Simple Authentication and Security Layer

Last updated August 14, 2022

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.

SASL mechanisms

A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms^[1] include:

EXTERNAL: where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS)
ANONYMOUS: for unauthenticated guest access
PLAIN: a simple cleartext password mechanism, defined in RFC 4616
OTP: a one-time password mechanism. Obsoletes the SKEY mechanism.
SKEY: an S/KEY mechanism.
CRAM-MD5: a simple challenge-response scheme based on HMAC-MD5.
DIGEST-MD5: (historic^[2]), partially HTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offered a data security layer.
SCRAM: (RFC 5802), modern challenge-response scheme based mechanism with channel binding support
NTLM: an NT LAN Manager authentication mechanism
GS2-: family of mechanisms supports arbitrary GSS-API mechanisms in SASL.^[3] It is now standardized as RFC 5801.
GSSAPI: for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data-security layer.
BROWSERID-AES128: for Mozilla Persona authentication^[4]
EAP-AES128: for GSS EAP authentication^[5]
GateKeeper (& GateKeeperPassport): a challenge-response mechanism developed by Microsoft for MSN Chat
OAUTHBEARER: OAuth 2.0 bearer tokens (RFC 6750), communicated through TLS^[6]
OAUTH10A: OAuth 1.0a message-authentication-code tokens (RFC 5849, Section 3.4.2)^[6]

SASL-aware application protocols

Application protocols define their representation of SASL exchanges with a profile. A protocol has a service name such as "ldap" in a registry shared with GSSAPI and Kerberos.^[7]

As of 2012^[update] protocols currently supporting SASL include:

Application Configuration Access Protocol
Advanced Message Queuing Protocol (AMQP)
Blocks Extensible Exchange Protocol
Internet Message Access Protocol (IMAP)
Internet Message Support Protocol
Internet Relay Chat (IRC) (with IRCX or the IRCv3 SASL extension)
Lightweight Directory Access Protocol (LDAP)
libvirt
ManageSieve (RFC 5804)
memcached
Post Office Protocol (POP)
Remote framebuffer protocol ^[8] used by VNC
Simple Mail Transfer Protocol (SMTP)
Subversion svn protocol
Extensible Messaging and Presence Protocol (XMPP)

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

In computing, the Post Office Protocol (POP) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. POP version 3 (POP3) is the version in common use, and along with IMAP the most common protocols for email retrieval.

The Simple Mail Transfer Protocol (SMTP) is an internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Extensible Messaging and Presence Protocol is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML, it enables the near-real-time exchange of structured data between two or more network entities. Designed to be extensible, the protocol offers a multitude of applications beyond traditional IM in the broader realm of message-oriented middleware, including signalling for VoIP, video, file transfer, gaming and other uses.

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

The Blocks Extensible Exchange Protocol (BEEP) is a framework for creating network application protocols. BEEP includes building blocks like framing, pipelining, multiplexing, reporting and authentication for connection and message-oriented peer-to-peer (P2P) protocols with support of asynchronous full-duplex communication.

Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from the earlier RADIUS protocol. It belongs to the application layer protocols in the internet protocol suite.

The Generic Security Service Application Program Interface is an application programming interface for programs to access security services.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

In cryptography, CRAM-MD5 is a challenge–response authentication mechanism (CRAM) based on the HMAC-MD5 algorithm. As one of the mechanisms supported by the Simple Authentication and Security Layer (SASL), it is often used in email software as part of SMTP Authentication and for the authentication of POP and IMAP users, as well as in applications implementing LDAP, XMPP, BEEP, and other protocols.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit the users to share information about their accounts with third-party applications or websites.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby a client may log in using any authentication mechanism supported by the server. It is mainly used by submission servers, where authentication is mandatory.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL), it can be used for password-based logins to services like SMTP and IMAP (e-mail), or XMPP (chat). For XMPP, supporting it is mandatory.

Token Binding is a proposed standard for a Transport Layer Security (TLS) extension that aims to increase TLS security by using cryptographic certificates on both ends of the TLS connection. Current practice often depends on bearer tokens, which may be lost or stolen. Bearer tokens are also vulnerable to man-in-the-middle attacks or replay attacks. In contrast, bound tokens are established by a user agent that generates a private-public key pair per target server, providing the public key to the server, and thereafter proving possession of the corresponding private key on every TLS connection to the server.

References

↑ "Simple Authentication and Security Layer (SASL) Mechanisms". iana.org.
↑ RFC 6331
↑ Simon Josefsson. "Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family".
↑ Luke Howard. "A SASL and GSS-API Mechanism for the BrowserID Authentication Protocol".
↑ Sam Hartman. "A GSS-API Mechanism for the Extensible Authentication Protocol".
1 2 A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth. IETF. August 2015. doi: 10.17487/RFC7628 . RFC 7628 . Retrieved October 7, 2016.
↑ "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names". iana.org.
↑ "Request for allocation of new security type code for SASL auth". realvnc.com.

External links

RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletes RFC 2222
RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes RFC 2245
RFC 4616 - The PLAIN Simple Authentication and Security Layer (SASL) Mechanism - updates RFC 2595
The IETF SASL Working Group, chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
Cyrus SASL, a free and portable SASL library providing generic security for various applications
GNU SASL, a free and portable SASL command-line utility and library, distributed under the GNU GPLv3 and LGPLv2.1, respectively
Dovecot SASL, an SASL implementation
RFC 2831 (historic) - Using Digest Authentication as a SASL Mechanism, obsoleted in RFC 6331
Java SASL API Programming and Deployment Guide

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Simple Authentication and Security Layer (SASL) Mechanisms". iana.org.

[2] RFC 6331

[3] Simon Josefsson. "Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family".

[4] Luke Howard. "A SASL and GSS-API Mechanism for the BrowserID Authentication Protocol".

[5] Sam Hartman. "A GSS-API Mechanism for the Extensible Authentication Protocol".

[rfc7628-6] 1 2 A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth. IETF. August 2015. doi: 10.17487/RFC7628 . RFC 7628 . Retrieved October 7, 2016.

[7] "Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names". iana.org.

[8] "Request for allocation of new security type code for SASL auth". realvnc.com.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons