Simple Authentication and Security Layer


Simple Authentication and Security Layer

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support "proxy authorization", a facility allowing one user to assume the identity of another. Authentication mechanisms can also provide a "data security layer" offering "data integrity" and "data confidentiality" services. DIGEST-MD5 is an example of mechanisms which can provide a data security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.

SASL was originally specified in RFC 2222, authored by John Gardiner Myers while at Carnegie Mellon University. That document was obsolesced by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.

SASL is an IETF "Standard Track" protocol, presently a "Proposed Standard".

SASL Mechanisms

A SASL mechanism is modelled as a series of challenges and responses. Defined SASL mechanisms [http://www.iana.org/assignments/sasl-mechanisms] include:
* "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS)
* "ANONYMOUS", for unauthenticated guest access
* "PLAIN", a simple cleartext password mechanism. PLAIN obsoleted the LOGIN mechanism.
* "OTP", a one-time password mechanism. OTP obsoleted the SKEY Mechanism.
* "SKEY", an S/KEY mechanism.
* "CRAM-MD5", a simple challenge-response scheme based on HMAC-MD5.
* "DIGEST-MD5", HTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offers a data security layer.
* "NTLM", an NT LAN Manager authentication mechanism.
* "GSSAPI", for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data security layer.
* GateKeeper (& GateKeeperPassport), a challenge-response mechanism developed by Microsoft for MSN ChatA family of SASL mechanisms is planned to support arbitrary GSSAPI mechanisms.

SASL-aware Application Protocols

Application protocols define their representation of SASL exchanges with a "profile". A protocol has a "service name" such as "ldap" in a registry shared with GSSAPI and Kerberos [http://www.iana.org/assignments/gssapi-service-names] . Protocols currently supporting SASL include BEEP, IMAP, LDAP, IRCX, POP, SMTP, IMSP, ACAP and XMPP.

ee also

* Transport Layer Security (TLS)

External links

* RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletes RFC 2222
* RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes RFC 2245
* The IETF [http://www.ietf.org/html.charters/sasl-charter.html SASL Working Group] is chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms.
* [http://asg.web.cmu.edu/sasl/ CMU SASL Information]
* [http://asg.web.cmu.edu/sasl/sasl-library.html Cyrus SASL] is a free and portable SASL library.
* [http://josefsson.org/gsasl/ GNU SASL] is a free and portable SASL command line utility and library, distributed under the GNU GPLv3 and LGPLv2.1, respectively.
* [http://wiki.dovecot.org/Sasl Dovecot SASL] is a growing SASL implementation.
* RFC 2831 - Using Digest Authentication as a SASL Mechanism


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Simple authentication and security layer — (signifiant « Couche d authentification et de sécurité simple » ou SASL) est un cadre d authentification et d autorisation normalisé par l IETF. Le cadre découple les mécanismes d authentification des protocoles d application,… …   Wikipédia en Français

  • Simple Authentication and Security Layer — (signifiant « Couche d authentification et de sécurité simple » ou SASL) est un cadre d authentification et d autorisation standardisé par l IETF. Le cadre découple les mécanismes d authentification des protocoles d application,… …   Wikipédia en Français

  • Simple Authentication and Security Layer — (SASL) ist ein Framework, das von verschiedenen Protokollen zur Authentifizierung im Internet verwendet wird. Es wurde im Oktober 1997 als RFC 2222 definiert, der im Juni 2006 durch RFC 4422 ersetzt wurde. SASL bietet dem Applikationsprotokoll… …   Deutsch Wikipedia

  • Simple Authentication and Security Layer — SASL (англ. Simple Authentication and Security Layer  простой уровень аутентификации и безопасности)  это фреймворк (каркас) для предоставления аутентификации и защиты данных в протоколах на основе соединений. Он разделяет… …   Википедия

  • Simple Mail Transfer Protocol — This article is about the Internet standard for electronic mail transmission. For the email delivery company, see SMTP (company). Internet protocol suite Application layer …   Wikipedia

  • Simple Mail Transfer Protocol - AUTHentication — Internet message access protocol authentication SMTP AUTH est une extension du protocole SMTP. C est un protocole de transfert des courriels sur Internet qui inclut une étape d authentification au cours de laquelle le client se connecte… …   Wikipédia en Français

  • Simple Network Management Protocol — (SNMP) forms part of the internet protocol suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network attached devices for conditions that warrant administrative attention. It… …   Wikipedia

  • Security token — Several types of security tokens with a penny for scale …   Wikipedia

  • Security question — A security question is used as an authenticator by banks, cable companies and wireless providers as an extra security layer. They are a form of shared secret.cite web url=http://www.slate.com/id/2183030/pagenum/all/ title=In What City Did You… …   Wikipedia

  • Simple Mail Transfer Protocol — Fonction Envoi de courriels Sigle SMTP Port 25 (sans authentification) 587 (avec authentification) …   Wikipédia en Français