Overview#
Simple Authentication and Security Layer (SASL) is a framework for Authentication and data Security Layer that can provide data integrity, data confidentiality, and other services for Internet ProtocolsSASL allows Authentication Method to be decoupled from application protocols, in theory allowing any Authentication Method supported by SASL to be used in any application protocol that uses SASL.Authentication Methods may also support Delegation. They may also provide a data Security Layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data Security Layer.
The original SASL specification RFC 2222 while at Carnegie Mellon University. In 2006 that document was made obsolete by RFC 4422, but a number of specific SASL Mechanisms are described in other specifications. [2]
As SASL Mechanisms are External to the Protocol, they may be referred to as EXTERNAL SASL Mechanism even though the SASL Mechanism may reside on and be done on by the same server.
Generic Operation [1]#
The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client determines which of the supported authentication mechanisms will be used (based on the client’s capabilities and security requirements.Protocols that contain SASL support include:
- LDAP (Internet Standard Lightweight Directory Access Protocol)
- SMTP (Internet Standard Simple Message Transfer Protocol)
- POP3 (Internet Standard Post Office Protocol v3)
- IMAP (Internet Standard Internet Mail Access Protocol)
- XMPP: Extensible Messaging and Presence Protocol
- Isode's SOM (Switch Operations and Management) Protocol
To be used with SASL, a new authentication mechanism needs to be registered, and any authentication mechanism specific capabilities need to be agreed upon.
Some selected SASL authentication mechanisms are listed below:
| Mechanism | Standardization | What it Does |
|---|---|---|
| CRAM-MD5 | RFC 2195 | Use MD5 hash for client authentication |
| DIGEST-MD5 | RFC 2831 | Adds server authentication and confidentiality to CRAM-MD5 |
| GSSAPI | RFC 4752 | For supporting Kerberos authentication |
| EXTERNAL | RFC 4422 | For use with SSL/TLS and X.509 Digital Signatures |
| PLAIN | RFC 4616 | Plaintext password |
| LOGIN | de facto | Alternative to PLAIN SASL Mechanism |
| NTLM | Microsoft Proprietary | Similar to CRAM-MD5 |
| SCRAM-SHA-1 | RFC 5802 | Salted Challenge Response Mechanism, a new standard |
| NMAS_LOGIN | used in NovellS Challenge Response System. |
LDAP and SASL#
For LDAP, common EXTERNAL SASL Mechanisms include:- ANONYMOUS SASL Mechanism -- This mechanism doesn't actually authenticate users to the server, but can be used to destroy a previous authentication session.
- CRAM-MD5 -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself. It is similar to, but weaker than, the DIGEST-MD5 SASL mechanism, and doesn't provide any way for ensuring connection integrity or confidentiality.
- DIGEST-MD5 -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself. It is similar to, but stronger than, the CRAM-MD5 SASL mechanism, and also provides a way to ensure connection integrity and/or confidentiality.
- GSSAPI -- This mechanism provides a way for users to authenticate to the server using a Kerberos V5 session. It also provides a mechanism that can be used to ensure connection integrity and/or confidentiality.
- PLAIN -- This mechanism provides a way for users to authenticate to the server with a username and password. It is similar to the protection offered by Simple Authentication, but may be more convenient in that users can identify themselves with a username rather than a DN.
- NMAS_LOGIN -- Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure NICI and Novell Directory Services (eDirectory®).
- SPNEGO - aka GSS-SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.
More Information#
There might be more information for this subject on one of the following:- ANONYMOUS SASL Mechanism
- Authentication Protocol
- Best Practices for LDAP Security
- Bind Request
- Bind Response
- CRAM-MD5
- CRAM-MD5 SASL Mechanism
- Custom Password Self Service How
- DIGEST-MD5
- Differences between LDAP 2 and 3 Protocols
- Draft-behera-ldap-password-policy
- Enable UserPassword in Microsoft Active Directory
- GS2 Mechanism Family
- Generic Security Service Application Program Interface
- Glossary Of LDAP And Directory Terminology
- Kerberos
- Kurt Zeilenga
- LDAP Authentication
- LDAP Signing
- NDSD Loadable Module
- NMAS
- NMAS Result Codes
- OctetString
- On-Demand Password Synchronization
- Password
- RFC 4422
- RFC 4616
- SASL Mechanisms
- Salted Challenge Response Authentication Mechanism
- Security Strength Factor
- Simple Authentication and Security Layer
- Simple and Protected GSSAPI Negotiation Mechanism
- SupportedSASLMechanisms
- XDAS for eDirectory
[#1] Adapted from http://www.isode.com/products/sasl.html
retrieved 2012-09-28
[#2] Adapted from http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer retrieved 2012-09-28
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!