mirror of
https://github.com/uw-imap/imap.git
synced 2024-11-16 10:28:23 +01:00
22f316e36d
MD5 2126fd125ea26b73b20f01fcd5940369
1852 lines
72 KiB
Plaintext
1852 lines
72 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group A. Melnikov, Ed.
|
||
Request for Comments: 4422 Isode Limited
|
||
Obsoletes: 2222 K. Zeilenga, Ed.
|
||
Category: Standards Track OpenLDAP Foundation
|
||
June 2006
|
||
|
||
|
||
Simple Authentication and Security Layer (SASL)
|
||
|
||
Status of This Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
Abstract
|
||
|
||
The Simple Authentication and Security Layer (SASL) is a framework
|
||
for providing authentication and data security services in
|
||
connection-oriented protocols via replaceable mechanisms. It
|
||
provides a structured interface between protocols and mechanisms.
|
||
The resulting framework allows new protocols to reuse existing
|
||
mechanisms and allows old protocols to make use of new mechanisms.
|
||
The framework also provides a protocol for securing subsequent
|
||
protocol exchanges within a data security layer.
|
||
|
||
This document describes how a SASL mechanism is structured, describes
|
||
how protocols include support for SASL, and defines the protocol for
|
||
carrying a data security layer over a connection. In addition, this
|
||
document defines one SASL mechanism, the EXTERNAL mechanism.
|
||
|
||
This document obsoletes RFC 2222.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 1]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction ....................................................3
|
||
1.1. Document Audiences .........................................4
|
||
1.2. Relationship to Other Documents ............................4
|
||
1.3. Conventions ................................................5
|
||
2. Identity Concepts ...............................................5
|
||
3. The Authentication Exchange .....................................6
|
||
3.1. Mechanism Naming ...........................................8
|
||
3.2. Mechanism Negotiation ......................................9
|
||
3.3. Request Authentication Exchange ............................9
|
||
3.4. Challenges and Responses ...................................9
|
||
3.4.1. Authorization Identity String ......................10
|
||
3.5. Aborting Authentication Exchanges .........................10
|
||
3.6. Authentication Outcome ....................................11
|
||
3.7. Security Layers ...........................................12
|
||
3.8. Multiple Authentications ..................................12
|
||
4. Protocol Requirements ..........................................13
|
||
5. Mechanism Requirements .........................................16
|
||
6. Security Considerations ........................................18
|
||
6.1. Active Attacks ............................................19
|
||
6.1.1. Hijack Attacks .....................................19
|
||
6.1.2. Downgrade Attacks ..................................19
|
||
6.1.3. Replay Attacks .....................................20
|
||
6.1.4. Truncation Attacks .................................20
|
||
6.1.5. Other Active Attacks ...............................20
|
||
6.2. Passive Attacks ...........................................20
|
||
6.3. Re-keying .................................................21
|
||
6.4. Other Considerations ......................................21
|
||
7. IANA Considerations ............................................22
|
||
7.1. SASL Mechanism Registry ...................................22
|
||
7.2. Registration Changes ......................................26
|
||
8. References .....................................................26
|
||
8.1. Normative References ......................................26
|
||
8.2. Informative References ....................................27
|
||
9. Acknowledgements ...............................................28
|
||
Appendix A. The SASL EXTERNAL Mechanism ..........................29
|
||
A.1. EXTERNAL Technical Specification ..........................29
|
||
A.2. SASL EXTERNAL Examples ....................................30
|
||
A.3. Security Considerations ...................................31
|
||
Appendix B. Changes since RFC 2222 ...............................31
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 2]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
1. Introduction
|
||
|
||
The Simple Authentication and Security Layer (SASL) is a framework
|
||
for providing authentication and data security services in
|
||
connection-oriented protocols via replaceable mechanisms. SASL
|
||
provides a structured interface between protocols and mechanisms.
|
||
SASL also provides a protocol for securing subsequent protocol
|
||
exchanges within a data security layer. The data security layer can
|
||
provide data integrity, data confidentiality, and other services.
|
||
|
||
SASL's design is intended to allow new protocols to reuse existing
|
||
mechanisms without requiring redesign of the mechanisms and allows
|
||
existing protocols to make use of new mechanisms without redesign of
|
||
protocols.
|
||
|
||
SASL is conceptually a framework that provides an abstraction layer
|
||
between protocols and mechanisms as illustrated in the following
|
||
diagram.
|
||
|
||
SMTP LDAP XMPP Other protocols ...
|
||
\ | | /
|
||
\ | | /
|
||
SASL abstraction layer
|
||
/ | | \
|
||
/ | | \
|
||
EXTERNAL GSSAPI PLAIN Other mechanisms ...
|
||
|
||
It is through the interfaces of this abstraction layer that the
|
||
framework allows any protocol to utilize any mechanism. While this
|
||
layer does generally hide the particulars of protocols from
|
||
mechanisms and the particulars of mechanisms from protocols, this
|
||
layer does not generally hide the particulars of mechanisms from
|
||
protocol implementations. For example, different mechanisms require
|
||
different information to operate, some of them use password-based
|
||
authentication, some of then require realm information, others make
|
||
use of Kerberos tickets, certificates, etc. Also, in order to
|
||
perform authorization, server implementations generally have to
|
||
implement identity mapping between authentication identities, whose
|
||
form is mechanism specific, and authorization identities, whose form
|
||
is application protocol specific. Section 2 discusses identity
|
||
concepts.
|
||
|
||
It is possible to design and implement this framework in ways that do
|
||
abstract away particulars of similar mechanisms. Such a framework
|
||
implementation, as well as mechanisms implementations, could be
|
||
designed not only to be shared by multiple implementations of a
|
||
particular protocol but to be shared by implementations of multiple
|
||
protocols.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 3]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
The framework incorporates interfaces with both protocols and
|
||
mechanisms in which authentication exchanges are carried out.
|
||
Section 3 discusses SASL authentication exchanges.
|
||
|
||
To use SASL, each protocol (amongst other items) provides a method
|
||
for identifying which mechanism is to be used, a method for exchange
|
||
of mechanism-specific server-challenges and client-responses, and a
|
||
method for communicating the outcome of the authentication exchange.
|
||
Section 4 discusses SASL protocol requirements.
|
||
|
||
Each SASL mechanism defines (amongst other items) a series of
|
||
server-challenges and client-responses that provide authentication
|
||
services and negotiate data security services. Section 5 discusses
|
||
SASL mechanism requirements.
|
||
|
||
Section 6 discusses security considerations. Section 7 discusses
|
||
IANA considerations. Appendix A defines the SASL EXTERNAL mechanism.
|
||
|
||
1.1. Document Audiences
|
||
|
||
This document is written to serve several different audiences:
|
||
|
||
- protocol designers using this specification to support
|
||
authentication in their protocol,
|
||
|
||
- mechanism designers that define new SASL mechanisms, and
|
||
|
||
- implementors of clients or servers for those protocols that
|
||
support SASL.
|
||
|
||
While the document organization is intended to allow readers to focus
|
||
on details relevant to their engineering, readers are encouraged to
|
||
read and understand all aspects of this document.
|
||
|
||
1.2. Relationship to Other Documents
|
||
|
||
This document obsoletes RFC 2222. It replaces all portions of RFC
|
||
2222 excepting sections 7.1 (the KERBEROS_IV mechanism), 7.2 (the
|
||
GSSAPI mechanism), 7.3 (the SKEY mechanism). The KERBEROS_IV and
|
||
SKEY mechanisms are now viewed as obsolete and their specifications
|
||
provided in RFC 2222 are Historic. The GSSAPI mechanism is now
|
||
separately specified [SASL-GSSAPI].
