Simple Authentication and Security Layer
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.
In 1997 John Gardiner Myers wrote the original SASL specification (RFC 2222) while at Carnegie Mellon University. In 2006 that document was obsoleted by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.
SASL is an IETF Standard Track protocol, As of 2010[update] a Proposed Standard.
SASL mechanisms
A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms[1] include:
- "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS)
- "ANONYMOUS", for unauthenticated guest access
- "PLAIN", a simple cleartext password mechanism. PLAIN obsoleted the LOGIN mechanism.
- "OTP", a one-time password mechanism. OTP obsoleted the SKEY Mechanism.
- "SKEY", an S/KEY mechanism.
- "CRAM-MD5", a simple challenge-response scheme based on HMAC-MD5.
- "DIGEST-MD5", HTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offers a data security layer.
- "NTLM", an NT LAN Manager authentication mechanism
- "GSSAPI", for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data-security layer.
- GateKeeper (& GateKeeperPassport), a challenge-response mechanism developed by Microsoft for MSN Chat
The GS2 family of mechanisms supports arbitrary GSS-API mechanisms in SASL.[2] It is now standardized as RFC 5801.
SASL-aware application protocols
Application protocols define their representation of SASL exchanges with a profile. A protocol has a service name such as "ldap" in a registry shared with GSSAPI and Kerberos.[3]
As of 2010[update] protocols currently supporting SASL include:
- AMQP
- BEEP
- IMAP
- LDAP
- IRC (either IRCX or Charybdis extension)
- POP
- SMTP
- IMSP
- ACAP
- ManageSieve
- XMPP
- Subversion's custom "svn" protocol
See also
- Transport Layer Security (TLS)
External links
- RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletes RFC 2222
- RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes RFC 2245
- The IETF SASL Working Group, chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
- CMU SASL Information
- Cyrus SASL, a free and portable SASL library providing generic security for various applications[4]
- GNU SASL, a free and portable SASL command-line utility and library, distributed under the GNU GPLv3 and LGPLv2.1, respectively
- Dovecot SASL, an SASL implementation
- RFC 2831 - Using Digest Authentication as a SASL Mechanism
- Java SASL API Programming and Deployment Guide
References
- ^ SASL mechanisms
- ^ Simon Josefsson. "Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family".
- ^ GSSAPI/Kerberos/SASL Service names
- ^
Bartlett, Andrew (2005-04-25). "GENSEC - Designing a security subsystem" (PDF). p. 4. Retrieved 2010-03-28.
The idea of a generic security API is not new [...] to implement, by some mechanism or other, a wide variety of these protocols, including SASL, GSS-API, SPNEGO as well as the proprietary NTLMSSP [...] in the wider open source world we see individual applications introduce similar abstraction layers, or adopt the Open Source Cyrus-SASL library to provide one.
{{cite web}}: More than one of|pages=and|page=specified (help)