Network Working Group                                        A. Melnikov
Internet Draft                                                    Editor
Document: draft-ietf-sasl-rfc2222bis-05.txt                 January 2004
Obsoletes: RFC 2222                                Expires in six months


            Simple Authentication and Security Layer (SASL)

Status of this Memo

   This document is an Internet Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet Drafts are working documents of the Internet Engineering
   Task Force (IETF), its Areas, and its Working Groups.  Note that
   other groups may also distribute working documents as Internet
   Drafts. Internet Drafts are draft documents valid for a maximum of
   six months.  Internet Drafts may be updated, replaced, or obsoleted
   by other documents at any time.  It is not appropriate to use
   Internet Drafts as reference material or to cite them other than as
   ``work in progress''.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   A revised version of this draft document will be submitted to the RFC
   editor as a Proposed Standard for the Internet Community.  Discussion
   and suggestions for improvement are requested.  Distribution of this
   draft is unlimited.

   When published as an RFC this document will obsolete RFC 2222.

















A. Melnikov                                             FORMFEED[Page i]


Internet DRAFT                    SASL                   25 January 2004


1.    Abstract

   The Simple Authentication and Security Layer (SASL) provides a method
   for adding authentication support with an optional security layer to
   connection-based protocols.  It also describes a structure for
   authentication mechanisms.  The result is an abstraction layer
   between protocols and authentication mechanisms such that any SASL-
   compatible authentication mechanism can be used with any SASL-
   compatible protocol.

   This document describes how a SASL authentication mechanism is
   structured, describes how a protocol adds support for SASL, defines
   the protocol for carrying a security layer over a connection, and
   defines the EXTERNAL SASL authentication mechanism.

2.    Organization of this document

2.1.  How to read this document

   This document is written to serve two different audiences, protocol
   designers using this specification to support authentication in their
   protocol, and implementors of clients or servers for those protocols
   using this specification.

   The sections "Overview", "Authentication Mechanisms", "Protocol
   Profile Requirements", "Specific Issues", and "Security
   Considerations" cover issues that protocol designers need to
   understand and address in profiling this specification for use in a
   specific protocol.

   Implementors of a protocol using this specification need the
   protocol-specific profiling information in addition to the
   information in this document.

2.2.  Conventions used in this document

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [KEYWORDS].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   This document uses terms "integrity protection" and "confidentiality



A. Melnikov                                             FORMFEED[Page 2]


Internet DRAFT                    SASL                   25 January 2004


   protection". The former references to a security layer that is able
   to detect data modification by using some kind of hash.  However,
   integrity protection doesn't make the data unreadable to an attacker.
   Confidentiality protection is a security layer that is able to make
   the data unreadable to an attacker by using encryption.
   Confidentiality protection usually implies integrity protection.


3.    Overview

   The Simple Authentication and Security Layer (SASL) is a method for
   adding authentication support to connection-based protocols.

   The SASL specification has three layers, as indicated in the diagram
   below.  At the top, a protocol definition using SASL specifies a
   profile, including a command for identifying and authenticating a
   user to a server and for optionally negotiating a security layer for
   subsequent protocol interactions.  At the bottom, a SASL mechanism
   definition specifies an authentication mechanism.  The SASL
   framework, specified by this document, constrains the behavior of
   protocol profiles and mechanisms, separating protocol from mechanism
   and defining how they interact.

                SMTP Protocol     LDAP Protocol          Etc
                   Profile           Profile            . . .
                          \-----        |       -----/
                                \       |      /
                                 SASL framework
                                /       |      \
                          /-----        |       -----\
                   EXTERNAL         DIGEST-MD5           Etc
                SASL mechanism    SASL mechanism        . . .

   This separation between the definition of protocols and the
   definition of authentication mechanisms is crucial.  It permits an
   authentication mechanism to be defined once, making it usable by any
   SASL protocol profile.  In many implementations, the same SASL
   mechanism code is used for multiple protocols.

4.    Authentication mechanisms

   SASL mechanisms are named by strings, from 1 to 20 characters in
   length, consisting of ASCII [ASCII] upper-case letters, digits,
   hyphens, and/or underscores.  SASL mechanism names must be registered
   with the Internet Assigned Numbers Authority (IANA). IETF standards
   track documents may direct the IANA to reserve a portion of the SASL
   mechanism namespace and may specify different registration criteria
   for the reserved portion; the GSSAPI mechanism specification



A. Melnikov                                             FORMFEED[Page 3]


Internet DRAFT                    SASL                   25 January 2004


   [SASL-GSSAPI] does this. Procedures for registering new SASL
   mechanisms are given in section 8.

   The "sasl-mech" production below defines the syntax of a SASL
   mechanism name.  This uses the Augmented Backus-Naur Form (ABNF)
   notation as specified in [ABNF] and the ABNF core rules as specified
   in Appendix A of the ABNF specification [ABNF].

   sasl-mech    = 1*20mech-char
   mech-char    = %x41-5A / DIGIT / "-" / "_"
                  ; mech names restricted to ASCII uppercase letters,
                  ; digits, "-" and "_"


4.1.  Authentication protocol exchange

   A SASL mechanism is responsible for conducting an authentication
   protocol exchange.  This consists of a series of server challenges
   and client responses, the contents of which are specific to and
   defined by the mechanism.  To the protocol, the challenges and
   responses are opaque binary tokens of arbitrary length.  The
   protocol's profile then specifies how these binary tokens are then
   encoded for transfer over the connection.