|
||
|
||
Appendix B provides a summary of changes since RFC 2222.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 4]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
1.3. Conventions
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in BCP 14 [RFC2119].
|
||
|
||
Character names in this document use the notation for code points and
|
||
names from the Unicode Standard [Unicode]. For example, the letter
|
||
"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.
|
||
|
||
Note: a glossary of terms used in Unicode can be found in [Glossary].
|
||
Information on the Unicode character encoding model can be found in
|
||
[CharModel].
|
||
|
||
In examples, "C:" and "S:" indicate lines of data to be sent by the
|
||
client and server, respectively. Lines have been wrapped for
|
||
improved readability.
|
||
|
||
2. Identity Concepts
|
||
|
||
In practice, authentication and authorization may involve multiple
|
||
identities, possibly in different forms (simple username, Kerberos
|
||
principal, X.500 Distinguished Name, etc.), possibly with different
|
||
representations (e.g., ABNF-described UTF-8 encoded Unicode character
|
||
string, BER-encoded Distinguished Name). While technical
|
||
specifications often prescribe both the identity form and
|
||
representation used on the network, different identity forms and/or
|
||
representations may be (and often are) used within implementations.
|
||
How identities of different forms relate to each other is, generally,
|
||
a local matter. In addition, the forms and representations used
|
||
within an implementation are a local matter.
|
||
|
||
However, conceptually, the SASL framework involves two identities:
|
||
|
||
1) an identity associated with the authentication credentials
|
||
(termed the authentication identity), and
|
||
|
||
2) an identity to act as (termed the authorization identity).
|
||
|
||
SASL mechanism specifications describe the credential form(s) (e.g.,
|
||
X.509 certificates, Kerberos tickets, simple username/password) used
|
||
to authenticate the client, including (where appropriate) the syntax
|
||
and semantics of authentication identities carried in the
|
||
credentials. SASL protocol specifications describe the identity
|
||
form(s) used in authorization and, in particular, prescribe the
|
||
syntax and semantics of the authorization identity character string
|
||
to be transferred by mechanisms.
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 5]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
The client provides its credentials (which include or imply an
|
||
authentication identity) and, optionally, a character string
|
||
representing the requested authorization identity as part of the SASL
|
||
exchange. When this character string is omitted or empty, the client
|
||
is requesting to act as the identity associated with the credentials
|
||
(e.g., the user is requesting to act as the authentication identity).
|
||
|
||
The server is responsible for verifying the client's credentials and
|
||
verifying that the identity it associates with the client's
|
||
credentials (e.g., the authentication identity) is allowed to act as
|
||
the authorization identity. A SASL exchange fails if either (or
|
||
both) of these verifications fails. (The SASL exchange may fail for
|
||
other reasons, such as service authorization failure.)
|
||
|
||
However, the precise form(s) of the authentication identities (used
|
||
within the server in its verifications, or otherwise) and the precise
|
||
form(s) of the authorization identities (used in making authorization
|
||
decisions, or otherwise) are beyond the scope of SASL and this
|
||
specification. In some circumstances, the precise identity forms
|
||
used in some context outside of the SASL exchange may be dictated by
|
||
other specifications. For instance, an identity assumption
|
||
authorization (proxy authorization) policy specification may dictate
|
||
how authentication and authorization identities are represented in
|
||
policy statements.
|
||
|
||
3. The Authentication Exchange
|
||
|
||
Each authentication exchange consists of a message from the client to
|
||
the server requesting authentication via a particular mechanism,
|
||
followed by one or more pairs of challenges from the server and
|
||
responses from the client, followed by a message from the server
|
||
indicating the outcome of the authentication exchange. (Note:
|
||
exchanges may also be aborted as discussed in Section 3.5.)
|
||
|
||
The following illustration provides a high-level overview of an
|
||
authentication exchange.
|
||
|
||
C: Request authentication exchange
|
||
S: Initial challenge
|
||
C: Initial response
|
||
<additional challenge/response messages>
|
||
S: Outcome of authentication exchange
|
||
|
||
If the outcome is successful and a security layer was negotiated,
|
||
this layer is then installed (see Section 3.7). This also applies to
|
||
the following illustrations.
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 6]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Some mechanisms specify that the first data sent in the
|
||
authentication exchange is from the client to the server. Protocols
|
||
may provide an optional initial response field in the request message
|
||
to carry this data. Where the mechanism specifies that the first
|
||
data sent in the exchange is from the client to the server, the
|
||
protocol provides an optional initial response field, and the client
|
||
uses this field, the exchange is shortened by one round-trip:
|
||
|
||
C: Request authentication exchange + Initial response
|
||
<additional challenge/response messages>
|
||
S: Outcome of authentication exchange
|
||
|
||
Where the mechanism specifies that the first data sent in the
|
||
exchange is from the client to the server and this field is
|
||
unavailable or unused, the client request is followed by an empty
|
||
challenge.
|
||
|
||
C: Request authentication exchange
|
||
S: Empty Challenge
|
||
C: Initial Response
|
||
<additional challenge/response messages>
|
||
S: Outcome of authentication exchange
|
||
|
||
Should a client include an initial response in its request where the
|
||
mechanism does not allow the client to send data first, the
|
||
authentication exchange fails.
|
||
|
||
Some mechanisms specify that the server is to send additional data to
|
||
the client when indicating a successful outcome. Protocols may
|
||
provide an optional additional data field in the outcome message to
|
||
carry this data. Where the mechanism specifies that the server is to
|
||
return additional data with the successful outcome, the protocol
|
||
provides an optional additional data field in the outcome message,
|
||
and the server uses this field, the exchange is shortened by one
|
||
round-trip:
|
||
|
||
C: Request authentication exchange
|
||
S: Initial challenge
|
||
C: Initial response
|
||
<additional challenge/response messages>
|
||
S: Outcome of authentication exchange with
|
||
additional data with success
|
||
|
||
Where the mechanism specifies that the server is to return additional
|
||
data to the client with a successful outcome and this field is
|
||
unavailable or unused, the additional data is sent as a challenge
|
||
whose response is empty. After receiving this response, the server
|
||
then indicates the successful outcome.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 7]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
C: Request authentication exchange
|
||
S: Initial challenge
|
||
C: Initial response
|
||
<additional challenge/response messages>
|
||
S: Additional data challenge
|
||
C: Empty Response
|
||
S: Outcome of authentication exchange
|
||
|
||
Where mechanisms specify that the first data sent in the exchange is
|
||
from the client to the server and additional data is sent to the
|
||
client along with indicating a successful outcome, and the protocol
|
||
provides fields supporting both, then the exchange takes two fewer
|
||
round-trips:
|
||
|
||
C: Request authentication exchange + Initial response
|
||
<additional challenge/response messages>
|
||
S: Outcome of authentication exchange
|
||
with additional data with success
|
||
|
||
instead of:
|
||
|
||
C: Request authentication exchange
|
||
S: Empty Challenge
|
||
C: Initial Response
|
||
<additional challenge/response messages>
|
||
S: Additional data challenge
|
||
C: Empty Response
|
||
S: Outcome of authentication exchange
|
||
|
||
3.1. Mechanism Naming
|
||
|
||
SASL mechanisms are named by character strings, from 1 to 20
|
||
characters in length, consisting of ASCII [ASCII] uppercase letters,
|
||
digits, hyphens, and/or underscores. In the following Augmented
|
||
Backus-Naur Form (ABNF) [RFC4234] grammar, the <sasl-mech> production
|
||
defines the syntax of a SASL mechanism name.
|
||
|
||
sasl-mech = 1*20mech-char
|
||
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
|
||
; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _
|
||
; from ASCII character set.
