One document matched: draft-myers-auth-sasl-04.txt
Differences from draft-myers-auth-sasl-03.txt
Network Working Group J. Myers
Internet Draft Carnegie Mellon
Document: draft-myers-auth-sasl-04.txt July 1996
Simple Authentication and Security Layer
Status of this Memo
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress``.
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu, or
munnari.oz.au.
A revised version of this draft document will be submitted to the RFC
editor as a Proposed Standard for the Internet Community. Discussion
and suggestions for improvement are requested. This document will
expire before December 1996. Distribution of this draft is
unlimited.
J. Myers [Page i]
Internet DRAFT SASL July 22, 1996
1. Abstract
This document describes a method for adding authentication support to
connection-based protocols. To use this specification, a protocol
includes a command for identifying and authenticating a user to a
server and for optionally negotiating protection of subsequent
protocol interactions. If its use is negotiated, a security layer is
inserted between the protocol and the connection. This document
describes how a protocol specifies such a command, defines several
mechanisms for use by the command, and defines the protocol used for
carrying a negotiated security layer over the connection.
2. Organization of this Document
2.1. How to Read This Document
This document is written to serve two different audiences, protocol
designers using this specification to support authentication in their
protocol, and implementors of clients or servers for those protocols
using this specification.
The sections "Introduction and Overview", "Profiling requirements",
and "Security Considerations" cover issues that protocol designers
need to understand and address in profiling this specification for
use in a specific protocol.
Implementors of a protocol using this specification need the
protocol-specific profiling information in addition to the
information in this document.
2.2. Conventions Used in this Document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
2.3. Examples
Examples in this document are for the IMAP profile [IMAP4] of this
specification. The base64 encoding of challenges and responses, as
well as the "+ " preceeding the responses are part of the IMAP4
profile, not part of the SASL specification itself.
3. Introduction and Overview
The Simple Authentication and Security Layer (SASL) is a method for
adding authentication support to connection-based protocols. To use
this specification, a protocol includes a command for identifying and
authenticating a user to a server and for optionally negotiating a
J. Myers [Page 2]
Internet DRAFT SASL July 22, 1996
security layer for subsequent protocol interactions.
The command has a single argument, identifying a SASL mechanism.
SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of upper-case letters, digits, hyphens, and/or
underscores. SASL mechanism names must be registered with the IANA.
Procedures for registering new SASL mechanisms are given in the
section "Registration procedures"
If a server supports the requested mechanism, it initiates an
authentication protocol exchange. This consists of a series of
server challenges and client responses that are specific to the
requested mechanism. The challenges and responses are defined by the
mechanisms as binary tokens of arbitrary length. The protocol's
profile then specifies how these binary tokens are then encoded for
transfer over the connection.
After receiving the authentication command or any client response, a
server may issue a challenge, indicate failure, or indicate
completion. The protocol's profile specifies how the server
indicates which of the above it is doing.
After receiving a challenge, a client may issue a response or abort
the exchange. The protocol's profile specifies how the client
indicates which of the above it is doing.
During the authentication protocol exchange, the mechanism performs
authentication, transmits an authorization identity (frequently known
as a userid) from the client to server, and negotiates the use of a
mechanism-specific security layer. If the use of a security layer is
agreed upon, then the mechanism must also define or negotiate the
maximum cipher-text buffer size that each side is able to receive.
If use of a security layer is negotiated, it is applied to all
subsequent data sent over the connection. The security layer takes
effect immediately following the last response of the authentication
exchange for data sent by the client and the completion indication
for data sent by the server. Once the security layer is in effect,
the protocol stream is processed by the security layer into buffers
of cipher-text. Each buffer is transferred over the connection as a
stream of octets prepended with a four octet field in network byte
order that represents the length of the following buffer. The length
of the cipher-text buffer must be no larger than the maximum size
that was defined or negotiated by the other side.
J. Myers [Page 3]
Internet DRAFT SASL July 22, 1996
4. Profiling requirements
In order to use this specification, a protocol definition must supply
the following information:
1. A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form. [GSSAPI]
2. A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the
mechanism name being selected by the client.