   After receiving an authentication command or any client response, a
   server mechanism may issue a challenge, indicate failure, or indicate
   completion.  The server mechanism may return additional data with a
   completion indication.  The protocol's profile specifies how each of
   these is then represented over the connection.

   After receiving a challenge, a client mechanism may issue a response
   or abort the exchange.  The protocol's profile specifies how each of
   these is then represented over the connection.

   During the authentication protocol exchange, the mechanism performs
   authentication, transmits an authorization identity (frequently known
   as a userid) from the client to server, and negotiates the use of a
   mechanism-specific security layer.  If the use of a security layer is
   agreed upon, then the mechanism must also define or negotiate the
   maximum security layer buffer size that each side is able to receive.

4.2.  Authorization and authentication identities

   SASL authentication deals with two identities: the authorization
   identity and the authentication identity. The transmitted
   authorization identity may be an empty string (zero length), but the
   transmitted authentication identity may not be an empty string.




A. Melnikov                                             FORMFEED[Page 4]


Internet DRAFT                    SASL                   25 January 2004


   While some legacy mechanisms are incapable of transmitting an
   authorization identity (which means that for these mechanisms the
   authorization identity is always the empty string), newly defined
   mechanisms SHOULD be capable of transmiting a non-empty authorization
   identity.

   Authentication identity is the identity derived from the client's
   authentication credentials.

   The authorization identity is used by the server as the primary
   identity for making access policy decisions.

4.2.1.  Authorization identities and proxy authentication

   With any mechanism, transmitting an authorization identity of the
   empty string directs the server to derive the authorization identity
   from the client's authentication identity.

   If the authorization identity transmitted during the authentication
   protocol exchange is not the empty string, this is typically referred
   to as "proxy authentication".  This feature permits agents such as
   proxy servers to authenticate using their own credentials, yet
   request the access privileges of the identity for which they are
   proxying.

   The server makes an implementation defined policy decision as to
   whether the authentication identity is permitted to have the access
   privileges of the authorization identity and whether the
   authorization identity is permitted to receive service.  If it is
   not, the server indicates failure of the authentication protocol
   exchange.

   As a client might not have the same information as the server,
   clients SHOULD NOT derive authorization identities from
   authentication identities. Instead, clients SHOULD provide no (or
   empty) authorization identity when the user has not provided an
   authorization identity.

   The server SHOULD verify that a received authorization identity is in
   the correct form. Profiles whose authorization identities are simple
   user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLPrep" profile
   [SASLPrep] of the "stringprep" algorithm [StringPrep] to prepare
   these names for matching. The profiles MAY use a stringprep profile
   that is more strict than "SASLPrep". If the preparation of the
   authorization identity fails or results in an empty string, the
   server MUST fail the authentication exchange. The only exception to
   this rule is when the received authorization identity is already the
   empty string.



A. Melnikov                                             FORMFEED[Page 5]


Internet DRAFT                    SASL                   25 January 2004


4.2.2.  Authorization Identity Format

   An authorization identity is a string of zero or more Unicode
   [Unicode] coded characters.  The NUL <U+0000> character is not
   permitted in authorization identities.

   The character encoding scheme used for transmitting an authorization
   identity over the protocol is specified in each authentication
   mechanism All IETF-defined mechanisms MUST, and all other mechanisms
   SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF policy
   regarding character sets and encoding schemes.)

   Mechanisms are expected to be capable of carrying the entire Unicode
   repertoire (with the exception of the NUL character). An
   authorization identity of the empty string and an absent
   authorization identity MUST be treated as equivalent. A mechanism
   which provides an optional field for an authorization identity,
   SHOULD NOT allow that field, when present, to be empty.  The meaning
   of an authorization identity of the empty string is described in the
   previous section.

4.3.  Security layers

   If use of a security layer is negotiated by the authentication
   protocol exchange, the security layer is applied to all subsequent
   data sent over the connection (until another security layer is
   negotiated; see also section 6.3). The security layer takes effect
   immediately following the last response of the authentication
   exchange for data sent by the client and the completion indication
   for data sent by the server.

   Note that all SASL mechanisms that are unable to negotiate a security
   layer automatically select no security layer.

   Once the security layer is in effect the protocol stream is processed
   by the security layer into buffers of security encoded data.  Each
   buffer of security encoded data is transferred over the connection as
   a stream of octets prepended with a four octet field in network byte
   order that represents the length of the following buffer.  The length
   of the security encoded data buffer MUST be no larger than the
   maximum size that was either defined in the mechanism specification
   or negotiated by the other side during the authentication protocol
   exchange.  Upon the receipt of a data buffer which is larger than the
   defined/negotiated maximal buffer size the receiver SHOULD close the
   connection.  This might be a sign of an attack or a buggy
   implementation.