|
||
|
||
UPPER-ALPHA = %x41-5A ; A-Z (uppercase only)
|
||
DIGIT = %x30-39 ; 0-9
|
||
HYPHEN = %x2D ; hyphen (-)
|
||
UNDERSCORE = %x5F ; underscore (_)
|
||
|
||
SASL mechanism names are registered as discussed in Section 7.1.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 8]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
3.2. Mechanism Negotiation
|
||
|
||
Mechanism negotiation is protocol specific.
|
||
|
||
Commonly, a protocol will specify that the server advertises
|
||
supported and available mechanisms to the client via some facility
|
||
provided by the protocol, and the client will then select the "best"
|
||
mechanism from this list that it supports and finds suitable.
|
||
|
||
Note that the mechanism negotiation is not protected by the
|
||
subsequent authentication exchange and hence is subject to downgrade
|
||
attacks if not protected by other means.
|
||
|
||
To detect downgrade attacks, a protocol can allow the client to
|
||
discover available mechanisms subsequent to the authentication
|
||
exchange and installation of data security layers with at least data
|
||
integrity protection. This allows the client to detect changes to
|
||
the list of mechanisms supported by the server.
|
||
|
||
3.3. Request Authentication Exchange
|
||
|
||
The authentication exchange is initiated by the client by requesting
|
||
authentication via a mechanism it specifies. The client sends a
|
||
message that contains the name of the mechanism to the server. The
|
||
particulars of the message are protocol specific.
|
||
|
||
Note that the name of the mechanism is not protected by the
|
||
mechanism, and hence is subject to alteration by an attacker if not
|
||
integrity protected by other means.
|
||
|
||
Where the mechanism is defined to allow the client to send data
|
||
first, and the protocol's request message includes an optional
|
||
initial response field, the client may include the response to the
|
||
initial challenge in the authentication request message.
|
||
|
||
3.4. Challenges and Responses
|
||
|
||
The authentication exchange involves one or more pairs of server-
|
||
challenges and client-responses, the particulars of which are
|
||
mechanism specific. These challenges and responses are enclosed in
|
||
protocol messages, the particulars of which are protocol specific.
|
||
|
||
Through these challenges and responses, the mechanism may:
|
||
|
||
- authenticate the client to the server,
|
||
|
||
- authenticate the server to the client,
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 9]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
- transfer an authorization identity string,
|
||
|
||
- negotiate a security layer, and
|
||
|
||
- provide other services.
|
||
|
||
The negotiation of the security layer may involve negotiation of the
|
||
security services to be provided in the layer, how these services
|
||
will be provided, and negotiation of a maximum cipher-text buffer
|
||
size each side is able to receive in the layer (see Section 3.6).
|
||
|
||
After receiving an authentication request or any client response, the
|
||
server may issue a challenge, abort the exchange, or indicate the
|
||
outcome of an exchange. After receiving a challenge, a client
|
||
mechanism may issue a response or abort the exchange.
|
||
|
||
3.4.1. Authorization Identity String
|
||
|
||
The authorization identity string is a sequence of zero or more
|
||
Unicode [Unicode] characters, excluding the NUL (U+0000) character,
|
||
representing the identity to act as.
|
||
|
||
If the authorization identity string is absent, the client is
|
||
requesting to act as the identity the server associates with the
|
||
client's credentials. An empty string is equivalent to an absent
|
||
authorization identity.
|
||
|
||
A non-empty authorization identity string indicates that the client
|
||
wishes to act as the identity represented by the string. In this
|
||
case, the form of identity represented by the string, as well as the
|
||
precise syntax and semantics of the string, is protocol specific.
|
||
|
||
While the character encoding schema used to transfer the
|
||
authorization identity string in the authentication exchange is
|
||
mechanism specific, mechanisms are expected to be capable of carrying
|
||
the entire Unicode repertoire (with the exception of the NUL
|
||
character).
|
||
|
||
3.5. Aborting Authentication Exchanges
|
||
|
||
A client or server may desire to abort an authentication exchange if
|
||
it is unwilling or unable to continue (or enter into).
|
||
|
||
A client may abort the authentication exchange by sending a message,
|
||
the particulars of which are protocol specific, to the server,
|
||
indicating that the exchange is aborted. The server may be required
|
||
by the protocol to return a message in response to the client's abort
|
||
message.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 10]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Likewise, a server may abort the authentication exchange by sending a
|
||
message, the particulars of which are protocol specific, to the
|
||
client, indicating that the exchange is aborted.
|
||
|
||
3.6. Authentication Outcome
|
||
|
||
At the conclusion of the authentication exchange, the server sends a
|
||
message, the particulars of which are protocol specific, to the
|
||
client indicating the outcome of the exchange.
|
||
|
||
The outcome is not successful if
|
||
|
||
- the authentication exchange failed for any reason,
|
||
|
||
- the client's credentials could not be verified,
|
||
|
||
- the server cannot associate an identity with the client's
|
||
credentials,
|
||
|
||
- the client-provided authorization identity string is malformed,
|
||
|
||
- the identity associated with the client's credentials is not
|
||
authorized to act as the requested authorization identity,
|
||
|
||
- the negotiated security layer (or lack thereof) is not
|
||
suitable, or
|
||
|
||
- the server is not willing to provide service to the client for
|
||
any reason.
|
||
|
||
The protocol may include an optional additional data field in this
|
||
outcome message. This field can only include additional data when
|
||
the outcome is successful.
|
||
|
||
If the outcome is successful and a security layer was negotiated,
|
||
this layer is then installed. If the outcome is unsuccessful, or a
|
||
security layer was not negotiated, any existing security is left in
|
||
place.
|
||
|
||
The outcome message provided by the server can provide a way for the
|
||
client to distinguish between errors that are best dealt with by re-
|
||
prompting the user for her credentials, errors that are best dealt
|
||
with by telling the user to try again later, and errors where the
|
||
user must contact a system administrator for resolution (see the SYS
|
||
and AUTH POP Response Codes [RFC3206] specification for an example).
|
||
This distinction is particularly useful during scheduled server
|
||
maintenance periods as it reduces support costs. It is also
|
||
important that the server can be configured such that the outcome
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 11]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
message will not distinguish between a valid user with invalid
|
||
credentials and an invalid user.
|
||
|
||
3.7. Security Layers
|
||
|
||
SASL mechanisms may offer a wide range of services in security
|
||
layers. Typical services include data integrity and data
|
||
confidentiality. SASL mechanisms that do not provide a security
|
||
layer are treated as negotiating no security layer.
|
||
|
||
If use of a security layer is negotiated in the authentication
|
||
protocol exchange, the layer is installed by the server after
|
||
indicating the outcome of the authentication exchange and installed
|
||
by the client upon receipt of the outcome indication. In both cases,
|
||
the layer is installed before transfer of further protocol data. The
|
||
precise position upon which the layer takes effect in the protocol
|
||
data stream is protocol specific.
|
||
|
||
Once the security layer is in effect in the protocol data stream, it
|
||
remains in effect until either a subsequently negotiated security
|
||
layer is installed or the underlying transport connection is closed.
|
||
|
||
When in effect, the security layer processes protocol data into
|
||
buffers of protected data. If at any time the security layer is
|
||
unable or unwilling to continue producing buffers protecting protocol
|
||
data, the underlying transport connection MUST be closed. If the
|
||
security layer is not able to decode a received buffer, the
|
||
underlying connection MUST be closed. In both cases, the underlying
|
||
transport connection SHOULD be closed gracefully.
