Simple Authentication & Security Layer (SASL)
SASL is an Internet Standard method for adding authentication support to connection-based protocols. Along with the pages on TLS (Transport Layer Security) and Strong Authentication, this page describes the infrastructure of the Isode products that use cryptography.
The Internet family of protocols usually has one protocol for each distinct piece of functionality (e.g., SMTP (Simple Message Transfer Protocol) is used for transferring messages between servers). Authentication is different - there are many approaches. There are two reasons for this. The first is that there is no ideal authentication mechanism: there is generally a trade-off between factors such as user convenience; network security; overall security; ease of management; and efficiency. This leads to there being a choice of mechanisms with different characteristics. The second factor is that the choice of secure authentication mechanisms evolves with increasing availability of computing power (e.g., DES was being replaced with AES) and new technologies (e.g., biometrics). We need to recognize that there will continue to be many approaches to authentication, and should not expect convergence on a single approach.
SASL gives a framework that enables application protocols to negotiate an agreed authentication mechanism. Depending on the agreed mechanism, SASL can enable:
- Server authentication of the client.
- Client authentication of the server.
- Data integrity and/or confidentiality.
SASL's authentication ID approach also provides an elegant mechanism to enable application logins using simple “ids” to be efficiently mapped onto directory-based configuration, and to hide directory naming from the end user.
How SASL works
SASL is not a protocol, but a framework that can be used with protocols such as SMTP. For each protocol that uses SASL, there will be a specification (an Internet Standard in cases where the base protocol is an Internet Standard) as to how the protocol uses SASL. This means that SASL can be used with a wide range of protocols, and can be adapted to the details of how any specific protocol works.
The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client says which one will be used (based on the client’s capabilities and security requirements).
Protocols that contain SASL support include:
- LDAP (Internet Standard Lightweight Directory Access Protocol)
- SMTP (Internet Standard Simple Message Transfer Protocol)
- POP3 (Internet Standard Post Office Protocol v3)
- IMAP (Internet Standard Internet Mail Access Protocol)
- XMPP: Extensible Messaging and Presence Protocol
- Isode's SOM (Switch Operations and Management) Protocol
To be used with SASL, a new authentication mechanism needs to be registered, and any authentication mechanism specific capabilities set out in an Internet standard. Selected SASL authentication mechanisms are listed below:
| Mechanism | Standardization | What it Does |
|---|---|---|
| CRAM-MD5 | RFC 2195 | Use MD5 hash for client authentication |
| DIGEST-MD5 | RFC 2831 | Adds server authentication and confidentiality to CRAM-MD5 |
| GSSAPI | RFC 4752 | For supporting Kerberos authentication |
| EXTERNAL | RFC 4422 | For use with SSL/TLS and X.509 Digital Signatures |
| PLAIN | RFC 4616 | Clear text password |
| LOGIN | de facto | Alternative to PLAIN |
| NTLM | Microsoft Proprietary | Similar to CRAM-MD5 |
| SCRAM-SHA-1 | RFC 5802 | Salted Challenge Response Mechanism, a new standard |
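The negotiation described above, seen from the client side, as an added example (not Isode code): it parses the AUTH keyword of an SMTP EHLO reply and picks one of the mechanisms from the table. The preference order, the rule that refuses cleartext mechanisms without TLS, and the sample reply are assumptions made for illustration.

```python
# Added example: client-side SASL mechanism selection for SMTP AUTH.
# PREFERENCE is an assumed client policy, not a standardized ranking.
PREFERENCE = ["EXTERNAL", "GSSAPI", "SCRAM-SHA-1", "DIGEST-MD5",
              "CRAM-MD5", "PLAIN", "LOGIN"]
CLEARTEXT = {"PLAIN", "LOGIN"}  # the password itself is sent to the server

# Constructed sample EHLO reply (hypothetical host name).
SAMPLE_EHLO = [
    "250-mail.example.test",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN CRAM-MD5 SCRAM-SHA-1",
    "250 8BITMIME",
]


def parse_auth_mechanisms(ehlo_lines):
    """Extract mechanism names from the AUTH keyword of an EHLO reply."""
    mechs = []
    for line in ehlo_lines:
        # Reply lines look like "250-AUTH PLAIN LOGIN" or "250 AUTH PLAIN".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words and words[0].upper() == "AUTH":
            mechs.extend(w.upper() for w in words[1:])
    return mechs


def choose_mechanism(offered, supported, tls_active, have_client_cert=False):
    """Return the most preferred usable mechanism, or None if none is safe."""
    offered = set(offered)
    for mech in PREFERENCE:
        if mech not in offered or mech not in supported:
            continue
        if mech in CLEARTEXT and not tls_active:
            continue  # no cleartext password over an unprotected connection
        if mech == "EXTERNAL" and not (tls_active and have_client_cert):
            continue  # EXTERNAL takes the identity from the TLS layer
        return mech
    return None


if __name__ == "__main__":
    offered = parse_auth_mechanisms(SAMPLE_EHLO)
    print(choose_mechanism(offered, {"PLAIN", "SCRAM-SHA-1"}, tls_active=False))
```

A mechanism list received before TLS is established is unauthenticated, so a client using STARTTLS should request the list again after the TLS handshake and select from that one.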
Information on Isode’s use of SASL EXTERNAL is covered under strong authentication and X.509 support.
Further description of Isode's Kerberos support is given in the whitepaper "Isode Support for Kerberos, Active Directory and Single Sign On" and how it relates to LDAP is given here.
SASL to Support Name Mapping
Isode views SASL as a key technology. Although SASL is widely implemented, many people are not familiar with it or with its role in authentication. Authentication is a key element of Isode's directory vision, and SASL is an important part of this. This section describes how SASL is used in conjunction with Isode’s M-Vault directory to provide generic authentication services.
SASL is important generally in communication protocols, as it enables extensive use of authentication technologies, which is a good thing. It is particularly important in conjunction with LDAP, as directory servers are often used to provide proxy authentication, as illustrated below.

A typical application login will provide a username and password. In a directory configured environment, the account will be represented by an entry in the directory. M-Vault SASL allows this id to be mapped to the directory name. This allows the application to authenticate with M-Vault using a single bind, and for the application to be unaware as to how the login ID is mapped onto a directory name. M-Vault SASL provides a number of options for mapping the login ID to a directory name:
- Searching the directory for an attribute holding the id.
- A two level search, for “user” and “domain” in a user@domain structured id.
- An Active Directory style algorithmic mapping of email address onto directory name.
This mapping provides a clean management structure, and reduces the number of directory operations needed to support authentication.
This model applies to Web applications, and to Isode's own M-Box and M-Switch products, that can map from internet email address login to directory names.
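The three mapping styles listed above, sketched as an added example (not M-Vault code or configuration): each function turns a login ID into the search filter or directory name a server could use, escaping the ID so that characters in it cannot alter the filter or the name. The attribute names (`uid`, `associatedDomain`) and the `cn=...,dc=...` layout are assumptions.

```python
# Added example: the three login-ID mapping styles, with LDAP escaping.
# Attribute names and DN layout are assumptions, not M-Vault configuration.

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn(value):
    """Escape a value for use inside a DN component (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;=' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def split_login(login_id):
    """Split user@domain on the last '@'; reject ids missing either part."""
    user, sep, domain = login_id.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("expected user@domain")
    return user, domain


def attribute_search(login_id, attr="uid"):
    """Option 1: one search for an attribute holding the id."""
    return "(%s=%s)" % (attr, escape_filter(login_id))


def two_level_search(login_id):
    """Option 2: filter for the domain entry, then for the user beneath it."""
    user, domain = split_login(login_id)
    return ("(associatedDomain=%s)" % escape_filter(domain), "(uid=%s)" % escape_filter(user))


def algorithmic_dn(email):
    """Option 3: compute the DN from the address without any search."""
    user, domain = split_login(email)
    labels = domain.split(".")
    if any(not label for label in labels):
        raise ValueError("empty domain label")
    dcs = ",".join("dc=" + escape_dn(label) for label in labels)
    return "cn=%s,%s" % (escape_dn(user), dcs)
```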
Isode's SASL Support
Isode uses SASL in the following protocols and products:
- LDAP (in M-Vault)
- SMTP (in M-Switch)
- SOM Isode protocol (in M-Switch)
- IMAP (in M-Box)
- POP3 (in M-Box)
- ManageSieve (in M-Box)
- XMPP (in M-Link and the Swiften XMPP Client Library)
A further description of Isode's Kerberos support and how it relates to LDAP is available.

