. This data would, for example, authenticate the server to
the client.
If a protocol's profile does not permit this server challenge to be
returned with a success indication, then the server issues the server
challenge without an indication of successful completion. The client
then responds with no data. After receiving this empty response, the
server then indicates successful completion.
6.3. Multiple authentications
Unless otherwise stated by the protocol's profile, only one
successful SASL negotiation may occur in a protocol session. In this
case, once an authentication protocol exchange has successfully
completed, further attempts to initiate an authentication protocol
exchange fail.
In the case that a profile explicitly permits multiple successful
SASL negotiations to occur, then in no case may multiple security
layers be simultaneously in effect. If a security layer is in effect
and a subsequent SASL negotiation selects no security layer, the
original security layer remains in effect. If a security layer is in
effect and a subsequent SASL negotiation selects a second security
layer, then the second security layer replaces the first.
7. Registration procedures
Registration of a SASL mechanism is done by filling in the template
in section 7.4 and sending it in to iana@isi.edu. IANA has the right
to reject obviously bogus registrations, but will perform no review
of clams made in the registration form.
There is no naming convention for SASL mechanisms; any name that
conforms to the syntax of a SASL mechanism name can be registered.
J. Myers [Page 6]
Internet DRAFT SASL March 19, 2001
While the registration procedures do not require it, authors of SASL
mechanisms are encouraged to seek community review and comment
whenever that is feasible. Authors may seek community review by
posting a specification of their proposed mechanism as an internet-
draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate.
7.1. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms should first be sent to the
"owner" of the mechanism. Submitters of comments may, after a
reasonable attempt to contact the owner, request IANA to attach their
comment to the SASL mechanism registration itself. If IANA approves
of this the comment will be made accessible in conjunction with the
SASL mechanism registration itself.
7.2. Location of registered SASL mechanism list
SASL mechanism registrations will be posted in the anonymous FTP
directory
"ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-mechanisms/" and
all registered SASL mechanisms will be listed in the periodically
issued "Assigned Numbers" RFC [currently RFC-1700]. The SASL
mechanism description and other supporting material may also be
published as an Informational RFC by sending it to
"rfc-editor@isi.edu" (please follow the instructions to RFC authors
[RFC-1543]).
7.3. Change control
Once a SASL mechanism registration has been published by IANA, the
author may request a change to its definition. The change request
follows the same procedure as the registration request.
The owner of a SASL mechanism may pass responsibility for the SASL
mechanism to another person or agency by informing IANA; this can be
done without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most
common case of this will be to enable changes to be made to
mechanisms where the author of the registration has died, moved out
of contact or is otherwise unable to make changes that are important
to the community.
SASL mechanism registrations may not be deleted; mechanisms which are
no longer believed appropriate for use can be declared OBSOLETE by a
change to their "intended use" field; such SASL mechanisms will be
clearly marked in the lists published by IANA.
J. Myers [Page 7]
Internet DRAFT SASL March 19, 2001
The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track.
7.4. Registration template
To: iana@isi.edu
Subject: Registration of SASL mechanism X
SASL mechanism name:
Security considerations:
Published specification (optional, recommended):
Person & email address to contact for further information:
Intended usage:
(One of COMMON, LIMITED USE or OBSOLETE)
Owner/Change controller:
(Any other information that the author deems interesting may be
added below this line.)
8. The external mechanism
The mechanism name associated with external authentication is
"EXTERNAL".
The client sends an initial response with the authorization identity.
The server uses information, external to SASL, to determine whether
the client is authorized to authenticate as the authorization
identity. If the client is so authorized, the server indicates
successful completion of the authentication exchange; otherwise the
server indicates failure.
The system providing this external information may be, for example,
IPsec or TLS.
If the client sends the empty string as the authorization identity
(thus requesting the authorization identity be derived from the
client's authentication credentials), the authorization identity is
to be derived from authentication credentials which exist in the
system which is providing the external authentication.
J. Myers [Page 8]
Internet DRAFT SASL March 19, 2001
9. References
[IMAP4] Crispin, M., "Internet Message Access Protocol - Version 4",
RFC 1730, University of Washington, December 1994.
[GSSAPI] Linn, J., "Generic Security Service Application Program
Interface, Version 2", RFC 2078, January 1997
[KEYWORDS] Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997
[RFC-1543] Postel, J., "Instructions to RFC Authors", RFC 1543,
October 1993
[SASL-GSSAPI] Myers, J., "SASL GSSAPI mechanisms", draft-ietf-cat-
sasl-gssapi-XX.txt, September 2000
[SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
2444, October 1998
10. Security considerations
Security issues are discussed throughout this memo.
The mechanisms that support integrity protection are designed such
that the negotiation of the security layer and authorization identity
is integrity protected. When the client selects a security layer
with at least integrity protection, this protects against an active
attacker hijacking the connection and modifying the authentication
exchange to negotiate a plaintext connection.