|
||
|
||
Each buffer of protected data is transferred over the underlying
|
||
transport connection as a sequence of octets prepended with a four-
|
||
octet field in network byte order that represents the length of the
|
||
buffer. The length of the protected data buffer MUST be no larger
|
||
than the maximum size that the other side expects. Upon the receipt
|
||
of a length field whose value is greater than the maximum size, the
|
||
receiver SHOULD close the connection, as this might be a sign of an
|
||
attack.
|
||
|
||
The maximum size that each side expects is fixed by the mechanism,
|
||
either through negotiation or by its specification.
|
||
|
||
3.8. Multiple Authentications
|
||
|
||
Unless explicitly permitted in the protocol (as stated in the
|
||
protocol's technical specification), only one successful SASL
|
||
authentication exchange may occur in a protocol session. In this
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 12]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
case, once an authentication exchange has successfully completed,
|
||
further attempts to initiate an authentication exchange fail.
|
||
|
||
Where multiple successful SASL authentication exchanges are permitted
|
||
in the protocol, then in no case may multiple SASL security layers be
|
||
simultaneously in effect. If a security layer is in effect and a
|
||
subsequent SASL negotiation selects a second security layer, then the
|
||
second security layer replaces the first. If a security layer is in
|
||
effect and a subsequent SASL negotiation selects no security layer,
|
||
the original security layer remains in effect.
|
||
|
||
Where multiple successful SASL negotiations are permitted in the
|
||
protocol, the effect of a failed SASL authentication exchange upon
|
||
the previously established authentication and authorization state is
|
||
protocol specific. The protocol's technical specification should be
|
||
consulted to determine whether the previous authentication and
|
||
authorization state remains in force, or changed to an anonymous
|
||
state, or otherwise was affected. Regardless of the protocol-
|
||
specific effect upon previously established authentication and
|
||
authorization state, the previously negotiated security layer remains
|
||
in effect.
|
||
|
||
4. Protocol Requirements
|
||
|
||
In order for a protocol to offer SASL services, its specification
|
||
MUST supply the following information:
|
||
|
||
1) A service name, to be selected from registry of "service" elements
|
||
for the Generic Security Service Application Program Interface
|
||
(GSSAPI) host-based service name form, as described in Section 4.1
|
||
of [RFC2743]. Note that this registry is shared by all GSSAPI and
|
||
SASL mechanisms.
|
||
|
||
2) Detail any mechanism negotiation facility that the protocol
|
||
provides (see Section 3.2).
|
||
|
||
A protocol SHOULD specify a facility through which the client may
|
||
discover, both before initiation of the SASL exchange and after
|
||
installing security layers negotiated by the exchange, the names
|
||
of the SASL mechanisms that the server makes available to the
|
||
client. The latter is important to allow the client to detect
|
||
downgrade attacks. This facility is typically provided through
|
||
the protocol's extensions or capabilities discovery facility.
|
||
|
||
3) Definition of the messages necessary for authentication exchange,
|
||
including the following:
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 13]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
a) A message to initiate the authentication exchange (see Section
|
||
3.3).
|
||
|
||
This message MUST contain a field for carrying the name of the
|
||
mechanism selected by the client.
|
||
|
||
This message SHOULD contain an optional field for carrying an
|
||
initial response. If the message is defined with this field,
|
||
the specification MUST describe how messages with an empty
|
||
initial response are distinguished from messages with no
|
||
initial response. This field MUST be capable of carrying
|
||
arbitrary sequences of octets (including zero-length sequences
|
||
and sequences containing zero-valued octets).
|
||
|
||
b) Messages to transfer server challenges and client responses
|
||
(see Section 3.4).
|
||
|
||
Each of these messages MUST be capable of carrying arbitrary
|
||
sequences of octets (including zero-length sequences and
|
||
sequences containing zero-valued octets).
|
||
|
||
c) A message to indicate the outcome of the authentication
|
||
exchange (see Section 3.6).
|
||
|
||
This message SHOULD contain an optional field for carrying
|
||
additional data with a successful outcome. If the message is
|
||
defined with this field, the specification MUST describe how
|
||
messages with an empty additional data are distinguished from
|
||
messages with no additional data. This field MUST be capable
|
||
of carrying arbitrary sequences of octets (including zero-
|
||
length sequences and sequences containing zero-valued octets).
|
||
|
||
4) Prescribe the syntax and semantics of non-empty authorization
|
||
identity strings (see Section 3.4.1).
|
||
|
||
In order to avoid interoperability problems due to differing
|
||
normalizations, the protocol specification MUST detail precisely
|
||
how and where (client or server) non-empty authorization identity
|
||
strings are prepared, including all normalizations, for comparison
|
||
and other applicable functions to ensure proper function.
|
||
|
||
Specifications are encouraged to prescribe use of existing
|
||
authorization identity forms as well as existing string
|
||
representations, such as simple user names [RFC4013].
|
||
|
||
Where the specification does not precisely prescribe how
|
||
identities in SASL relate to identities used elsewhere in the
|
||
protocol, for instance, in access control policy statements, it
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 14]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
may be appropriate for the protocol to provide a facility by which
|
||
the client can discover information (such as the representation of
|
||
the identity used in making access control decisions) about
|
||
established identities for these uses.
|
||
|
||
5) Detail any facility the protocol provides that allows the client
|
||
and/or server to abort authentication exchange (see Section 3.5).
|
||
|
||
Protocols that support multiple authentications typically allow a
|
||
client to abort an ongoing authentication exchange by initiating a
|
||
new authentication exchange. Protocols that do not support
|
||
multiple authentications may require the client to close the
|
||
connection and start over to abort an ongoing authentication
|
||
exchange.
|
||
|
||
Protocols typically allow the server to abort ongoing
|
||
authentication exchanges by returning a non-successful outcome
|
||
message.
|
||
|
||
6) Identify precisely where newly negotiated security layers start to
|
||
take effect, in both directions (see Section 3.7).
|
||
|
||
Typically, specifications require security layers to start taking
|
||
effect on the first octet following the outcome message in data
|
||
being sent by the server and on the first octet sent after receipt
|
||
of the outcome message in data being sent by the client.
|
||
|
||
7) If the protocol supports other layered security services, such as
|
||
Transport Layer Security (TLS) [RFC4346], the specification MUST
|
||
prescribe the order in which security layers are applied to
|
||
protocol data.
|
||
|
||
For instance, where a protocol supports both TLS and SASL security
|
||
layers, the specification could prescribe any of the following:
|
||
|
||
a) SASL security layer is always applied first to data being sent
|
||
and, hence, applied last to received data,
|
||
|
||
b) SASL security layer is always applied last to data being sent
|
||
and, hence, applied first to received data,
|
||
|
||
c) Layers are applied in the order in which they were installed,
|
||
|
||
d) Layers are applied in the reverse order in which they were
|
||
installed, or
|
||
|
||
e) Both TLS and SASL security layers cannot be installed.
