mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
900 lines
34 KiB
Plaintext
900 lines
34 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group J. Myers
|
||
Request for Comments: 2222 Netscape Communications
|
||
Category: Standards Track October 1997
|
||
|
||
|
||
Simple Authentication and Security Layer (SASL)
|
||
|
||
Status of this Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (1997). All Rights Reserved.
|
||
|
||
Table of Contents
|
||
|
||
1. Abstract .............................................. 2
|
||
2. Organization of this Document ......................... 2
|
||
2.1. How to Read This Document ............................. 2
|
||
2.2. Conventions Used in this Document ..................... 2
|
||
2.3. Examples .............................................. 3
|
||
3. Introduction and Overview ............................. 3
|
||
4. Profiling requirements ................................ 4
|
||
5. Specific issues ....................................... 5
|
||
5.1. Client sends data first ............................... 5
|
||
5.2. Server returns success with additional data ........... 5
|
||
5.3. Multiple authentications .............................. 5
|
||
6. Registration procedures ............................... 6
|
||
6.1. Comments on SASL mechanism registrations .............. 6
|
||
6.2. Location of Registered SASL Mechanism List ............ 6
|
||
6.3. Change Control ........................................ 7
|
||
6.4. Registration Template ................................. 7
|
||
7. Mechanism definitions ................................. 8
|
||
7.1. Kerberos version 4 mechanism .......................... 8
|
||
7.2. GSSAPI mechanism ...................................... 9
|
||
7.2.1 Client side of authentication protocol exchange ....... 9
|
||
7.2.2 Server side of authentication protocol exchange ....... 10
|
||
7.2.3 Security layer ........................................ 11
|
||
7.3. S/Key mechanism ....................................... 11
|
||
7.4. External mechanism .................................... 12
|
||
8. References ............................................ 13
|
||
9. Security Considerations ............................... 13
|
||
10. Author's Address ...................................... 14
|
||
|
||
|
||
|
||
Myers Standards Track [Page 1]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
Appendix A. Relation of SASL to Transport Security .......... 15
|
||
Full Copyright Statement .................................... 16
|
||
|
||
1. Abstract
|
||
|
||
This document describes a method for adding authentication support to
|
||
connection-based protocols. To use this specification, a protocol
|
||
includes a command for identifying and authenticating a user to a
|
||
server and for optionally negotiating protection of subsequent
|
||
protocol interactions. If its use is negotiated, a security layer is
|
||
inserted between the protocol and the connection. This document
|
||
describes how a protocol specifies such a command, defines several
|
||
mechanisms for use by the command, and defines the protocol used for
|
||
carrying a negotiated security layer over the connection.
|
||
|
||
2. Organization of this Document
|
||
|
||
2.1. How to Read This Document
|
||
|
||
This document is written to serve two different audiences, protocol
|
||
designers using this specification to support authentication in their
|
||
protocol, and implementors of clients or servers for those protocols
|
||
using this specification.
|
||
|
||
The sections "Introduction and Overview", "Profiling requirements",
|
||
and "Security Considerations" cover issues that protocol designers
|
||
need to understand and address in profiling this specification for
|
||
use in a specific protocol.
|
||
|
||
Implementors of a protocol using this specification need the
|
||
protocol-specific profiling information in addition to the
|
||
information in this document.
|
||
|
||
2.2. Conventions Used in this Document
|
||
|
||
In examples, "C:" and "S:" indicate lines sent by the client and
|
||
server respectively.
|
||
|
||
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
|
||
in this document are to be interpreted as defined in "Key words for
|
||
use in RFCs to Indicate Requirement Levels" [RFC 2119].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 2]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
2.3. Examples
|
||
|
||
Examples in this document are for the IMAP profile [RFC 2060] of this
|
||
specification. The base64 encoding of challenges and responses, as
|
||
well as the "+ " preceding the responses are part of the IMAP4
|
||
profile, not part of the SASL specification itself.
|
||
|
||
3. Introduction and Overview
|
||
|
||
The Simple Authentication and Security Layer (SASL) is a method for
|
||
adding authentication support to connection-based protocols. To use
|
||
this specification, a protocol includes a command for identifying and
|
||
authenticating a user to a server and for optionally negotiating a
|
||
security layer for subsequent protocol interactions.