3. A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and
responses are encoded, how the server indicates completion or
failure of the exchange, how the client aborts an exchange, and
how the exchange method interacts with any line length limits in
the protocol.
4. Identification of the octet where any negotiated security layer
starts to take effect, in both directions.
5. A specification of how the authorization identity passed from the
client to the server is to be interpreted.
5. Registration procedures
The following documents the procedure for registering new SASL
mechanism types.
While the registration procedures do not require it, authors of SASL
mechanisms are encouraged to seek community review and comment
whenever that is feasible. Authors may seek community review by
posting a specification of their proposed mechanism as an internet-
draft.
5.1. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms may be submitted by members of
the community to IANA. These comments will be passed on to the
"owner" of the mechanism if possible. Submitters of comments may
request that their comment be attached to the SASL mechanism
registration itself, and if IANA approves of this the comment will be
made accessible in conjunction with the SASL mechanism registration
itself.
J. Myers [Page 4]
Internet DRAFT SASL July 22, 1996
5.2. Location of Registered SASL Mechanism List
SASL mechanism registrations will be posted in the anonymous FTP
directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-
mechanisms/" and all registered SASL mechanisms will be listed in the
periodically issued "Assigned Numbers" RFC [currently RFC- 1700].
The SASL mechanism description and other supporting material may also
be published as an Informational RFC by sending it to "rfc-
editor@isi.edu" (please follow the instructions to RFC authors [RFC-
1543]).
5.2. Change Control
Once a SASL mechanism registration has been published by IANA, the
author may request a change to its definition. The change request
follows the same procedure as the registration request.
The owner of a content type may pass responsibility for the content
type to another person or agency by informing IANA; this can be done
without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most
common case of this will be to enable changes to be made to types
where the author of the registration has died, moved out of contact
or is otherwise unable to make changes that are important to the
community.
SASL mechanism registrations may not be deleted; mechanisms which are
no longer believed appropriate for use can be declared OBSOLETE by a
change to their "intended use" field; such SASL mechanisms will be
clearly marked in the lists published by IANA.
5.3. Registration Template
To: iana@isi.edu
Subject: Registration of SASL mechanism XXX
SASL mechanism name:
Security considerations:
Published specification (optional, recommended):
Person & email address to contact for further information:
Intended usage:
J. Myers [Page 5]
Internet DRAFT SASL July 22, 1996
(One of COMMON, LIMITED USE or OBSOLETE)
Author/Change controller:
(Any other information that the author deems interesting may be
added below this line.)
6. Mechanism definitions
The following mechanisms are hereby defined.
6.1. Kerberos version 4 mechanism
The mechanism name associated with Kerberos version 4 is
"KERBEROS_V4".
The first challenge consists of a random 32-bit number in network
byte order. The client responds with a Kerberos ticket and an
authenticator for the principal "service.hostname@realm", where
"service" is the service name specified in the protocol's profile,
"hostname" is the first component of the host name of the server with
all letters in lower case, and where "realm" is the Kerberos realm of
the server. The encrypted checksum field included within the
Kerberos authenticator contains the server provided challenge in
network byte order.
Upon decrypting and verifying the ticket and authenticator, the
server verifies that the contained checksum field equals the original
server provided random 32-bit number. Should the verification be
successful, the server must add one to the checksum and construct 8
octets of data, with the first four octets containing the incremented
checksum in network byte order, the fifth octet containing a bit-mask
specifying the security layers supported by the server, and the sixth
through eighth octets containing, in network byte order, the maximum
cipher-text buffer size the server is able to receive. The server
must encrypt using DES ECB mode the 8 octets of data in the session
key and issue that encrypted data in a second challenge. The client
considers the server authenticated if the first four octets of the
un-encrypted data is equal to one plus the checksum it previously
sent.