A. Melnikov                                             FORMFEED[Page 6]


Internet DRAFT                    SASL                   25 January 2004


4.4.  Character string issues

   Authentication mechanisms SHOULD encode character strings in UTF-8
   [UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character
   sets in IETF protocols).  In order to avoid interoperability problems
   due to differing normalizations, when a mechanisms specifies that
   character data is to be used as input to a cryptographic and/or
   comparison function, the mechanism specification MUST detail how the
   data is to be represented, including any normalizations or other
   preparations, to ensure proper function.  Designers of mechanisms
   SHOULD use the "SASLprep" profile [SASLPrep] of the "stringprep"
   algorithm [StringPrep] where applicable.

   There are three entities that have to deal with this issue: a client
   (upon getting user input or retrieving a value from configuration), a
   server (upon receiving the value from the client) and a utility that
   is able to store passwords/hashes in a database that can be later
   used by the server.  SASL mechanisms must define which entity (or
   entities) must perform the preparation. If preparation fails or
   results in an empty string, the entity doing the preparation SHALL
   fail the authentication exchange (or, in case of the utility, refuse
   to store the data).


5.    Protocol profile requirements

   In order to use this specification, a protocol definition MUST supply
   the following information:

   1) A service name, to be selected from the IANA registry of "service"
   elements for the GSSAPI host-based service name form [GSSAPI]. This
   service name is made available to the authentication mechanism.

   The registry is available at the URL
   <http://www.iana.org/assignments/gssapi-service-names>.

   2) A definition of the command to initiate the authentication
   protocol exchange.  This command must have as a parameter the name of
   the mechanism being selected by the client.

   The command SHOULD have an optional parameter giving an initial
   response.  This optional parameter allows the client to avoid a round
   trip when using a mechanism which is defined to have the client send
   data first.  When this initial response is sent by the client and the
   selected mechanism is defined to have the server start with an
   initial challenge, the command fails.  See section 6.1 of this
   document for further information.




A. Melnikov                                             FORMFEED[Page 7]


Internet DRAFT                    SASL                   25 January 2004


   3) A definition of the method by which the authentication protocol
   exchange is carried out, including how the challenges and responses
   are encoded, how the server indicates completion or failure of the
   exchange, how the client aborts an exchange, and how the exchange
   method interacts with any line length limits in the protocol.

   The exchange method SHOULD allow the server to include an optional
   data ("optional challenge") with a success notification.  This allows
   the server to avoid a round trip when using a mechanism which is
   defined to have the server send additional data along with the
   indication of successful completion.  See section 6.2 of this
   document for further information.

   4) A protocol profile SHOULD specify a mechanism through which a
   client may obtain the names of the SASL mechanisms available to it.
   This is typically done through the protocol's extensions or
   capabilities mechanism.

   5) Identification of the octet where any negotiated security layer
   starts to take effect, in both directions.

   6) Specify if the protocol profile supports "multiple
   authentications" (see section 6.3).

   7) If both TLS and SASL security layer are allowed to be negotiated
   by the protocol, the protocol profile MUST define in which order they
   are applied to a cleartext data sent over the connection.

   8) A protocol profile MAY further refine the definition of an
   authorization identity by adding additional syntactic restrictions
   and protocol-specific semantics. A protocol profile MUST specify the
   form of the authorization identity (since it is protocol specific, as
   opposed to the authentication identity, which is mechanism specific)
   and how authorization identities are to be compared. Profiles whose
   authorization identities are simple user names (e.g. IMAP [RFC 3501])
   SHOULD use "SASLPrep" profile [SASLPrep] of the "stringprep"
   algorithm [StringPrep] to prepare these names for matching. The
   profiles MAY use a stringprep profile that is more strict than
   SASLPrep.

   A protocol profile SHOULD NOT attempt to amend the definition of
   mechanisms or make mechanism-specific encodings.  This breaks the
   separation between protocol and mechanism that is fundamental to the
   design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral.







A. Melnikov                                             FORMFEED[Page 8]


Internet DRAFT                    SASL                   25 January 2004


6.    Specific issues

6.1.  Client sends data first

   Some mechanisms specify that the first data sent in the
   authentication protocol exchange is from the client to the server.

   If a protocol's profile permits the command which initiates an
   authentication protocol exchange to contain an initial client
   response, this parameter SHOULD be used with such mechanisms.

   If the initial client response parameter is not given, or if a
   protocol's profile does not permit the command which initiates an
   authentication protocol exchange to contain an initial client
   response, then the server issues a challenge with no data.  The
   client's response to this challenge is then used as the initial
   client response.  (The server then proceeds to send the next
   challenge, indicates completion, or indicates failure.)

6.1.1.  Examples


   The following are two examples of an SECURID authentication [SASL-
   SECURID] in the SMTP protocol [SMTP].  In the first example below,
   the client is trying fast reauthentication by sending the initial
   response:

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Hello client.example.com, pleased to meet you
      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA=
      S: 235 Authentication successful

   The example below is almost identical to the previous, but here the
   client chooses not to use the initial response parameter.