|
||
|
||
The command has a required argument identifying a SASL mechanism.
|
||
SASL mechanisms are named by strings, from 1 to 20 characters in
|
||
length, consisting of upper-case letters, digits, hyphens, and/or
|
||
underscores. SASL mechanism names must be registered with the IANA.
|
||
Procedures for registering new SASL mechanisms are given in the
|
||
section "Registration procedures"
|
||
|
||
If a server supports the requested mechanism, it initiates an
|
||
authentication protocol exchange. This consists of a series of
|
||
server challenges and client responses that are specific to the
|
||
requested mechanism. The challenges and responses are defined by the
|
||
mechanisms as binary tokens of arbitrary length. The protocol's
|
||
profile then specifies how these binary tokens are then encoded for
|
||
transfer over the connection.
|
||
|
||
After receiving the authentication command or any client response, a
|
||
server may issue a challenge, indicate failure, or indicate
|
||
completion. The protocol's profile specifies how the server
|
||
indicates which of the above it is doing.
|
||
|
||
After receiving a challenge, a client may issue a response or abort
|
||
the exchange. The protocol's profile specifies how the client
|
||
indicates which of the above it is doing.
|
||
|
||
During the authentication protocol exchange, the mechanism performs
|
||
authentication, transmits an authorization identity (frequently known
|
||
as a userid) from the client to server, and negotiates the use of a
|
||
mechanism-specific security layer. If the use of a security layer is
|
||
agreed upon, then the mechanism must also define or negotiate the
|
||
maximum cipher-text buffer size that each side is able to receive.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 3]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
The transmitted authorization identity may be different than the
|
||
identity in the client's authentication credentials. This permits
|
||
agents such as proxy servers to authenticate using their own
|
||
credentials, yet request the access privileges of the identity for
|
||
which they are proxying. With any mechanism, transmitting an
|
||
authorization identity of the empty string directs the server to
|
||
derive an authorization identity from the client's authentication
|
||
credentials.
|
||
|
||
If use of a security layer is negotiated, it is applied to all
|
||
subsequent data sent over the connection. The security layer takes
|
||
effect immediately following the last response of the authentication
|
||
exchange for data sent by the client and the completion indication
|
||
for data sent by the server. Once the security layer is in effect,
|
||
the protocol stream is processed by the security layer into buffers
|
||
of cipher-text. Each buffer is transferred over the connection as a
|
||
stream of octets prepended with a four octet field in network byte
|
||
order that represents the length of the following buffer. The length
|
||
of the cipher-text buffer must be no larger than the maximum size
|
||
that was defined or negotiated by the other side.
|
||
|
||
4. Profiling requirements
|
||
|
||
In order to use this specification, a protocol definition must supply
|
||
the following information:
|
||
|
||
1. A service name, to be selected from the IANA registry of "service"
|
||
elements for the GSSAPI host-based service name form [RFC 2078].
|
||
|
||
2. A definition of the command to initiate the authentication
|
||
protocol exchange. This command must have as a parameter the
|
||
mechanism name being selected by the client.
|
||
|
||
The command SHOULD have an optional parameter giving an initial
|
||
response. This optional parameter allows the client to avoid a
|
||
round trip when using a mechanism which is defined to have the
|
||
client send data first. When this initial response is sent by the
|
||
client and the selected mechanism is defined to have the server
|
||
start with an initial challenge, the command fails. See section
|
||
5.1 of this document for further information.
|
||
|
||
3. A definition of the method by which the authentication protocol
|
||
exchange is carried out, including how the challenges and
|
||
responses are encoded, how the server indicates completion or
|
||
failure of the exchange, how the client aborts an exchange, and
|
||
how the exchange method interacts with any line length limits in
|
||
the protocol.