The client must construct data with the first four octets containing
the original server-issued checksum in network byte order, the fifth
octet containing the bit-mask specifying the selected security layer,
the sixth through eighth octets containing in network byte order the
maximum cipher-text buffer size the client is able to receive, and
the following octets containing the authorization identity. The
client must then append from one to eight zero-valued octets so that
J. Myers [Page 6]
Internet DRAFT SASL July 22, 1996
the length of the data is a multiple of eight octets. The client must
then encrypt using DES PCBC mode the data with the session key and
respond with the encrypted data. The server decrypts the data and
verifies the contained checksum. The server must verify that the
principal identified in the Kerberos ticket is authorized to connect
as that authorization identity. After this verification, the
authentication process is complete.
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity (krb_mk_safe) protection
4 Privacy (krb_mk_priv) protection
Other bit-masks may be defined in the future; bits which are not
understood must be negotiated off.
EXAMPLE: The following are two Kerberos version 4 login scenarios to
the IMAP4 protocol (note that the line breaks in the sample
authenticators are for editorial clarity and are not in real
authenticators)
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: A001 OK Kerberos V4 authentication successful
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + gcfgCA==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: A001 NO Kerberos V4 authentication failed
J. Myers [Page 7]
Internet DRAFT SASL July 22, 1996
6.2. GSSAPI mechanism
The mechanism name associated with all mechanisms employing the
GSSAPI [GSSAPI] is "GSSAPI".
6.2.1 Client side of authentication protocol exchange
The first challenge issued by the server contains no data.
The client calls GSS_Init_sec_context, passing in 0 for
input_context_handle (initially) and a targ_name equal to output_name
from GSS_Import_Name called with input_name_type of
GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
"service@hostname" where "service" is the service name specified in
the protocol's profile, and "hostname" is the fully qualified host
name of the server. The client then responds with the resulting
output_token. If GSS_Init_sec_context returns GSS_CONTINUE_NEEDED,
then the client should expect the server to issue a token in a
subsequent challenge. The client must pass the token to another call
to GSS_Init_sec_context, repeating the actions in this paragraph.
When GSS_Init_sec_context returns GSS_COMPLETE, the client takes the
following actions: If the last call to GSS_Init_sec_context returned
an output_token, then the client responds with the output_token,
otherwise the client responds with no data. The client should then
expect the server to issue a token in a subsequent challenge. The
client passes this token to GSS_Unseal and interprets the first octet
of resulting cleartext as a bit-mask specifying the protection
mechanisms supported by the server and the second through fourth
octets as the maximum size output_message to send to the server. The
client then constructs data, with the first octet containing the
bit-mask specifying the selected protection mechanism, the second
through fourth octets containing in network byte order the maximum
size output_message the client is able to receive, and the remaining
octets containing the authorization identity. The client passes the
data to GSS_Seal with conf_flag set to FALSE, and responds with the
generated output_message. The client can then consider the server
authenticated.
6.2.2 Server side of authentication protocol exchange
The server starts by issuing a challenge with no data. It passes the
resulting client response to GSS_Accept_sec_context as input_token,
setting acceptor_cred_handle to NULL (for "use default credentials"),
and 0 for input_context_handle (initially). If
GSS_Accept_sec_context returns GSS_CONTINUE_NEEDED, the server
returns the generated output_token to the client in challenge and
passes the resulting response to another call to
J. Myers [Page 8]
Internet DRAFT SASL July 22, 1996
GSS_Accept_sec_context, repeating the actions in this paragraph.
When GSS_Accept_sec_context returns GSS_COMPLETE, the client takes
the following actions: If the last call to GSS_Accept_sec_context
returned an output_token, the server returns it to the client in a
challenge and expects a reply from the client with no data. Whether
or not an output_token was returned (and after receipt of any respons
from the client to such an output_token), the server then constructs
4 octets of data, with the first octet containing a bit-mask
specifying the protection mechanisms supported by the server and the
second through fourth octets containing in network byte order the
maximum size output_token the server is able to receive. The server
must then pass the plaintext to GSS_Seal with conf_flag set to FALSE
and issue the generated output_message to the client in a challenge.