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Hello client.example.com, pleased to meet you
      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID
      S: 334
      C: AG1hZ251cwAxMjM0NTY3OAA=
      S: 235 Authentication successful




A. Melnikov                                             FORMFEED[Page 9]


Internet DRAFT                    SASL                   25 January 2004


      Section 7.2 contains an additional example.

6.2.  Server returns success with additional data

   Some mechanisms may specify that additional data be sent to the
   client along with an indication of successful completion of the
   exchange.  This data would, for example, authenticate the server to
   the client.

   If a protocol's profile does not permit this additional data to be
   returned with a success indication, then the server issues the data
   as a server challenge, without an indication of successful
   completion.  The client then responds with no data.  After receiving
   this empty response, the server then indicates successful completion
   (with no additional data).

   Client implementors should be aware of an additional failure case
   that might occur when the profile supports sending the additional
   data with success. Imagine that an active attacker is trying to
   impersonate the server and sends faked data, which should be used to
   authenticate the server to the client, with success.  (A similar
   situation can happen when either the server and/or the client has a
   bug and they calculate different responses.) After checking the data,
   the client will think that the authentication exchange has failed,
   however the server will think that the authentication exchange has
   completed successfully.  At this point the client can not abort the
   authentication exchange; it SHOULD close the connection instead.
   However, if the profile did not support sending of additional data
   with success, the client could have aborted the exchange at the very
   last step of the authentication exchange.

6.2.1.  Examples


   The following are two examples of a DIGEST-MD5 authentication [SASL-
   DIGEST] in the XMPP protocol [XMPP]. In the first example below, the
   server is sending mutual authentication data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'



A. Melnikov                                            FORMFEED[Page 10]


Internet DRAFT                    SASL                   25 January 2004


          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
         LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </success>

      The example below is almost identical to the previous, but here
      the server chooses not to use the additional data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'
          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi



A. Melnikov                                            FORMFEED[Page 11]


Internet DRAFT                    SASL                   25 January 2004


         LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

6.3.  Multiple authentications

   Unless otherwise stated by the protocol's profile, only one
   successful SASL negotiation may occur in a protocol session.  In this
   case, once an authentication protocol exchange has successfully
   completed, further attempts to initiate an authentication protocol
   exchange fail.

   If a profile explicitly permits multiple successful SASL negotiations
   to occur, then in no case may multiple security layers be
   simultaneously in effect.  If a security layer is in effect and a
   subsequent SASL negotiation selects a second security layer, then the
   second security layer replaces the first. If a security layer is in
   effect and a subsequent SASL negotiation selects no security layer,
   the original security layer remains in effect.

   Note that keeping the original security layer is a subject to a class
   of security attack described in section 6.3.1. However, at the time
   of the writing of this document the Working Group consensus is not to
   change SASL handling of security layers, as the risk of such attacks
   is considered to be low and specific to only certain classes of
   implementations.  The protocol profiles that allow for
   reauthentication SHOULD recommend that another security layer is
   negotiated once a security layer was installed.

   Also note, that if a subsequent authentication fails, the protocol
   profile MAY allow the connection state to return to non-
   authenticated, however the previously negotiated security layer MUST
   NOT be removed. Only a successful reauthentication is able
   replace/remove the previously negotiated security layer.






A. Melnikov                                            FORMFEED[Page 12]


Internet DRAFT                    SASL                   25 January 2004


6.3.1.  Description of Multiple Authentication attack

   Let's assume that the protected resources on a server are partitioned
   into a set of protection spaces, each with its own authentication
   mechanisms and/or authorization database. Let's use the term
   "partition" to reference any such protected space. An example of a
   partition might be an HTTP "realm".  Also a proxy/frontend can use
   different partitions for different servers/backends it represents.

   Now consider the following scenario. A client has already
   authenticated and established a security layer with "Partition A"
   which is managed by the server AA.  Now the same client authenticates
   to "Partition B" (managed by the server BB) without negotiating a new
   security layer, while the security layer negotiated with "Partition
   A" remains in effect. The server BB is now able to observe how known
   cleartext is encrypted. This scenario enables the server BB to make
   guesses about previously observed ciphertext between the client and
   the server AA using the server's SASL engine as an oracle.  This
   scenario is illustrated below:
































A. Melnikov                                            FORMFEED[Page 13]


Internet DRAFT                    SASL                   25 January 2004


              +---------+                   +---------+
              |         |                   |         |
              |Partition|                   |Partition|
              |    B    |                   |    A    |
              +---------+                   +---------+
                  |  ^                           |
                  |  :      +-----------+        |
     Traffic from |  :      | Encryption|        | Traffic from A
      B to client +-------->| end point |<-------+ to client
                     :      | (SSL/SASL)|
                     :      +-----------+
                     :            |
                     :            |
                     :          +---+
                     :          |   |
                     :          |   |
                     :          |   | Encryption tunnel, e.g. SASL or SSL,
                     :          |   | between the server
       (1) Recording +---------:|   | and a single client only.
           encrypted            |   | Separate tunnels to different
           traffic between      |   | clients.
       Partition A and client   +---+
                                  |
                                  |
                                  +-----------> Traffic to clients

   <<Some text about trust relationship here.