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 4]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
4. Identification of the octet where any negotiated security layer
|
||
starts to take effect, in both directions.
|
||
|
||
5. A specification of how the authorization identity passed from the
|
||
client to the server is to be interpreted.
|
||
|
||
5. Specific issues
|
||
|
||
5.1. Client sends data first
|
||
|
||
Some mechanisms specify that the first data sent in the
|
||
authentication protocol exchange is from the client to the server.
|
||
|
||
If a protocol's profile permits the command which initiates an
|
||
authentication protocol exchange to contain an initial client
|
||
response, this parameter SHOULD be used with such mechanisms.
|
||
|
||
If the initial client response parameter is not given, or if a
|
||
protocol's profile does not permit the command which initiates an
|
||
authentication protocol exchange to contain an initial client
|
||
response, then the server issues a challenge with no data. The
|
||
client's response to this challenge is then used as the initial
|
||
client response. (The server then proceeds to send the next
|
||
challenge, indicates completion, or indicates failure.)
|
||
|
||
5.2. Server returns success with additional data
|
||
|
||
Some mechanisms may specify that server challenge data be sent to the
|
||
client along with an indication of successful completion of the
|
||
exchange. This data would, for example, authenticate the server to
|
||
the client.
|
||
|
||
If a protocol's profile does not permit this server challenge to be
|
||
returned with a success indication, then the server issues the server
|
||
challenge without an indication of successful completion. The client
|
||
then responds with no data. After receiving this empty response, the
|
||
server then indicates successful completion.
|
||
|
||
5.3. Multiple authentications
|
||
|
||
Unless otherwise stated by the protocol's profile, only one
|
||
successful SASL negotiation may occur in a protocol session. In this
|
||
case, once an authentication protocol exchange has successfully
|
||
completed, further attempts to initiate an authentication protocol
|
||
exchange fail.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 5]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
In the case that a profile explicitly permits multiple successful
|
||
SASL negotiations to occur, then in no case may multiple security
|
||
layers be simultaneously in effect. If a security layer is in effect
|
||
and a subsequent SASL negotiation selects no security layer, the
|
||
original security layer remains in effect. If a security layer is in
|
||
effect and a subsequent SASL negotiation selects a second security
|
||
layer, then the second security layer replaces the first.
|
||
|
||
6. Registration procedures
|
||
|
||
Registration of a SASL mechanism is done by filling in the template
|
||
in section 6.4 and sending it in to iana@isi.edu. IANA has the right
|
||
to reject obviously bogus registrations, but will perform no review
|
||
of clams made in the registration form.
|
||
|
||
There is no naming convention for SASL mechanisms; any name that
|
||
conforms to the syntax of a SASL mechanism name can be registered.
|
||
|
||
While the registration procedures do not require it, authors of SASL
|
||
mechanisms are encouraged to seek community review and comment
|
||
whenever that is feasible. Authors may seek community review by
|
||
posting a specification of their proposed mechanism as an internet-
|
||
draft. SASL mechanisms intended for widespread use should be
|
||
standardized through the normal IETF process, when appropriate.
|
||
|
||
6.1. Comments on SASL mechanism registrations
|
||
|
||
Comments on registered SASL mechanisms should first be sent to the
|
||
"owner" of the mechanism. Submitters of comments may, after a
|
||
reasonable attempt to contact the owner, request IANA to attach their
|
||
comment to the SASL mechanism registration itself. If IANA approves
|
||
of this the comment will be made accessible in conjunction with the
|
||
SASL mechanism registration itself.
|
||
|
||
6.2. Location of Registered SASL Mechanism List
|
||
|
||
SASL mechanism registrations will be posted in the anonymous FTP
|
||
directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-
|
||
mechanisms/" and all registered SASL mechanisms will be listed in the
|
||
periodically issued "Assigned Numbers" RFC [currently STD 2, RFC
|
||
1700]. The SASL mechanism description and other supporting material
|
||
may also be published as an Informational RFC by sending it to "rfc-
|
||
editor@isi.edu" (please follow the instructions to RFC authors [RFC
|
||
2223]).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 6]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
6.3. Change Control
|
||
|
||
Once a SASL mechanism registration has been published by IANA, the
|
||
author may request a change to its definition. The change request
|
||
follows the same procedure as the registration request.
|
||
|
||
The owner of a SASL mechanism may pass responsibility for the SASL
|
||
mechanism to another person or agency by informing IANA; this can be
|
||
done without discussion or review.