The server must then pass the resulting response to GSS_Unseal and
interpret the first octet of resulting cleartext as the bit-mask for
the selected protection mechanism, the second through fourth octets
as the maximum size output_message to send to the client, and the
remaining octets as the authorization identity. The server must
verify that the src_name is authorized to authenticate as the
authorization identity. After these verifications, the
authentication process is complete.
6.2.3 Security layer
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity protection.
Sender calls GSS_Seal with conf_flag set to FALSE
4 Privacy protection.
Sender calls GSS_Seal with conf_flag set to TRUE
Other bit-masks may be defined in the future; bits which are not
understood must be negotiated off.
J. Myers [Page 9]
Internet DRAFT SASL July 22, 1996
6.3. S/Key mechanism
The mechanism name associated with S/Key [SKEY] is "SKEY".
The challenge issued by the server contains no data. The client
responds with the authorization identity.
The data encoded in the second ready response contains the decimal
sequence number followed by a single space and the seed string for
the indicated authorization identity. The client responds with the
one-time-password, as either a 64-bit value in network byte order or
encoded in the "six English words" format.
The server musth verify the one-time-password. After this
verification, the authentication process is complete.
S/Key authentication does not provide for any security layers.
EXAMPLE: The following are two S/Key login scenarios in the IMAP4
protocol.
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: bW9yZ2Fu
S: + OTUgUWE1ODMwOA==
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
S: A001 OK S/Key authentication successful
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: c21pdGg=
S: + OTUgUWE1ODMwOA==
C: BsAY3g4gBNo=
S: A001 NO S/Key authentication failed
J. Myers [Page 10]
Internet DRAFT SASL July 22, 1996
7. References
[IMAP4] Crispin, M., "Internet Message Access Protocol - Version 4",
RFC 1730, University of Washington, December 1994.
[GSSAPI] Linn, J., "Generic Security Service Application Program
Interface, Version 2", draft-ietf-cat-gssv2-XX, OpenVision
Technologies, May 1996
[RFC-1543] Postel, J., "Instructions to RFC Authors", RFC 1543,
October 1993
[SKEY] Haller, Neil M. "The S/Key One-Time Password System", RFC
1760, Bellcore, February 1995
8. Security Considerations
Security issues are discussed throughout this memo.
The mechanisms that support integrity protection are designed such
that the negotiation of the security layer and authorization identity
is integrity protected. When the client selects a security layer
with at least integrity protection, this protects against an active
attacker hijacking the connection and modifying the authentication
exchange to negotiate a plaintext connection.
The client's selection of an SASL mechanism is done in the clear and
may be modified by an active attacker. It is important for any new
SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses.
Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete.
9. Author's Address
John G. Myers
Carnegie-Mellon University
5000 Forbes Ave.
Pittsburgh PA, 15213-3890
EMail: jgm+@cmu.edu
J. Myers [Page 11]
Internet DRAFT SASL July 22, 1996
J. Myers [Page 12]
Internet DRAFT SASL July 22, 1996
Table of Contents
Status of this Memo ............................................... i
1. Abstract ..................................................... 2
2. Organization of this Document ................................ 2
2.1. How to Read This Document .................................... 2
2.2. Conventions Used in this Document ............................ 2
2.3. Examples ..................................................... 2
3. Introduction and Overview .................................... 2
4. Profiling requirements ....................................... 4
5. Registration procedures ...................................... 4
5.1. Comments on SASL mechanism registrations ..................... 4
5.2. Location of Registered SASL Mechanism List .................. 5
5.2. Change Control .............................................. 5
5.3. Registration Template ....................................... 5
6. Mechanism definitions ........................................ 6
6.1. Kerberos version 4 mechanism ................................. 6
6.2. GSSAPI mechanism ............................................. 8
6.2.1 Client side of authentication protocol exchange ............. 8
6.2.2 Server side of authentication protocol exchange ............. 8
6.2.3 Security layer .............................................. 9
6.3. S/Key mechanism .............................................. 10
7. References ................................................... 11
8. Security Considerations ...................................... 11
9. Author's Address ............................................. 11
J. Myers [Page ii]
| PAFTECH AB 2003-2026 | 2026-04-23 09:51:09 |