   Where this suitation cannot be managed through trust relationship, it
   may be approrpiate for the server implementation to not support
   multiple authentications.  >>



7.    The EXTERNAL mechanism

   The mechanism name associated with external authentication is
   "EXTERNAL".

   The client sends an initial response with the UTF-8 encoding of the
   authorization identity. The form of the authorization identity is
   further restricted by the application-level protocol's SASL profile.

   The server uses information, external to SASL, to determine whether
   the client is authorized to authenticate as the authorization
   identity.  If the client is so authorized, the server indicates
   successful completion of the authentication exchange; otherwise the



A. Melnikov                                            FORMFEED[Page 14]


Internet DRAFT                    SASL                   25 January 2004


   server indicates failure.

   The system providing this external information may be, for example,
   IPSec or TLS. However, the client can make no assumptions as to what
   information the server can use in determining client authorization.
   E.g., just because TLS was established, doesn't mean that the server
   will use the information provided by TLS.

   If the client sends the empty string as the authorization identity
   (thus requesting that the authorization identity be derived from the
   client's authentication credentials), the authorization identity is
   to be derived from authentication credentials which exist in the
   system that is providing the external authentication.

7.1.  Formal syntax

   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) notation as specified in [ABNF].  This uses the ABNF core
   rules as specified in Appendix A of the ABNF specification [ABNF].
   Non-terminals referenced but not defined below are as defined by
   [UTF-8].

   The "extern-init-resp" rule below defines the initial response sent
   from client to server.

   extern-init-resp  = *( UTF8-char-no-nul )

   UTF8-char-no-nul  = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4

   UTF8-1-no-nul     = %x01-7F


7.2.  Example

   The following is an example of an EXTERNAL authentication in the SMTP
   protocol [SMTP].  In this example, the client is proxy
   authenticating, sending the authorization identity "fred" using in
   the (optional) initial response.  The server has determined the
   client's identity through IPsec and has a security policy that
   permits that identity to proxy authenticate as any other identity.

   To the protocol profile, the four octet sequence "fred" is an opaque
   binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies
   that server challenges and client responses are encoded in BASE64
   [BASE64]; the BASE64 encoding of "fred" is "ZnJlZA==".

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com



A. Melnikov                                            FORMFEED[Page 15]


Internet DRAFT                    SASL                   25 January 2004


      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL ZnJlZA==
      S: 235 Authentication successful.

   The following example is almost identical to the one above, but the
   client doesn't use proxy authentication.

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com
      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL
      S: 235 Authentication successful.


8.    IANA Considerations


8.1.  Guidelines for IANA


   It is requested that IANA updates the SASL mechanisms registry as
   follows:


      Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
      registrations to OBSOLETE.  Change the "Published specification"
      of the EXTERNAL mechanism to this document. Updated registration
      is provided in Section 8.6.

8.2.  Registration procedure


   Registration of a SASL mechanism is done by filling in the template
   in section 8.5 and sending it via electronic mail to <iana@iana.org>.
   IANA has the right to reject obviously bogus registrations, but will
   perform no review of claims made in the registration form.  SASL
   mechanism registrations are currently available at the URL
   <http://www.iana.org/assignments/sasl-mechanisms>.

   There is no naming convention for SASL mechanisms; any name that
   conforms to the syntax of a SASL mechanism name can be registered.
   An IETF Standards Track document may reserve a portion of the SASL
   mechanism namespace ("family of SASL mechanisms") for its own use,
   amending the registration rules for that portion of the namespace.
   Each family of SASL mechanisms MUST be identified by a prefix.




A. Melnikov                                            FORMFEED[Page 16]


Internet DRAFT                    SASL                   25 January 2004


   While the registration procedures do not require it, authors of SASL
   mechanisms are encouraged to seek community review and comment
   whenever that is feasible.  Authors may seek community review by
   posting a specification of their proposed mechanism as an Internet-
   Draft.  SASL mechanisms intended for widespread use should be
   standardized through the normal IETF process, when appropriate.

8.3.  Comments on SASL mechanism registrations

   Comments on registered SASL mechanisms should first be sent to the
   "owner" of the mechanism and/or to the SASL WG mailing list.
   Submitters of comments may, after a reasonable attempt to contact the
   owner, request IANA to attach their comment to the SASL mechanism
   registration itself.  If IANA approves of this, the comment will be
   made accessible in conjunction with the SASL mechanism registration
   itself.

8.4.  Change control

   Once a SASL mechanism registration has been published by IANA, the
   author may request a change to its definition.  The change request
   follows the same procedure as the registration request.

   The owner of a SASL mechanism may pass responsibility for the SASL
   mechanism to another person or agency by informing IANA; this can be
   done without discussion or review.

   The IESG may reassign responsibility for a SASL mechanism. The most
   common case of this will be to enable changes to be made to
   mechanisms where the author of the registration has died, moved out
   of contact or is otherwise unable to make changes that are important
   to the community.

   SASL mechanism registrations may not be deleted; mechanisms which are
   no longer believed appropriate for use can be declared OBSOLETE by a
   change to their "intended use" field; such SASL mechanisms will be
   clearly marked in the lists published by IANA.

