Simple Authentication and Security Layer

from Wikipedia, the free encyclopedia

Simple Authentication and Security Layer (SASL) is a framework used by various protocols for authentication on the Internet. It was defined as RFC 2222 in October 1997, which was replaced by RFC 4422 in June 2006.

SASL thus offers the application protocol a standardized way of negotiating communication parameters. As a rule, only one authentication method is negotiated, but it can also be agreed that an encrypted transport protocol, such as TLS, is set up first. The SASL implementations on the client and server sides agree on a mechanism, which the application can then use transparently. This standard significantly simplifies the development of secure application protocols: the developer only has to use an existing SASL implementation instead of implementing a complete authentication and data encryption process themselves.

SASL is used in SMTP, IMAP, POP3, LDAP and XMPP, among others.

SASL authentication mechanisms

The standardized mechanisms are listed at the IANA (see web links). The following is a list of the most popular mechanisms:

  • PLAIN, all data are exchanged in plain text (TLS usually provides the necessary protection here)
  • GSSAPI, itself a framework that offers Kerberos v5, for example
  • CRAM-MD5, avoids transmitting the password in plain text
  • DIGEST-MD5, similar to CRAM-MD5, but with the option of negotiating additional parameters such as integrity protection
  • SCRAM (RFC 5802), a mechanism based on a modern challenge-response method
  • OTP, provides password verification without the server knowing the password
  • ANONYMOUS, the user can use the service without authentication
  • EXTERNAL, authentication takes place outside of SASL
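The negotiation described above and the difference between the PLAIN and CRAM-MD5 mechanisms, as an added example that is not part of the Wikipedia article or of any SASL library: the server advertises its mechanisms, the client picks one according to a simple policy (PLAIN only when TLS is already active), and both sides then carry out the PLAIN (RFC 4616) or CRAM-MD5 (RFC 2195) exchange. The function names, the preference order and the credential store are this example's own assumptions.

```python
"""Added example (not from the article): SASL mechanism selection followed by the
PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) exchanges, client and server side."""
import base64
import hashlib
import hmac
import secrets
import time

# Client preference order, strongest first (constructed for this example).
CLIENT_PREFERENCE = ["SCRAM-SHA-256", "CRAM-MD5", "PLAIN"]


def select_mechanism(server_offered, tls_active, preference=CLIENT_PREFERENCE):
    """Pick the first client-preferred mechanism the server also offers.
    PLAIN sends the password in clear text, so it is only acceptable when the
    connection is already protected by TLS; otherwise None (refuse to log in)."""
    for mech in preference:
        if mech not in server_offered:
            continue
        if mech == "PLAIN" and not tls_active:
            continue
        return mech
    return None


# --- PLAIN (RFC 4616): message = authzid NUL authcid NUL passwd, base64-encoded ---
def plain_initial_response(authcid, password, authzid=""):
    """Client side. Note that the password itself is inside the message."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_verify(b64_message, credential_db):
    """Server side: decode the three fields and compare against the stored password."""
    raw = base64.b64decode(b64_message)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return False
    _authzid, authcid, password = (p.decode("utf-8") for p in parts)
    stored = credential_db.get(authcid)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


# --- CRAM-MD5 (RFC 2195): server challenge, client answers with HMAC-MD5 ---
def cram_md5_challenge(hostname="example.invalid"):
    """Server side: a fresh, unique challenge in the RFC 2195 msg-id style.
    Uniqueness matters: a reused challenge lets a recorded response be replayed."""
    nonce = secrets.token_hex(8)
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_response(username, password, challenge):
    """Client side: 'username hex(HMAC-MD5(key=password, msg=challenge))'.
    Only the keyed digest leaves the client, never the password itself."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response, challenge, credential_db):
    """Server side: recompute the HMAC from the stored password and compare in
    constant time. Caveat: the server must keep the password (or an equivalent
    HMAC intermediate state) rather than a salted hash, which PLAIN over TLS
    or SCRAM do not require."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = credential_db.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    creds = {"alice": "s3cret"}  # constructed credential store
    offered = ["PLAIN", "CRAM-MD5"]  # constructed server advertisement
    mech = select_mechanism(offered, tls_active=False)
    print("selected without TLS:", mech)  # CRAM-MD5, PLAIN is refused
    chal = cram_md5_challenge()
    resp = cram_md5_response("alice", "s3cret", chal)
    print("CRAM-MD5 response:", resp, "->", cram_md5_verify(resp, chal, creds))
    msg = plain_initial_response("alice", "s3cret")
    print("PLAIN message:", msg, "->", plain_verify(msg, creds))
```

The PLAIN message decodes directly to the password, which is why the policy in select_mechanism refuses it on an unprotected connection; the CRAM-MD5 response carries only a digest bound to a one-time challenge, but the server side has to hold a password-equivalent to verify it.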

Literature

  • Roland Bless et al.: Secure network communication, Springer Verlag, 2005, ISBN 3-540-21845-9.

Web links