When a server or client supports multiple authentication mechanisms,
each of which has a different security strength, it is possible for
an active attacker to cause a party to use the least secure mechanism
supported. To protect against this sort of attack, a client or
server which supports mechanisms of different strengths should have a
configurable minimum strength that it will use. It is not sufficient
for this minimum strength check to only be on the server, since an
active attacker can change which mechanisms the client sees as being
supported, causing the client to send authentication credentials for
its weakest supported mechanism.
The client's selection of a SASL mechanism is done in the clear and
may be modified by an active attacker. It is important for any new
SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses.
J. Myers [Page 9]
Internet DRAFT SASL March 19, 2001
Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete.
11. Author's address
John G. Myers
Netscape Communications
501 E. Middlefield Road
Mail Stop SCA 15:201
Mountain View, CA 94043-4042
Email: jgmyers@netscape.com
Appendix A. Relation of SASL to transport security
Questions have been raised about the relationship between SASL and
various services (such as IPsec and TLS) which provide a secured
connection.
Two of the key features of SASL are:
1. The separation of the authorization identity from the identity in
the client's credentials. This permits agents such as proxy
servers to authenticate using their own credentials, yet request
the access privileges of the identity for which they are proxying.
2. Upon successful completion of an authentication exchange, the
server knows the authorization identity the client wishes to use.
This allows servers to move to a "user is authenticated" state in
the protocol.
These features are extremely important to some application protocols,
yet Transport Security services do not always provide them. To
define SASL mechanisms based on these services would be a very messy
task, as the framing of these services would be redundant with the
framing of SASL and some method of providing these important SASL
features would have to be devised.
Sometimes it is desired to enable within an existing connection the
use of a security service which does not fit the SASL model. (TLS is
an example of such a service.) This can be done by adding a command,
for example "STARTTLS", to the protocol. Such a command is outside
J. Myers [Page 10]
Internet DRAFT SASL March 19, 2001
the scope of SASL, and should be different from the command which
starts a SASL authentication protocol exchange.
In certain situations, it is reasonable to use SASL underneath one of
these Transport Security services. The transport service would
secure the connection, either service would authenticate the client,
and SASL would negotiate the authorization identity. The SASL
negotiation would be what moves the protocol from "unauthenticated"
to "authenticated" state. The "EXTERNAL" SASL mechanism is
explicitly intended to handle the case where the transport service
secures the connection and authenticates the client and SASL
negotiates the authorization identity.
When using SASL underneath a sufficiently strong Transport Security
service, a SASL security layer would most likely be redundant. The
client and server would thus probably want to negotiate off the use
of a SASL security layer.
Appendix B. IANA considerations
The IANA is directed to modify the SASL mechanisms registry as
follows:
1. Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
registrations to OBSOLETE.
2. Change the "Published specification" of the EXTERNAL mechanism to
this document.
Appendix C. Changes since RFC 2222
The GSSAPI mechanism was removed. It is now specified in a separate
document [SASL-GSSAPI].
The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has
been removed.
The "SKEY" mechanism described in RFC 2222 is obsolete and has been
removed. It has been replaced by the OTP mechanism [SASL-OTP].
The overview has been substantially reorganized and clarified.
J. Myers [Page 11]
Internet DRAFT SASL March 19, 2001
Table of Contents
Status of this Memo ............................................... i
1. Abstract .................................................... 2
2. Organization of this document ............................... 2
2.1. How to read this document ................................... 2
2.2. Conventions used in this document ........................... 2
2.3. Examples .................................................... 2
3. Overview .................................................... 3
4. Authentication mechanisms ................................... 3
4.1. Authentication protocol exchange ............................ 3
4.2. Proxy authentication ........................................ 4
4.3. Security layers ............................................. 4
5. Protocol profile requirements ............................... 5
6. Specific issues ............................................. 5
6.1. Client sends data first ..................................... 5
6.2. Server returns success with additional data ................. 6
6.3. Multiple authentications .................................... 6
7. Registration procedures ..................................... 6
7.1. Comments on SASL mechanism registrations .................... 7
7.2. Location of registered SASL mechanism list .................. 7
7.3. Change control .............................................. 7
7.4. Registration template ....................................... 8
8. The external mechanism ...................................... 8
9. References .................................................. 9
10. Security considerations ..................................... 9
11. Author's address ............................................ 10
Appendix A. Relation of SASL to transport security ................ 10
Appendix B. IANA considerations ................................... 11
Appendix C. Changes since RFC 2222 ................................ 11
J. Myers [Page ii]
- draft SASL base spec John Gardiner Myers
- Re: draft SASL base spec Kurt D. Zeilenga
- Re: draft SASL base spec John Gardiner Myers