|
||
|
||
The IESG may reassign responsibility for a SASL mechanism. The most
|
||
common case of this will be to enable changes to be made to
|
||
mechanisms where the author of the registration has died, moved out
|
||
of contact or is otherwise unable to make changes that are important
|
||
to the community.
|
||
|
||
SASL mechanism registrations may not be deleted; mechanisms which are
|
||
no longer believed appropriate for use can be declared OBSOLETE by a
|
||
change to their "intended use" field; such SASL mechanisms will be
|
||
clearly marked in the lists published by IANA.
|
||
|
||
The IESG is considered to be the owner of all SASL mechanisms which
|
||
are on the IETF standards track.
|
||
|
||
6.4. Registration Template
|
||
|
||
To: iana@iana.org
|
||
Subject: Registration of SASL mechanism X
|
||
|
||
SASL mechanism name:
|
||
|
||
Security considerations:
|
||
|
||
Published specification (optional, recommended):
|
||
|
||
Person & email address to contact for further information:
|
||
|
||
Intended usage:
|
||
|
||
(One of COMMON, LIMITED USE or OBSOLETE)
|
||
|
||
Author/Change controller:
|
||
|
||
(Any other information that the author deems interesting may be
|
||
added below this line.)
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 7]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
7. Mechanism definitions
|
||
|
||
The following mechanisms are hereby defined.
|
||
|
||
7.1. Kerberos version 4 mechanism
|
||
|
||
The mechanism name associated with Kerberos version 4 is
|
||
"KERBEROS_V4".
|
||
|
||
The first challenge consists of a random 32-bit number in network
|
||
byte order. The client responds with a Kerberos ticket and an
|
||
authenticator for the principal "service.hostname@realm", where
|
||
"service" is the service name specified in the protocol's profile,
|
||
"hostname" is the first component of the host name of the server with
|
||
all letters in lower case, and where "realm" is the Kerberos realm of
|
||
the server. The encrypted checksum field included within the
|
||
Kerberos authenticator contains the server provided challenge in
|
||
network byte order.
|
||
|
||
Upon decrypting and verifying the ticket and authenticator, the
|
||
server verifies that the contained checksum field equals the original
|
||
server provided random 32-bit number. Should the verification be
|
||
successful, the server must add one to the checksum and construct 8
|
||
octets of data, with the first four octets containing the incremented
|
||
checksum in network byte order, the fifth octet containing a bit-mask
|
||
specifying the security layers supported by the server, and the sixth
|
||
through eighth octets containing, in network byte order, the maximum
|
||
cipher-text buffer size the server is able to receive. The server
|
||
must encrypt using DES ECB mode the 8 octets of data in the session
|
||
key and issue that encrypted data in a second challenge. The client
|
||
considers the server authenticated if the first four octets of the
|
||
un-encrypted data is equal to one plus the checksum it previously
|
||
sent.
|
||
|
||
The client must construct data with the first four octets containing
|
||
the original server-issued checksum in network byte order, the fifth
|
||
octet containing the bit-mask specifying the selected security layer,
|
||
the sixth through eighth octets containing in network byte order the
|
||
maximum cipher-text buffer size the client is able to receive, and
|
||
the following octets containing the authorization identity. The
|
||
client must then append from one to eight zero-valued octets so that
|
||
the length of the data is a multiple of eight octets. The client must
|
||
then encrypt using DES PCBC mode the data with the session key and
|
||
respond with the encrypted data. The server decrypts the data and
|
||
verifies the contained checksum. The server must verify that the
|
||
principal identified in the Kerberos ticket is authorized to connect
|
||
as that authorization identity. After this verification, the
|
||
authentication process is complete.
|
||
|
||
|
||
|
||
Myers Standards Track [Page 8]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
The security layers and their corresponding bit-masks are as follows:
|
||
|
||
1 No security layer
|
||
2 Integrity (krb_mk_safe) protection
|
||
4 Privacy (krb_mk_priv) protection
|
||
|
||
Other bit-masks may be defined in the future; bits which are not
|
||
understood must be negotiated off.