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 15]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
8) Indicate whether the protocol supports multiple authentications
|
||
(see Section 3.8). If so, the protocol MUST detail the effect a
|
||
failed SASL authentication exchange will have upon a previously
|
||
established authentication and authorization state.
|
||
|
||
Protocol specifications SHOULD avoid stating implementation
|
||
requirements that would hinder replacement of applicable mechanisms.
|
||
In general, protocol specifications SHOULD be mechanism neutral.
|
||
There are a number of reasonable exceptions to this recommendation,
|
||
including
|
||
|
||
- detailing how credentials (which are mechanism specific) are
|
||
managed in the protocol,
|
||
|
||
- detailing how authentication identities (which are mechanism
|
||
specific) and authorization identities (which are protocol
|
||
specific) relate to each other, and
|
||
|
||
- detailing which mechanisms are applicable to the protocol.
|
||
|
||
5. Mechanism Requirements
|
||
|
||
SASL mechanism specifications MUST supply the following information:
|
||
|
||
1) The name of the mechanism (see Section 3.1). This name MUST be
|
||
registered as discussed in Section 7.1.
|
||
|
||
2) A definition of the server-challenges and client-responses of the
|
||
authentication exchange, as well as the following:
|
||
|
||
a) An indication of whether the mechanism is client-first,
|
||
variable, or server-first. If a SASL mechanism is defined as
|
||
client-first and the client does not send an initial response
|
||
in the authentication request, then the first server challenge
|
||
MUST be empty (the EXTERNAL mechanism is an example of this
|
||
case). If a SASL mechanism is defined as variable, then the
|
||
specification needs to state how the server behaves when the
|
||
initial client response in the authentication request is
|
||
omitted (the DIGEST-MD5 mechanism [DIGEST-MD5] is an example of
|
||
this case). If a SASL mechanism is defined as server-first,
|
||
then the client MUST NOT send an initial client response in the
|
||
authentication request (the CRAM-MD5 mechanism [CRAM-MD5] is an
|
||
example of this case).
|
||
|
||
b) An indication of whether the server is expected to provide
|
||
additional data when indicating a successful outcome. If so,
|
||
if the server sends the additional data as a challenge, the
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 16]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
specification MUST indicate that the response to this challenge
|
||
is an empty response.
|
||
|
||
SASL mechanisms SHOULD be designed to minimize the number of
|
||
challenges and responses necessary to complete the exchange.
|
||
|
||
3) An indication of whether the mechanism is capable of transferring
|
||
authorization identity strings (see Section 3.4.1). While some
|
||
legacy mechanisms are incapable of transmitting an authorization
|
||
identity (which means that for these mechanisms, the authorization
|
||
identity is always the empty string), newly defined mechanisms
|
||
SHOULD be capable of transferring authorization identity strings.
|
||
The mechanism SHOULD NOT be capable of transferring both no
|
||
authorization identity string and an empty authorization identity.
|
||
|
||
Mechanisms that are capable of transferring an authorization
|
||
identity string MUST be capable of transferring arbitrary non-
|
||
empty sequences of Unicode characters, excluding those that
|
||
contain the NUL (U+0000) character. Mechanisms SHOULD use the
|
||
UTF-8 [RFC3629] transformation format. The specification MUST
|
||
detail how any Unicode code points special to the mechanism that
|
||
might appear in the authorization identity string are escaped to
|
||
avoid ambiguity during decoding of the authorization identity
|
||
string. Typically, mechanisms that have special characters
|
||
require these special characters to be escaped or encoded in the
|
||
character string (after encoding it in a particular Unicode
|
||
transformation format) using a data encoding scheme such as Base64
|
||
[RFC3548].
|
||
|
||
4) The specification MUST detail whether the mechanism offers a
|
||
security layer. If the mechanism does, the specification MUST
|
||
detail the security and other services offered in the layer as
|
||
well as how these services are to be implemented.
|
||
|
||
5) If the underlying cryptographic technology used by a mechanism
|
||
supports data integrity, then the mechanism specification MUST
|
||
integrity protect the transmission of an authorization identity
|
||
and the negotiation of the security layer.
|
||
|
||
SASL mechanisms SHOULD be protocol neutral.
|
||
|
||
SASL mechanisms SHOULD reuse existing credential and identity forms,
|
||
as well as associated syntaxes and semantics.
|
||
|
||
SASL mechanisms SHOULD use the UTF-8 transformation format [RFC3629]
|
||
for encoding Unicode [Unicode] code points for transfer.
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 17]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
In order to avoid interoperability problems due to differing
|
||
normalizations, when a mechanism calls for character data (other than
|
||
the authorization identity string) to be used as input to a
|
||
cryptographic and/or comparison function, the specification MUST
|
||
detail precisely how and where (client or server) the character data
|
||
is to be prepared, including all normalizations, for input into the
|
||
function to ensure proper operation.
|
||
|
||
For simple user names and/or passwords in authentication credentials,
|
||
SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation
|
||
algorithm), SHOULD be specified as the preparation algorithm.
|
||
|
||
The mechanism SHOULD NOT use the authorization identity string in
|
||
generation of any long-term cryptographic keys or hashes as there is
|
||
no requirement that the authorization identity string be canonical.
|
||
Long-term, here, means a term longer than the duration of the
|
||
authentication exchange in which they were generated. That is, as
|
||
different clients (of the same or different protocol) may provide
|
||
different authorization identity strings that are semantically
|
||
equivalent, use of authorization identity strings in generation of
|
||
cryptographic keys and hashes will likely lead to interoperability
|
||
and other problems.
|
||
|
||
6. Security Considerations
|
||
|
||
Security issues are discussed throughout this memo.
|
||
|
||
Many existing SASL mechanisms do not provide adequate protection
|
||
against passive attacks, let alone active attacks, in the
|
||
authentication exchange. Many existing SASL mechanisms do not offer
|
||
security layers. It is hoped that future SASL mechanisms will
|
||
provide strong protection against passive and active attacks in the
|
||
authentication exchange, as well as security layers with strong basic
|
||
data security features (e.g., data integrity and data
|
||
confidentiality) services. It is also hoped that future mechanisms
|
||
will provide more advanced data security services like re-keying (see
|
||
Section 6.3).
|
||
|
||
Regardless, the SASL framework is susceptible to downgrade attacks.
|
||
Section 6.1.2 offers a variety of approaches for preventing or
|
||
detecting these attacks. In some cases, it is appropriate to use
|
||
data integrity protective services external to SASL (e.g., TLS) to
|
||
protect against downgrade attacks in SASL. Use of external
|
||
protective security services is also important when the mechanisms
|
||
available do not themselves offer adequate integrity and/or
|
||
confidentiality protection of the authentication exchange and/or
|
||
protocol data.
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 18]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
6.1. Active Attacks
|
||
|
||
6.1.1. Hijack Attacks
|
||
|
||
When the client selects a SASL security layer with at least integrity
|
||
protection, this protection serves as a counter-measure against an
|
||
active attacker hijacking the connection and modifying protocol data
|
||
sent after establishment of the security layer. Implementations
|
||
SHOULD close the connection when the security services in a SASL
|
||
security layer report protocol data report lack of data integrity.
|
||
|
||
6.1.2. Downgrade Attacks
|
||
|
||
It is important that any security-sensitive protocol negotiations be
|
||
performed after installation of a security layer with data integrity
|
||
protection. Protocols should be designed such that negotiations
|
||
performed prior to this installation should be revalidated after
|
||
installation is complete. Negotiation of the SASL mechanism is
|
||
security sensitive.
|
||
|
||
When a client negotiates the authentication mechanism with the server
|
||
and/or other security features, it is possible for an active attacker
|
||
to cause a party to use the least secure security services available.
|
||
For instance, an attacker can modify the server-advertised mechanism
|
||
list or can modify the client-advertised security feature list within
|
||
a mechanism response. To protect against this sort of attack,
|
||
implementations SHOULD NOT advertise mechanisms and/or features that
|
||
cannot meet their minimum security requirements, SHOULD NOT enter
|
||
into or continue authentication exchanges that cannot meet their
|
||
minimum security requirements, and SHOULD verify that completed
|
||
authentication exchanges result in security services that meet their
|
||
minimum security requirements. Note that each endpoint needs to
|
||
independently verify that its security requirements are met.
