Simple Authentication and Security Layer
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. A mechanism establishes an authentication identity; mechanisms can also support proxy authorization, in which the client names a separate authorization identity it wishes to act as and the server decides whether the authenticated user is permitted to assume that identity. Some mechanisms additionally negotiate a data security layer offering data integrity and data confidentiality services for the rest of the session; DIGEST-MD5 and GSSAPI are examples of mechanisms that can provide one. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL, and in practice TLS is what protects cleartext mechanisms such as PLAIN on the wire.

In 1997 John Gardiner Myers wrote the original SASL specification (RFC 2222) while at Carnegie Mellon University. In 2006 that document was obsoleted by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.

SASL is an IETF Standard Track protocol, a Proposed Standard.

SASL mechanisms

A SASL mechanism implements a series of challenges and responses: the server may send a challenge, the client answers with a response, and the exchange repeats until the mechanism reports success or failure. Defined SASL mechanisms include:
  • "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS, where the identity is taken from the IPsec security association or the TLS client certificate)
  • "ANONYMOUS", for unauthenticated guest access
  • "PLAIN", a simple cleartext password mechanism (RFC 4616). PLAIN obsoleted the non-standard LOGIN mechanism. Because the password crosses the wire as-is, it should only be offered over a TLS-protected or otherwise encrypted connection.
  • "OTP", a one-time password mechanism. OTP obsoleted the SKEY mechanism.
  • "SKEY", an S/KEY mechanism.
  • "CRAM-MD5", a simple challenge-response scheme based on HMAC-MD5 (RFC 2195). It keeps the password off the wire, but the server must store the cleartext password (or an HMAC-equivalent of it) rather than a salted hash, and it does not authenticate the server to the client.
  • "DIGEST-MD5", an HTTP Digest compatible challenge-response scheme based upon MD5 (RFC 2831). DIGEST-MD5 offers a data security layer. It was later moved to Historic status by RFC 6331 because of its cryptographic weaknesses and interoperability problems.
  • "NTLM", an NT LAN Manager authentication mechanism
  • "GSSAPI", for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data-security layer.
  • GateKeeper (& GateKeeperPassport), a challenge-response mechanism developed by Microsoft for MSN Chat

The GS2 family of mechanisms supports arbitrary GSS-API mechanisms in SASL. It is now standardized as RFC 5801. SCRAM (RFC 5802), a salted challenge-response mechanism intended to replace the MD5-based mechanisms, uses the GS2 message format.
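A worked exchange for two of the mechanisms above, PLAIN and CRAM-MD5, added here as an example (it is not code from the original article or from any SASL library). It shows both sides of each mechanism: the client builds the mechanism message, the server verifies it, and for PLAIN the server also applies a proxy-authorization policy. The user database, the proxy policy and the "alice" credentials are constructed test values; the "tim"/"tanstaaftanstaaf" entry and the challenge string used in the usage note are the published example from RFC 2195.

```python
"""Worked SASL mechanism exchanges for PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195).

Added example; not code from the original article or from any SASL library.
USERS and PROXY_ALLOWED are constructed test data.  The "tim" entry is the
published example credential from RFC 2195.
"""
import hashlib
import hmac
import secrets
import time

# Constructed credential store.  Both mechanisms below need the server to hold
# the cleartext password (or, for CRAM-MD5, an HMAC-equivalent of it); a salted,
# iterated hash cannot be used, which is a real cost of these mechanisms.
USERS = {
    "tim": "tanstaaftanstaaf",  # RFC 2195 example credentials
    "alice": "correct horse battery staple",  # constructed
}
# Constructed proxy-authorization policy: (authentication id, authorization id).
PROXY_ALLOWED = {("alice", "bob")}


def plain_client_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the single PLAIN client message: [authzid] NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not permitted inside PLAIN fields")
    return "\0".join((authzid, authcid, password)).encode("utf-8")


def plain_server_verify(message: bytes):
    """Check a PLAIN message; return the authorization identity, or None on failure."""
    parts = message.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    expected = USERS.get(authcid)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    if authzid == "":
        return authcid  # no proxying requested: act as the authenticated user
    return authzid if (authcid, authzid) in PROXY_ALLOWED else None


def cram_md5_challenge(host: str = "example.com") -> bytes:
    """Server challenge in msg-id form.  The random part makes it unguessable and
    its uniqueness means a captured response is useless against a later challenge."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>".encode("ascii")


def cram_md5_client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client answer: username SP lowercase-hex HMAC-MD5(key=password, msg=challenge)."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode("utf-8")


def cram_md5_server_verify(challenge: bytes, response: bytes):
    """Recompute the HMAC over the challenge actually issued; return username or None."""
    try:
        username, digest = response.decode("utf-8").rsplit(" ", 1)
    except ValueError:  # no separator, or not valid UTF-8
        return None
    password = USERS.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8")) else None


if __name__ == "__main__":
    # PLAIN: one client message, no server challenge; alice asks to act as bob.
    msg = plain_client_response("alice", USERS["alice"], authzid="bob")
    print("PLAIN as bob ->", plain_server_verify(msg))
    # CRAM-MD5: server challenge, client HMAC, server recomputation.
    chal = cram_md5_challenge()
    resp = cram_md5_client_response("alice", USERS["alice"], chal)
    print("CRAM-MD5 ->", cram_md5_server_verify(chal, resp))
```

With the RFC 2195 challenge `<1896.697170952@postoffice.reston.mci.net>`, the client for "tim" produces `tim b913a602c7eda7a495b4e6e7334d3890`, the digest printed in that RFC. The CRAM-MD5 server deliberately recomputes the HMAC over the challenge it issued rather than anything the client supplies, so a response captured for one challenge fails against the next one.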

SASL-aware application protocols

Application protocols define their representation of SASL exchanges with a profile: how the client names the mechanism, how challenge and response octets are carried in the protocol (typically base64-encoded), whether the client may send an initial response with the mechanism name, how either side aborts, and how success or failure is reported. A protocol also has a service name, such as "ldap", in a registry shared with GSSAPI and Kerberos; mechanisms such as GSSAPI use it to build the service principal the client authenticates to.

Protocols currently supporting SASL include:
  • AMQP
  • BEEP
  • IMAP
  • LDAP
  • IRC (either IRCX or the Charybdis extension)
  • POP
  • SMTP
  • IMSP
  • ACAP
  • ManageSieve
  • XMPP
  • Subversion's custom "svn" protocol
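How one of these profiles frames the exchange, using SMTP AUTH (RFC 4954) as the example; this is added here and is not code from the original article or from any mail server. The session object maps SMTP's AUTH command, its 334 continuation replies, "=" for an empty initial response, "*" for a client abort and the 235/535 outcome replies onto a mechanism's abstract challenge/response steps. The mechanism registry and the credentials are constructed test values, and PlainMechanism is a deliberately minimal server-side PLAIN so the profile logic stays in view.

```python
"""SMTP AUTH (RFC 4954) as a SASL profile: how the protocol carries the exchange.

Added example; not code from the original article or from any mail server.
USERS is constructed test data and PlainMechanism is a minimal server-side PLAIN.
"""
import base64
import hmac

USERS = {"alice": "s3cret"}  # constructed credentials


class PlainMechanism:
    """Server side of PLAIN: a single client message and no server challenge."""

    def __init__(self):
        self.identity = None  # set when the exchange succeeds

    def step(self, client_message: bytes):
        """Consume one client message; return (server challenge, finished)."""
        parts = client_message.split(b"\0")
        if len(parts) == 3:
            authzid, authcid, password = (p.decode("utf-8") for p in parts)
            expected = USERS.get(authcid)
            if expected is not None and hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
                self.identity = authzid or authcid
        return None, True  # PLAIN is always complete after the first message


MECHANISMS = {"PLAIN": PlainMechanism}  # what the server would advertise in its EHLO AUTH line


class SmtpAuthSession:
    """Maps SMTP commands and replies onto a mechanism's abstract steps.

    Profile rules shown: the mechanism name travels on the AUTH command, an
    optional initial response travels base64-encoded on the same line, "=" encodes
    a zero-length initial response, "334 <base64>" carries a server challenge
    (a bare "334 " when the challenge is empty), "*" aborts, and 235/535 report
    the outcome.
    """

    def __init__(self):
        self.mech = None
        self.authenticated = None

    def handle(self, line: str) -> str:
        """Process one client line and return the server reply."""
        return self._continue(line) if self.mech else self._start(line)

    def _start(self, line: str) -> str:
        words = line.split(" ")
        if words[0].upper() != "AUTH" or len(words) not in (2, 3):
            return "501 5.5.4 Syntax: AUTH mechanism [initial-response]"
        factory = MECHANISMS.get(words[1].upper())
        if factory is None:
            return "504 5.5.4 Unrecognized authentication type"
        self.mech = factory()
        if len(words) == 2:
            return "334 "  # empty challenge: ask the client for its first message
        if words[2] == "=":
            return self._feed(b"")  # zero-length initial response
        return self._feed_b64(words[2])

    def _continue(self, line: str) -> str:
        if line == "*":
            self.mech = None
            return "501 5.7.0 Authentication aborted"
        return self._feed_b64(line)

    def _feed_b64(self, text: str) -> str:
        try:
            data = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            self.mech = None
            return "501 5.5.2 Cannot decode response"
        return self._feed(data)

    def _feed(self, data: bytes) -> str:
        challenge, done = self.mech.step(data)
        if not done:
            return "334 " + base64.b64encode(challenge).decode("ascii")
        identity, self.mech = self.mech.identity, None
        if identity is None:
            return "535 5.7.8 Authentication credentials invalid"
        self.authenticated = identity
        return "235 2.7.0 Authentication successful"


if __name__ == "__main__":
    s = SmtpAuthSession()
    print("C: AUTH PLAIN")
    print("S:", s.handle("AUTH PLAIN"))
    print("C: AGFsaWNlAHMzY3JldA==")  # base64 of "\0alice\0s3cret"
    print("S:", s.handle("AGFsaWNlAHMzY3JldA=="))
```

The same exchange can be collapsed into one round trip by putting the initial response on the command line (`AUTH PLAIN AGFsaWNlAHMzY3JldA==`), which is the form most clients send; the mechanism code does not change, only the profile's framing does. A mechanism with real server challenges would return `(challenge, False)` from `step`, and the session would relay it as a `334` line without knowing anything about its contents.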

External links

  • RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletes RFC 2222
  • RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes RFC 2245
  • The IETF SASL Working Group, chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
  • CMU SASL Information
  • Cyrus SASL, a free and portable SASL library providing generic security for various applications
  • GNU SASL, a free and portable SASL command-line utility and library, distributed under the GNU GPLv3 and LGPLv2.1, respectively
  • Dovecot SASL, an SASL implementation
  • RFC 2831 - Using Digest Authentication as a SASL Mechanism (moved to Historic by RFC 6331)
  • Java SASL API Programming and Deployment Guide
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.