|
||
|
||
EXAMPLE: The following are two Kerberos version 4 login scenarios to
|
||
the IMAP4 protocol (note that the line breaks in the sample
|
||
authenticators are for editorial clarity and are not in real
|
||
authenticators)
|
||
|
||
S: * OK IMAP4 Server
|
||
C: A001 AUTHENTICATE KERBEROS_V4
|
||
S: + AmFYig==
|
||
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
|
||
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
|
||
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
|
||
S: + or//EoAADZI=
|
||
C: DiAF5A4gA+oOIALuBkAAmw==
|
||
S: A001 OK Kerberos V4 authentication successful
|
||
|
||
|
||
S: * OK IMAP4 Server
|
||
C: A001 AUTHENTICATE KERBEROS_V4
|
||
S: + gcfgCA==
|
||
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
|
||
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
|
||
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
|
||
S: A001 NO Kerberos V4 authentication failed
|
||
|
||
7.2. GSSAPI mechanism
|
||
|
||
The mechanism name associated with all mechanisms employing the
|
||
GSSAPI [RFC 2078] is "GSSAPI".
|
||
|
||
7.2.1 Client side of authentication protocol exchange
|
||
|
||
The client calls GSS_Init_sec_context, passing in 0 for
|
||
input_context_handle (initially) and a targ_name equal to output_name
|
||
from GSS_Import_Name called with input_name_type of
|
||
GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
|
||
"service@hostname" where "service" is the service name specified in
|
||
the protocol's profile, and "hostname" is the fully qualified host
|
||
name of the server. The client then responds with the resulting
|
||
output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
|
||
|
||
|
||
|
||
Myers Standards Track [Page 9]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
then the client should expect the server to issue a token in a
|
||
subsequent challenge. The client must pass the token to another call
|
||
to GSS_Init_sec_context, repeating the actions in this paragraph.
|
||
|
||
When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes
|
||
the following actions: If the last call to GSS_Init_sec_context
|
||
returned an output_token, then the client responds with the
|
||
output_token, otherwise the client responds with no data. The client
|
||
should then expect the server to issue a token in a subsequent
|
||
challenge. The client passes this token to GSS_Unwrap and interprets
|
||
the first octet of resulting cleartext as a bit-mask specifying the
|
||
security layers supported by the server and the second through fourth
|
||
octets as the maximum size output_message to send to the server. The
|
||
client then constructs data, with the first octet containing the
|
||
bit-mask specifying the selected security layer, the second through
|
||
fourth octets containing in network byte order the maximum size
|
||
output_message the client is able to receive, and the remaining
|
||
octets containing the authorization identity. The client passes the
|
||
data to GSS_Wrap with conf_flag set to FALSE, and responds with the
|
||
generated output_message. The client can then consider the server
|
||
authenticated.
|
||
|
||
7.2.2 Server side of authentication protocol exchange
|
||
|
||
The server passes the initial client response to
|
||
GSS_Accept_sec_context as input_token, setting input_context_handle
|
||
to 0 (initially). If GSS_Accept_sec_context returns
|
||
GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
|
||
to the client in challenge and passes the resulting response to
|
||
another call to GSS_Accept_sec_context, repeating the actions in this
|
||
paragraph.
|
||
|
||
When GSS_Accept_sec_context returns GSS_S_COMPLETE, the client takes
|
||
the following actions: If the last call to GSS_Accept_sec_context
|
||
returned an output_token, the server returns it to the client in a
|
||
challenge and expects a reply from the client with no data. Whether
|
||
or not an output_token was returned (and after receipt of any
|
||
response from the client to such an output_token), the server then
|
||
constructs 4 octets of data, with the first octet containing a bit-
|
||
mask specifying the security layers supported by the server and the
|
||
second through fourth octets containing in network byte order the
|
||
maximum size output_token the server is able to receive. The server
|
||
must then pass the plaintext to GSS_Wrap with conf_flag set to FALSE
|
||
and issue the generated output_message to the client in a challenge.
|
||
The server must then pass the resulting response to GSS_Unwrap and
|
||
interpret the first octet of resulting cleartext as the bit-mask for
|
||
the selected security layer, the second through fourth octets as the
|
||
maximum size output_message to send to the client, and the remaining
|
||
|
||
|
||
|
||
Myers Standards Track [Page 10]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
octets as the authorization identity. The server must verify that
|
||
the src_name is authorized to authenticate as the authorization
|
||
identity. After these verifications, the authentication process is
|
||
complete.