|
||
|
||
In order to detect downgrade attacks to the least (or less) secure
|
||
mechanism supported, the client can discover the SASL mechanisms that
|
||
the server makes available both before the SASL authentication
|
||
exchange and after the negotiated SASL security layer (with at least
|
||
data integrity protection) has been installed through the protocol's
|
||
mechanism discovery facility. If the client finds that the
|
||
integrity-protected list (the list obtained after the security layer
|
||
was installed) contains a stronger mechanism than those in the
|
||
previously obtained list, the client should assume that the
|
||
previously obtained list was modified by an attacker and SHOULD close
|
||
the underlying transport connection.
|
||
|
||
The client's initiation of the SASL exchange, including the selection
|
||
of a SASL mechanism, is done in the clear and may be modified by an
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 19]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
active attacker. It is important for any new SASL mechanisms to be
|
||
designed such that an active attacker cannot obtain an authentication
|
||
with weaker security properties by modifying the SASL mechanism name
|
||
and/or the challenges and responses.
|
||
|
||
Multi-level negotiation of security features is prone to downgrade
|
||
attack. Protocol designers should avoid offering higher-level
|
||
negotiation of security features in protocols (e.g., above SASL
|
||
mechanism negotiation) and mechanism designers should avoid lower-
|
||
level negotiation of security features in mechanisms (e.g., below
|
||
SASL mechanism negotiation).
|
||
|
||
6.1.3. Replay Attacks
|
||
|
||
Some mechanisms may be subject to replay attacks unless protected by
|
||
external data security services (e.g., TLS).
|
||
|
||
6.1.4. Truncation Attacks
|
||
|
||
Most existing SASL security layers do not themselves offer protection
|
||
against truncation attack. In a truncation attack, the active
|
||
attacker causes the protocol session to be closed, causing a
|
||
truncation of the possibly integrity-protected data stream that leads
|
||
to behavior of one or both the protocol peers that inappropriately
|
||
benefits the attacker. Truncation attacks are fairly easy to defend
|
||
against in connection-oriented application-level protocols. A
|
||
protocol can defend against these attacks by ensuring that each
|
||
information exchange has a clear final result and that each protocol
|
||
session has a graceful closure mechanism, and that these are
|
||
integrity protected.
|
||
|
||
6.1.5. Other Active Attacks
|
||
|
||
When use of a security layer is negotiated by the authentication
|
||
protocol exchange, the receiver SHOULD handle gracefully any
|
||
protected data buffer larger than the defined/negotiated maximal
|
||
size. In particular, it MUST NOT blindly allocate the amount of
|
||
memory specified in the buffer size field, as this might cause the
|
||
"out of memory" condition. If the receiver detects a large block, it
|
||
SHOULD close the connection.
|
||
|
||
6.2. Passive Attacks
|
||
|
||
Many mechanisms are subject to various passive attacks, including
|
||
simple eavesdropping of unprotected credential information as well as
|
||
online and offline dictionary attacks of protected credential
|
||
information.
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 20]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
6.3. Re-keying
|
||
|
||
The secure or administratively permitted lifetimes of SASL
|
||
mechanisms' security layers are finite. Cryptographic keys weaken as
|
||
they are used and as time passes; the more time and/or cipher-text
|
||
that a cryptanalyst has after the first use of the a key, the easier
|
||
it is for the cryptanalyst to mount attacks on the key.
|
||
|
||
Administrative limits on a security layer's lifetime may take the
|
||
form of time limits expressed in X.509 certificates, in Kerberos V
|
||
tickets, or in directories, and are often desired. In practice, one
|
||
likely effect of administrative lifetime limits is that applications
|
||
may find that security layers stop working in the middle of
|
||
application protocol operation, such as, perhaps, during large data
|
||
transfers. As the result of this, the connection will be closed (see
|
||
Section 3.7), which will result in an unpleasant user experience.
|
||
|
||
Re-keying (key renegotiation process) is a way of addressing the
|
||
weakening of cryptographic keys. The SASL framework does not itself
|
||
provide for re-keying; SASL mechanisms may. Designers of future SASL
|
||
mechanisms should consider providing re-keying services.
|
||
|
||
Implementations that wish to re-key SASL security layers where the
|
||
mechanism does not provide for re-keying SHOULD reauthenticate the
|
||
same IDs and replace the expired or soon-to-expire security layers.
|
||
This approach requires support for reauthentication in the
|
||
application protocols (see Section 3.8).
|
||
|
||
6.4. Other Considerations
|
||
|
||
Protocol designers and implementors should understand the security
|
||
considerations of mechanisms so they may select mechanisms that are
|
||
applicable to their needs.
|
||
|
||
Distributed server implementations need to be careful in how they
|
||
trust other parties. In particular, authentication secrets should
|
||
only be disclosed to other parties that are trusted to manage and use
|
||
those secrets in a manner acceptable to the disclosing party.
|
||
Applications using SASL assume that SASL security layers providing
|
||
data confidentiality are secure even when an attacker chooses the
|
||
text to be protected by the security layer. Similarly, applications
|
||
assume that the SASL security layer is secure even if the attacker
|
||
can manipulate the cipher-text output of the security layer. New
|
||
SASL mechanisms are expected to meet these assumptions.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 21]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Unicode security considerations [UTR36] apply to authorization
|
||
identity strings, as well as UTF-8 [RFC3629] security considerations
|
||
where UTF-8 is used. SASLprep [RFC4013] and StringPrep [RFC3454]
|
||
security considerations also apply where used.
|
||
|
||
7. IANA Considerations
|
||
|
||
7.1. SASL Mechanism Registry
|
||
|
||
The SASL mechanism registry is maintained by IANA. The registry is
|
||
currently available at <http://www.iana.org/assignments/sasl-
|
||
mechanisms>.
|
||
|
||
The purpose of this registry is not only to ensure uniqueness of
|
||
values used to name SASL mechanisms, but also to provide a definitive
|
||
reference to technical specifications detailing each SASL mechanism
|
||
available for use on the Internet.
|
||
|
||
There is no naming convention for SASL mechanisms; any name that
|
||
conforms to the syntax of a SASL mechanism name can be registered.
|
||
|
||
The procedure detailed in Section 7.1.1 is to be used for
|
||
registration of a value naming a specific individual mechanism.
|
||
|
||
The procedure detailed in Section 7.1.2 is to be used for
|
||
registration of a value naming a family of related mechanisms.
|
||
|
||
Comments may be included in the registry as discussed in Section
|
||
7.1.3 and may be changed as discussed in Section 7.1.4.
|
||
|
||
The SASL mechanism registry has been updated to reflect that this
|
||
document provides the definitive technical specification for SASL and
|
||
that this section provides the registration procedures for this
|
||
registry.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 22]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
7.1.1. Mechanism Name Registration Procedure
|
||
|
||
IANA will register new SASL mechanism names on a First Come First
|
||
Served basis, as defined in BCP 26 [RFC2434]. IANA has the right to
|
||
reject obviously bogus registration requests, but will perform no
|
||
review of claims made in the registration form.
|
||
|
||
Registration of a SASL mechanism is requested by filling in the
|
||
following template:
|
||
|
||
Subject: Registration of SASL mechanism X
|
||
|
||
SASL mechanism name (or prefix for the family):
|
||
|
||
Security considerations:
|
||
|
||
Published specification (recommended):
|
||
|
||
Person & email address to contact for further information:
|
||
|
||
Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)
|
||
|
||
Owner/Change controller:
|
||
|
||
Note: (Any other information that the author deems relevant may be
|
||
added here.)
|
||
|
||
and sending it via electronic mail to IANA at <iana@iana.org>.