   The IESG is considered to be the owner of all SASL mechanisms which
   are on the IETF standards track.

8.5.  Registration template


     Subject: Registration of SASL mechanism X

     Family of SASL mechanisms: (YES or NO)




A. Melnikov                                            FORMFEED[Page 17]


Internet DRAFT                    SASL                   25 January 2004


     SASL mechanism name (or prefix for the family):

     Security considerations:

     Published specification (optional, recommended):

     Person & email address to contact for further information:

     Intended usage:

     (One of COMMON, LIMITED USE or OBSOLETE)

     Owner/Change controller:

     (Any other information that the author deems interesting may be
     added below this line.)


8.6.  The EXTERNAL mechanism registration

   It is requested that the SASL Mechanism registry [IANA-SASL] entry
   for the EXTERNAL mechanism be updated to reflect that this document
   now provides its technical specification.


      Subject: Updated Registration of SASL mechanism EXTERNAL

      Family of SASL mechanisms: NO

      SASL mechanism name: EXTERNAL

      Security considerations: See RFC XXXX, section 9.

      Published specification (optional, recommended): RFC XXXX

      Person & email address to contact for further information:
        Alexey Melnikov <Alexey.Melnikov@isode.com>

      Intended usage: COMMON

      Owner/Change controller: IESG <iesg@ietf.org>

      Note: Updates existing entry for EXTERNAL

9.   Security considerations

   Security issues are discussed throughout this memo.




A. Melnikov                                            FORMFEED[Page 18]


Internet DRAFT                    SASL                   25 January 2004


   SASL implementations might be subject to online dictionary attacks
   (e.g. username harvesting, password cracking). In order to mitigate
   the attacks a server implementation is encouraged to implement a
   policy when after a number of failed authentication attempts it
   returns errors to all subsequent authentication attempts on the same
   connection.  Alternatively, the server may implement a policy whereby
   the connection is dropped after a number of failed authentication
   attempts. If a server implementation chooses to do so, it should not
   drop the connection until at least 3 authentication attempts have
   failed.

   The mechanisms that support integrity protection are designed such
   that the negotiation of the security layer and authorization identity
   is integrity protected.  When the client selects a security layer
   with at least integrity protection, this protects against an active
   attacker hijacking the connection and modifying the authentication
   exchange to negotiate a plaintext connection.

   When a server or client supports multiple authentication mechanisms,
   each of which has a different security strength, it is possible for
   an active attacker to cause a party to use the least secure mechanism
   supported.  To protect against this sort of attack, a client or
   server which supports mechanisms of different strengths should have a
   configurable minimum strength that it will use.  It is not sufficient
   for this minimum strength check to only be on the server, since an
   active attacker can change which mechanisms the client sees as being
   supported, causing the client to send authentication credentials for
   its weakest supported mechanism.

   The client's selection of a SASL mechanism is done in the clear and
   may be modified by an active attacker.  It is important for any new
   SASL mechanisms to be designed such that an active attacker cannot
   obtain an authentication with weaker security properties by modifying
   the SASL mechanism name and/or the challenges and responses.

   In order to detect Man-in-the-middle (MITM) attacks the client MAY
   list available SASL mechanisms both before and after the SASL
   security layer is negotiated.  This allows the client to detect
   active attacks that remove mechanisms from the server's list of
   supported mechanisms, and allows the client to ensure that it is
   using the best mechanism supported by both client and server.  New
   protocol profiles SHOULd require servers to make the list of SASL
   mechanisms available for the initial authentication available to the
   client after security layers are established.  Some older protocols
   do not require this (or don't support listing of SASL mechanisms once
   authentication is complete); for these protocols clients MUST NOT
   treat an empty list of SASL mechanisms after authentication as a MITM
   attack.



A. Melnikov                                            FORMFEED[Page 19]


Internet DRAFT                    SASL                   25 January 2004


   Any protocol interactions prior to authentication are performed in
   the clear and may be modified by an active attacker.  In the case
   where a client selects integrity protection, it is important that any
   security-sensitive protocol negotiations be performed after
   authentication is complete.  Protocols should be designed such that
   negotiations performed prior to authentication should be either
   ignored or revalidated once authentication is complete.

   When use of a security layer is negotiated by the authentication
   protocol exchange, the receiver should handle gracefully any security
   encoded data buffer larger than the defined/negotiated maximal size.
   In particular, it must not blindly allocate the amount of memory
   specified in the buffer size field, as this might cause the "out of
   memory" condition. If the receiver detects a large block, it SHOULD
   close the connection.

   Distributed server implementations need to be careful in how they
   trust other parties and, in particular, authentication secrets should
   only be disclosed to other parties that are trusted to manage and use
   those secrets in manner acceptable to disclosing party.  It should be
   noted that where those secrets are used to providing data
   confidentiality protections, if a third party (other then the
   discloser/declosee) has knowledge of some portion of the protected
   information, it can use this knowledge in an attack upon other
   portions of the protected information.

   Section 6.3.1 contains a description of a potential class of attack
   on a distributed server implementation. The section also gives some
   recommendations about mitigating such attacks.