|
||
|
||
7.2.3 Security layer
|
||
|
||
The security layers and their corresponding bit-masks are as follows:
|
||
|
||
1 No security layer
|
||
2 Integrity protection.
|
||
Sender calls GSS_Wrap with conf_flag set to FALSE
|
||
4 Privacy protection.
|
||
Sender calls GSS_Wrap with conf_flag set to TRUE
|
||
|
||
Other bit-masks may be defined in the future; bits which are not
|
||
understood must be negotiated off.
|
||
|
||
7.3. S/Key mechanism
|
||
|
||
The mechanism name associated with S/Key [RFC 1760] using the MD4
|
||
digest algorithm is "SKEY".
|
||
|
||
The client sends an initial response with the authorization identity.
|
||
|
||
The server then issues a challenge which contains the decimal
|
||
sequence number followed by a single space and the seed string for
|
||
the indicated authorization identity. The client responds with the
|
||
one-time-password, as either a 64-bit value in network byte order or
|
||
encoded in the "six English words" format.
|
||
|
||
The server must verify the one-time-password. After this
|
||
verification, the authentication process is complete.
|
||
|
||
S/Key authentication does not provide for any security layers.
|
||
|
||
EXAMPLE: The following are two S/Key login scenarios in the IMAP4
|
||
protocol.
|
||
|
||
S: * OK IMAP4 Server
|
||
C: A001 AUTHENTICATE SKEY
|
||
S: +
|
||
C: bW9yZ2Fu
|
||
S: + OTUgUWE1ODMwOA==
|
||
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
|
||
S: A001 OK S/Key authentication successful
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 11]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
S: * OK IMAP4 Server
|
||
C: A001 AUTHENTICATE SKEY
|
||
S: +
|
||
C: c21pdGg=
|
||
S: + OTUgUWE1ODMwOA==
|
||
C: BsAY3g4gBNo=
|
||
S: A001 NO S/Key authentication failed
|
||
|
||
The following is an S/Key login scenario in an IMAP4-like protocol
|
||
which has an optional "initial response" argument to the AUTHENTICATE
|
||
command.
|
||
|
||
S: * OK IMAP4-Like Server
|
||
C: A001 AUTHENTICATE SKEY bW9yZ2Fu
|
||
S: + OTUgUWE1ODMwOA==
|
||
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
|
||
S: A001 OK S/Key authentication successful
|
||
|
||
7.4. External mechanism
|
||
|
||
The mechanism name associated with external authentication is
|
||
"EXTERNAL".
|
||
|
||
The client sends an initial response with the authorization identity.
|
||
|
||
The server uses information, external to SASL, to determine whether
|
||
the client is authorized to authenticate as the authorization
|
||
identity. If the client is so authorized, the server indicates
|
||
successful completion of the authentication exchange; otherwise the
|
||
server indicates failure.
|
||
|
||
The system providing this external information may be, for example,
|
||
IPsec or TLS.
|
||
|
||
If the client sends the empty string as the authorization identity
|
||
(thus requesting the authorization identity be derived from the
|
||
client's authentication credentials), the authorization identity is
|
||
to be derived from authentication credentials which exist in the
|
||
system which is providing the external authentication.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 12]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
8. References
|
||
|
||
[RFC 2060] Crispin, M., "Internet Message Access Protocol - Version
|
||
4rev1", RFC 2060, December 1996.
|
||
|
||
[RFC 2078] Linn, J., "Generic Security Service Application Program
|
||
Interface, Version 2", RFC 2078, January 1997.
|
||
|
||
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", RFC 2119, March 1997.
|
||
|
||
[RFC 2223] Postel, J., and J. Reynolds, "Instructions to RFC
|
||
Authors", RFC 2223, October 1997.
|
||
|
||
[RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC
|
||
1760, February 1995.
|
||
|
||
[RFC 1700] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2,
|
||
RFC 1700, October 1994.
|
||
|
||
9. Security Considerations
|
||
|
||
Security issues are discussed throughout this memo.