|
||
|
||
While this registration procedure does not require expert review,
|
||
authors of SASL mechanisms are encouraged to seek community review
|
||
and comment whenever that is feasible. Authors may seek community
|
||
review by posting a specification of their proposed mechanism as an
|
||
Internet-Draft. SASL mechanisms intended for widespread use should
|
||
be standardized through the normal IETF process, when appropriate.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 23]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
7.1.2. Family Name Registration Procedure
|
||
|
||
As noted above, there is no general naming convention for SASL
|
||
mechanisms. However, specifications may reserve a portion of the
|
||
SASL mechanism namespace for a set of related SASL mechanisms, a
|
||
"family" of SASL mechanisms. Each family of SASL mechanisms is
|
||
identified by a unique prefix, such as X-. Registration of new SASL
|
||
mechanism family names requires expert review as defined in BCP 26
|
||
[RFC2434].
|
||
|
||
Registration of a SASL family name is requested by filling in the
|
||
following template:
|
||
|
||
Subject: Registration of SASL mechanism family X
|
||
|
||
SASL family name (or prefix for the family):
|
||
|
||
Security considerations:
|
||
|
||
Published specification (recommended):
|
||
|
||
Person & email address to contact for further information:
|
||
|
||
Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)
|
||
|
||
Owner/Change controller:
|
||
|
||
Note: (Any other information that the author deems relevant may be
|
||
added here.)
|
||
|
||
and sending it via electronic mail to the IETF SASL mailing list at
|
||
<ietf-sasl@imc.org> and carbon copying IANA at <iana@iana.org>.
|
||
After allowing two weeks for community input on the IETF SASL mailing
|
||
list, the expert will determine the appropriateness of the
|
||
registration request and either approve or disapprove the request
|
||
with notice to the requestor, the mailing list, and IANA.
|
||
|
||
The review should focus on the appropriateness of the requested
|
||
family name for the proposed use and the appropriateness of the
|
||
proposed naming and registration plan for existing and future
|
||
mechanism names in the family. The scope of this request review may
|
||
entail consideration of relevant aspects of any provided technical
|
||
specification, such as their IANA Considerations section. However,
|
||
this review is narrowly focused on the appropriateness of the
|
||
requested registration and not on the overall soundness of any
|
||
provided technical specification.
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 24]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Authors are encouraged to pursue community review by posting the
|
||
technical specification as an Internet-Draft and soliciting comment
|
||
by posting to appropriate IETF mailing lists.
|
||
|
||
7.1.3. Comments on SASL Mechanism Registrations
|
||
|
||
Comments on a registered SASL mechanism/family should first be sent
|
||
to the "owner" of the mechanism/family and/or to the <ietf-
|
||
sasl@imc.org> mailing list.
|
||
|
||
Submitters of comments may, after a reasonable attempt to contact the
|
||
owner, request IANA to attach their comment to the SASL mechanism
|
||
registration itself by sending mail to <iana@iana.org>. At IANA's
|
||
sole discretion, IANA may attach the comment to the SASL mechanism's
|
||
registration.
|
||
|
||
7.1.4. Change Control
|
||
|
||
Once a SASL mechanism registration has been published by IANA, the
|
||
author may request a change to its definition. The change request
|
||
follows the same procedure as the registration request.
|
||
|
||
The owner of a SASL mechanism may pass responsibility for the SASL
|
||
mechanism to another person or agency by informing IANA; this can be
|
||
done without discussion or review.
|
||
|
||
The IESG may reassign responsibility for a SASL mechanism. The most
|
||
common case of this will be to enable changes to be made to
|
||
mechanisms where the author of the registration has died, has moved
|
||
out of contact, or is otherwise unable to make changes that are
|
||
important to the community.
|
||
|
||
SASL mechanism registrations may not be deleted; mechanisms that are
|
||
no longer believed appropriate for use can be declared OBSOLETE by a
|
||
change to their "intended usage" field; such SASL mechanisms will be
|
||
clearly marked in the lists published by IANA.
|
||
|
||
The IESG is considered to be the owner of all SASL mechanisms that
|
||
are on the IETF standards track.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 25]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
7.2. Registration Changes
|
||
|
||
The IANA has updated the SASL mechanisms registry as follows:
|
||
|
||
1) Changed the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
|
||
registrations to OBSOLETE.
|
||
|
||
2) Changed the "Published specification" of the EXTERNAL mechanism to
|
||
this document as indicated below:
|
||
|
||
Subject: Updated Registration of SASL mechanism EXTERNAL
|
||
Family of SASL mechanisms: NO
|
||
SASL mechanism name: EXTERNAL
|
||
Security considerations: See A.3 of RFC 4422
|
||
Published specification (optional, recommended): RFC 4422
|
||
Person & email address to contact for further information:
|
||
Alexey Melnikov <Alexey.Melnikov@isode.com>
|
||
Intended usage: COMMON
|
||
Owner/Change controller: IESG <iesg@ietf.org>
|
||
Note: Updates existing entry for EXTERNAL
|
||
|
||
8. References
|
||
|
||
8.1. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2244] Newman, C. and J. G. Myers, "ACAP -- Application
|
||
Configuration Access Protocol", RFC 2244, November
|
||
1997.
|
||
|
||
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing
|
||
an IANA Considerations Section in RFCs", BCP 26, RFC
|
||
2434, October 1998.
|
||
|
||
[RFC2743] Linn, J., "Generic Security Service Application Program
|
||
Interface Version 2, Update 1", RFC 2743, January 2000.
|
||
|
||
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
|
||
Internationalized Strings ("stringprep")", RFC 3454,
|
||
December 2002.
|
||
|
||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
|
||
10646", STD 63, RFC 3629, November 2003.
|
||
|
||
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
|
||
Names and Passwords", RFC 4013, February 2005.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 26]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
||
Specifications: ABNF", RFC 4234, October 2005.
|
||
|
||
[ASCII] Coded Character Set--7-bit American Standard Code for
|
||
Information Interchange, ANSI X3.4-1986.
|
||
|
||
[Unicode] The Unicode Consortium, "The Unicode Standard, Version
|
||
3.2.0" is defined by "The Unicode Standard, Version
|
||
3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
|
||
61633-5), as amended by the "Unicode Standard Annex
|
||
#27: Unicode 3.1"
|
||
(http://www.unicode.org/reports/tr27/) and by the
|
||
"Unicode Standard Annex #28: Unicode 3.2"
|
||
(http://www.unicode.org/reports/tr28/).
|
||
|
||
[CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
|
||
#17, Character Encoding Model", UTR17,
|
||
<http://www.unicode.org/unicode/reports/tr17/>, August
|
||
2000.
|
||
|
||
[Glossary] The Unicode Consortium, "Unicode Glossary",
|
||
<http://www.unicode.org/glossary/>.
|
||
|
||
8.2. Informative References
|
||
|
||
[RFC3206] Gellens, R., "The SYS and AUTH POP Response Codes", RFC
|
||
3206, February 2002.
|
||
|
||
[RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
|
||
Encodings", RFC 3548, July 2003.
|
||
|
||
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
|
||
Internet Protocol", RFC 4301, December 2005.
|
||
|
||
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer
|
||
Security (TLS) Protocol Version 1.1", RFC 4346, April
|
||
2006.
|
||
|
||
[SASL-GSSAPI] Melnikov, A. (Editor), "The Kerberos V5 ("GSSAPI") SASL
|
||
Mechanism", Work in Progress, May 2006.
|
||
|
||
[UTR36] Davis, M., "(Draft) Unicode Technical Report #36,
|
||
Character Encoding Model", UTR17,
|
||
<http://www.unicode.org/unicode/reports/tr36/>,
|
||
February 2005.
|
||
|
||
[CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism", Work in
|
||
Progress.