   "stringprep" and Unicode security considerations apply to
   authentication identities, authorization identities and passwords.

   The EXTERNAL mechanism provides no security protection; it is
   vulnerable to spoofing by either client or server, active attack, and
   eavesdropping.  It should only be used when external security
   mechanisms are present and have sufficient strength.

10.    References

10.1.  Normative References

   [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax
   Specifications: ABNF", RFC 2234, November 1997

   [ASCII] American National Standards Institute, "Code Extension
   Techniques for Use with the 7-bit Coded Character Set of American
   National Standard Code (ASCII) for Information Interchange", FIPS PUB



A. Melnikov                                            FORMFEED[Page 20]


Internet DRAFT                    SASL                   25 January 2004


   35, 1974

   [CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and
   Languages", RFC 2277, BCP 18, January 1998

   [GSSAPI] Linn, J., "Generic Security Service Application Program
   Interface, Version 2, Update 1", RFC 2743, January 2000

   [ISO-10646] "Universal Multiple-Octet Coded Character Set (UCS) -
   Architecture and Basic Multilingual Plane", ISO/IEC 10646-1 : 1993.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", RFC 2119, BCP 19, March 1997

   [Unicode] The Unicode Consortium, "The Unicode Standard, Version
   3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading,
   MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the
   "Unicode Standard Annex #27: Unicode 3.1"
   (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard
   Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).

   [Stringprep] Hoffman, P., Blanchet, M., "Preparation of
   Internationalized Strings ("stringprep")", RFC 3454, December 2002.

   [SASLPrep] Zeilenga, K., "SASLprep: Stringprep profile for user names
   and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.

   [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
   RFC 3629, STD 63, November 2003.

10.2.  Informative References


   [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in
   progress, draft-ietf-sasl-gssapi-XX.txt, November 2003

   [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest
   Authentication as a SASL Mechanism", work in progress, draft-ietf-
   sasl-rfc2831bis-XX.txt, replaces RFC 2831

   [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
   2444, October 1998.

   [SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC
   2808, April 2000.

   [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April
   2001.



A. Melnikov                                            FORMFEED[Page 21]


Internet DRAFT                    SASL                   25 January 2004


   [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication",
   RFC 2554, March 1999.

   Being revised by Siemborski, R., "SMTP Service Extension for
   Authentication", work in progress, draft-siemborski-rfc2554bis-
   XX.txt.

   [XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol
   (XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt.

   [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
   Encodings", RFC 3548, July 2003.

   [RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC
   Authors", RFC 2223, October 1997.

   [IANA-SASL]  IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
   MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms.

11.   Editor's Address

     Alexey Melnikov
     Isode Limited

     Email: Alexey.Melnikov@isode.com

12.   Acknowledgments

   This document is a revision of RFC 2222 written by John G. Myers.  He
   also contributed significantly to this revision.

   Magnus Nystrom provided the ASCII art used in Section 6.3.

   Definition of partition was extracted from RFC 2617 ("HTTP
   Authentication: Basic and Digest Access Authentication").

   Contributions of many members of the SASL mailing list are gratefully
   acknowledged, in particular Kurt D. Zeilenga, Peter Saint-Andre, Rob
   Siemborski, Jeffrey Hutzelman, Hallvard B Furuseth and Tony Hansen
   for proofreading the document and various editorial suggestions.


13.   Full Copyright Statement

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it



A. Melnikov                                            FORMFEED[Page 22]


Internet DRAFT                    SASL                   25 January 2004


   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Appendix A. Relation of SASL to transport security

   Questions have been raised about the relationship between SASL and
   various services (such as IPsec and TLS) which provide a secured
   connection.

   Two of the key features of SASL are:

      The separation of the authorization identity from the identity in
      the client's credentials.  This permits agents such as proxy
      servers to authenticate using their own credentials, yet request
      the access privileges of the identity for which they are proxying.

      Upon successful completion of an authentication exchange, the
      server knows the authorization identity the client wishes to use.
      This allows servers to move to a "user is authenticated" state in
      the protocol.

   These features are extremely important to some application protocols,
   yet Transport Security services do not always provide them.  To
   define SASL mechanisms based on these services would be a very messy



A. Melnikov                                            FORMFEED[Page 23]


Internet DRAFT                    SASL                   25 January 2004


   task, as the framing of these services would be redundant with the
   framing of SASL and some method of providing these important SASL
   features would have to be devised.

   Sometimes it is desired to enable within an existing connection the
   use of a security service which does not fit the SASL model.  (TLS is
   an example of such a service.)  This can be done by adding a command,
   for example "STARTTLS", to the protocol.  Such a command is outside
   the scope of SASL, and should be different from the command which
   starts a SASL authentication protocol exchange.

   In certain situations, it is reasonable to use SASL underneath one of
   these Transport Security services.  The transport service would
   secure the connection, either service would authenticate the client,
   and SASL would negotiate the authorization identity.  The SASL
   negotiation would be what moves the protocol from "unauthenticated"
   to "authenticated" state.  The "EXTERNAL" SASL mechanism is
   explicitly intended to handle the case where the transport service
   secures the connection and authenticates the client and SASL
   negotiates the authorization identity.