|
||
|
||
The mechanisms that support integrity protection are designed such
|
||
that the negotiation of the security layer and authorization identity
|
||
is integrity protected. When the client selects a security layer
|
||
with at least integrity protection, this protects against an active
|
||
attacker hijacking the connection and modifying the authentication
|
||
exchange to negotiate a plaintext connection.
|
||
|
||
When a server or client supports multiple authentication mechanisms,
|
||
each of which has a different security strength, it is possible for
|
||
an active attacker to cause a party to use the least secure mechanism
|
||
supported. To protect against this sort of attack, a client or
|
||
server which supports mechanisms of different strengths should have a
|
||
configurable minimum strength that it will use. It is not sufficient
|
||
for this minimum strength check to only be on the server, since an
|
||
active attacker can change which mechanisms the client sees as being
|
||
supported, causing the client to send authentication credentials for
|
||
its weakest supported mechanism.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 13]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
The client's selection of a SASL mechanism is done in the clear and
|
||
may be modified by an active attacker. It is important for any new
|
||
SASL mechanisms to be designed such that an active attacker cannot
|
||
obtain an authentication with weaker security properties by modifying
|
||
the SASL mechanism name and/or the challenges and responses.
|
||
|
||
Any protocol interactions prior to authentication are performed in
|
||
the clear and may be modified by an active attacker. In the case
|
||
where a client selects integrity protection, it is important that any
|
||
security-sensitive protocol negotiations be performed after
|
||
authentication is complete. Protocols should be designed such that
|
||
negotiations performed prior to authentication should be either
|
||
ignored or revalidated once authentication is complete.
|
||
|
||
10. Author's Address
|
||
|
||
John G. Myers
|
||
Netscape Communications
|
||
501 E. Middlefield Road
|
||
Mail Stop MV-029
|
||
Mountain View, CA 94043-4042
|
||
|
||
EMail: jgmyers@netscape.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 14]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
Appendix A. Relation of SASL to Transport Security
|
||
|
||
Questions have been raised about the relationship between SASL and
|
||
various services (such as IPsec and TLS) which provide a secured
|
||
connection.
|
||
|
||
Two of the key features of SASL are:
|
||
|
||
1. The separation of the authorization identity from the identity in
|
||
the client's credentials. This permits agents such as proxy
|
||
servers to authenticate using their own credentials, yet request
|
||
the access privileges of the identity for which they are proxying.
|
||
|
||
2. Upon successful completion of an authentication exchange, the
|
||
server knows the authorization identity the client wishes to use.
|
||
This allows servers to move to a "user is authenticated" state in
|
||
the protocol.
|
||
|
||
These features are extremely important to some application protocols,
|
||
yet Transport Security services do not always provide them. To
|
||
define SASL mechanisms based on these services would be a very messy
|
||
task, as the framing of these services would be redundant with the
|
||
framing of SASL and some method of providing these important SASL
|
||
features would have to be devised.
|
||
|
||
Sometimes it is desired to enable within an existing connection the
|
||
use of a security service which does not fit the SASL model. (TLS is
|
||
an example of such a service.) This can be done by adding a command,
|
||
for example "STARTTLS", to the protocol. Such a command is outside
|
||
the scope of SASL, and should be different from the command which
|
||
starts a SASL authentication protocol exchange.
|
||
|
||
In certain situations, it is reasonable to use SASL underneath one of
|
||
these Transport Security services. The transport service would
|
||
secure the connection, either service would authenticate the client,
|
||
and SASL would negotiate the authorization identity. The SASL
|
||
negotiation would be what moves the protocol from "unauthenticated"
|
||
to "authenticated" state. The "EXTERNAL" SASL mechanism is
|
||
explicitly intended to handle the case where the transport service
|
||
secures the connection and authenticates the client and SASL
|
||
negotiates the authorization identity.
|
||
|
||
When using SASL underneath a sufficiently strong Transport Security
|
||
service, a SASL security layer would most likely be redundant. The
|
||
client and server would thus probably want to negotiate off the use
|
||
of a SASL security layer.
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 15]
|
||
|
||
RFC 2222 SASL October 1997
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (1997). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implmentation may be prepared, copied, published
|
||
andand distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Myers Standards Track [Page 16]
|
||
|