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 27]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
[DIGEST-MD5] Leach, P., C. Newman, and A. Melnikov, "Using Digest
|
||
Authentication as a SASL Mechanism", Work in Progress,
|
||
March 2006.
|
||
|
||
9. Acknowledgements
|
||
|
||
This document is a revision of RFC 2222 written by John Myers.
|
||
|
||
This revision is a product of the IETF Simple Authentication and
|
||
Security Layer (SASL) Working Group.
|
||
|
||
The following individuals contributed significantly to this revision:
|
||
Abhijit Menon-Sen, Hallvard Furuseth, Jeffrey Hutzelman, John Myers,
|
||
Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
|
||
'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim
|
||
Alsop, and Tony Hansen.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 28]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Appendix A. The SASL EXTERNAL Mechanism
|
||
|
||
This appendix is normative.
|
||
|
||
The EXTERNAL mechanism allows a client to request the server to use
|
||
credentials established by means external to the mechanism to
|
||
authenticate the client. The external means may be, for instance, IP
|
||
Security [RFC4301] or TLS [RFC4346] services. In absence of some a
|
||
priori agreement between the client and the server, the client cannot
|
||
make any assumption as to what external means the server has used to
|
||
obtain the client's credentials, nor make an assumption as to the
|
||
form of credentials. For example, the client cannot assume that the
|
||
server will use the credentials the client has established via TLS.
|
||
|
||
A.1. EXTERNAL Technical Specification
|
||
|
||
The name of this mechanism is "EXTERNAL".
|
||
|
||
The mechanism does not provide a security layer.
|
||
|
||
The mechanism is capable of transferring an authorization identity
|
||
string. If empty, the client is requesting to act as the identity
|
||
the server has associated with the client's credentials. If non-
|
||
empty, the client is requesting to act as the identity represented by
|
||
the string.
|
||
|
||
The client is expected to send data first in the authentication
|
||
exchange. Where the client does not provide an initial response data
|
||
in its request to initiate the authentication exchange, the server is
|
||
to respond to the request with an empty initial challenge and then
|
||
the client is to provide its initial response.
|
||
|
||
The client sends the initial response containing the UTF-8 [RFC3629]
|
||
encoding of the requested authorization identity string. This
|
||
response is non-empty when the client is requesting to act as the
|
||
identity represented by the (non-empty) string. This response is
|
||
empty when the client is requesting to act as the identity the server
|
||
associated with its authentication credentials.
|
||
|
||
The syntax of the initial response is specified as a value of the
|
||
<extern-initial-resp> production detailed below using the Augmented
|
||
Backus-Naur Form (ABNF) [RFC4234] notation.
|
||
|
||
external-initial-resp = authz-id-string
|
||
authz-id-string = *( UTF8-char-no-nul )
|
||
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
|
||
UTF8-1-no-nul = %x01-7F
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 29]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined
|
||
in [RFC3629].
|
||
|
||
There are no additional challenges and responses.
|
||
|
||
Hence, the server is to return the outcome of the authentication
|
||
exchange.
|
||
|
||
The exchange fails if
|
||
|
||
- the client has not established its credentials via external means,
|
||
|
||
- the client's credentials are inadequate,
|
||
|
||
- the client provided an empty authorization identity string and the
|
||
server is unwilling or unable to associate an authorization
|
||
identity with the client's credentials,
|
||
|
||
- the client provided a non-empty authorization identity string that
|
||
is invalid per the syntax requirements of the applicable
|
||
application protocol specification,
|
||
|
||
- the client provided a non-empty authorization identity string
|
||
representing an identity that the client is not allowed to act as,
|
||
or
|
||
|
||
- the server is unwilling or unable to provide service to the client
|
||
for any other reason.
|
||
|
||
Otherwise the exchange is successful. When indicating a successful
|
||
outcome, additional data is not provided.
|
||
|
||
A.2. SASL EXTERNAL Examples
|
||
|
||
This section provides examples of EXTERNAL authentication exchanges.
|
||
The examples are intended to help the readers understand the above
|
||
text. The examples are not definitive. The Application
|
||
Configuration Access Protocol (ACAP) [RFC2244] is used in the
|
||
examples.
|
||
|
||
The first example shows use of EXTERNAL with an empty authorization
|
||
identity. In this example, the initial response is not sent in the
|
||
client's request to initiate the authentication exchange.
|
||
|
||
S: * ACAP (SASL "DIGEST-MD5")
|
||
C: a001 STARTTLS
|
||
S: a001 OK "Begin TLS negotiation now"
|
||
<TLS negotiation, further commands are under TLS layer>
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 30]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
|
||
C: a002 AUTHENTICATE "EXTERNAL"
|
||
S: + ""
|
||
C: + ""
|
||
S: a002 OK "Authenticated"
|
||
|
||
The second example shows use of EXTERNAL with an authorization
|
||
identity of "fred@example.com". In this example, the initial
|
||
response is sent with the client's request to initiate the
|
||
authentication exchange. This saves a round-trip.
|
||
|
||
S: * ACAP (SASL "DIGEST-MD5")
|
||
C: a001 STARTTLS
|
||
S: a001 OK "Begin TLS negotiation now"
|
||
<TLS negotiation, further commands are under TLS layer>
|
||
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
|
||
C: a002 AUTHENTICATE "EXTERNAL" {16+}
|
||
C: fred@example.com
|
||
S: a002 NO "Cannot assume requested authorization identity"
|
||
|
||
A.3. Security Considerations
|
||
|
||
The EXTERNAL mechanism provides no security protection; it is
|
||
vulnerable to spoofing by either client or server, active attack, and
|
||
eavesdropping. It should only be used when adequate security
|
||
services have been established.
|
||
|
||
Appendix B. Changes since RFC 2222
|
||
|
||
This appendix is non-normative.
|
||
|
||
The material in RFC 2222 was significantly rewritten in the
|
||
production of this document.
|
||
|
||
RFC 2222, by not stating that the authorization identity string was a
|
||
string of Unicode characters, let alone character data, implied that
|
||
the authorization identity string was a string of octets.
|
||
|
||
- The authorization identity string is now defined as a string of
|
||
Unicode characters. The NUL (U+0000) character is prohibited.
|
||
While protocol specifications are responsible for defining the
|
||
authorization identity form, as well as the Unicode string syntax
|
||
and related semantics, mechanism specifications are responsible
|
||
for defining how the Unicode string is carried in the
|
||
authentication exchange.
|
||
|
||
- Deleted "If so, when the client does not send data first, the
|
||
initial challenge MUST be specified as being an empty challenge."
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 31]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
The following technical change was made to the EXTERNAL mechanism:
|
||
|
||
- The authorization identity string is to be UTF-8 encoded.
|
||
|
||
Note that protocol and mechanism specification requirements have
|
||
been significantly tightened. Existing protocol and mechanism
|
||
specifications will need to be updated to meet these requirements.
|
||
|
||
Editors' Addresses
|
||
|
||
Alexey Melnikov
|
||
Isode Limited
|
||
5 Castle Business Village
|
||
36 Station Road
|
||
Hampton, Middlesex,
|
||
TW12 2BX, United Kingdom
|
||
|
||
EMail: Alexey.Melnikov@isode.com
|
||
URI: http://www.melnikov.ca/
|
||
|
||
|
||
Kurt D. Zeilenga
|
||
OpenLDAP Foundation
|
||
|
||
EMail: Kurt@OpenLDAP.org
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 32]
|
||
|
||
RFC 4422 SASL June 2006
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
Acknowledgement
|
||
|
||
Funding for the RFC Editor function is provided by the IETF
|
||
Administrative Support Activity (IASA).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Melnikov & Zeilenga Standards Track [Page 33]
|
||
|