Appendix B. Changes since RFC 2222

   The GSSAPI mechanism was removed.  It is now specified in a separate
   document [SASL-GSSAPI].

   The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has
   been removed.

   The "SKEY" mechanism described in RFC 2222 is obsolete and has been
   removed.  It has been replaced by the OTP mechanism [SASL-OTP].

   The overview has been substantially reorganized and clarified.

   Clarified the definition and semantics of the authorization identity.

   Prohibited the NUL character in authorization identities.

   Added a section on character string issues.

   The word "must" in the first paragraph of the "Protocol profile
   requirements" section was changed to "MUST".

   Specified that protocol profiles SHOULD provide a way for clients to
   discover available SASL mechanisms.

   Made the requirement that protocol profiles specify the semantics of
   the authorization identity optional to the protocol profile.



A. Melnikov                                            FORMFEED[Page 24]


Internet DRAFT                    SASL                   25 January 2004


   Clarified that such a specification is a refinement of the definition
   in the base SASL spec.

   Added a requirement discouraging protocol profiles from breaking the
   separation between protocol and mechanism.

   Mentioned that standards track documents may carve out their own
   portions of the SASL mechanism namespace and may amend registration
   rules for the portion. However registration of individual SASL
   mechanisms is still required.

   Specified that the authorization identity in the EXTERNAL mechanism
   is encoded in UTF-8.

   Added a statement that a protocol profile SHOULD allow challenge data
   to be sent with a success indication.

   Added a security consideration for the EXTERNAL mechansim.

   Clarified sections concerning success with additional data.

   Cleaned up IANA considerations/registrations and assembled them in
   one place.

   Updated references and split them into Informative and Normative.

   Added text to the Security Considerations section regarding handling
   of extremely large SASL blocks.

   Replaced UTF-8 ABNF with the reference to the UTF-8 document.

   Added text about SASLPrep for authentication identities and
   passwords.  Described where SASLPrep preparation should take place.

   Added paragraph about verifying authorization identities.

   Added a protocol profile requirement to specify interaction between
   SASL and TLS security layers.

   Added a protocol profile requirement to specify if it supports
   reauthentication.

   Removed the text that seemed to suggest that SASL security layer must
   not be used when TLS is available.

   Created two subsections in 4.2 to talk separately about proxy
   authorization and format of the authorization identities.




A. Melnikov                                            FORMFEED[Page 25]


Internet DRAFT                    SASL                   25 January 2004


   Made requirement to verify that an authorization identity is correct
   by performing SASLPrep a SHOULD, instead of a MUST.

   Clarified that each SASL mechanism must decide where SASLPrep is
   taking place.

   Added 4 new examples for initial response and additional data with
   success.

   Added text on checking the list of available SASL mechanisms after
   negotiating a security layer.

   Added definition of "integrity protection" and "confidentiality
   protection".

   Added text about preventing password cracking/username harvesting
   attacks.

   Added warning about negotiating no layer once a security layer is
   negotiated.































A. Melnikov                                            FORMFEED[Page 26]


Internet DRAFT                    SASL                   25 January 2004


   Status of this Memo .......................................... i
   1.    Abstract ............................................... 2
   2.    Organization of this document .......................... 2
   2.1.  How to read this document .............................. 2
   2.2.  Conventions used in this document ...................... 2
   3.    Overview ............................................... 3
   4.    Authentication mechanisms .............................. 3
   4.1.  Authentication protocol exchange ....................... 4
   4.2.  Authorization and authentication identities ............ 4
   4.2.1.  Authorization identities and proxy authentication .... 5
   4.2.2.  Authorization Identity Format ........................ 6
   4.3.  Security layers ........................................ 6
   4.4.  Character string issues ................................ 7
   5.    Protocol profile requirements .......................... 7
   6.    Specific issues ........................................ 9
   6.1.  Client sends data first ................................ 9
   6.1.1.  Examples ............................................. 9
   6.2.  Server returns success with additional data ........... 10
   6.2.1.  Examples ............................................ 10
   6.3.  Multiple authentications .............................. 12
   6.3.1.  Description of Multiple Authentication attack ....... 13
   7.    The EXTERNAL mechanism ................................ 14
   7.1.  Formal syntax ......................................... 15
   7.2.  Example ............................................... 15
   8.    IANA Considerations ................................... 15
   8.1.  Guidelines for IANA ................................... 16
   8.2.  Registration procedure ................................ 16
   8.3.  Comments on SASL mechanism registrations .............. 16
   8.4.  Change control ........................................ 17
   8.5.  Registration template ................................. 17
   8.6.  The EXTERNAL mechanism registration ................... 18
   9.   Security considerations ................................ 18
   10.    References ........................................... 20
   10.1.  Normative References ................................. 20
   10.2.  Informative References ............................... 21
   11.   Editor's Address ...................................... 21
   12.   Acknowledgments ....................................... 22
   13.   Full Copyright Statement .............................. 22
   Appendix A. Relation of SASL to transport security .......... 23
   Appendix B. Changes since RFC 2222 .......................... 24











A. Melnikov                                            FORMFEED[Page ii]