What is SASL

SASL (Simple Authentication and Security Layer) is an Internet standard method for adding authentication support to connection-based protocols. Along with the pages on TLS (Transport Layer Security) and Strong Authentication, this page describes all of the infrastructure of the Isode products that use cryptography.

The Internet family of protocols usually has one protocol for each distinct piece of functionality (e.g., SMTP (Simple Message Transfer Protocol) is used for transferring messages between servers). Authentication is different: there are many approaches. There are two reasons for this. The first is that there is no ideal authentication mechanism: there always seems to be a trade-off between factors such as user convenience, network security, overall security, ease of management and efficiency. This leads to a choice of mechanisms with different characteristics. The second is that the choice of secure authentication mechanisms evolves with increasing availability of computing power (e.g., DES is being replaced with Rijndael) and new technologies (e.g., biometrics). We need to recognize that there will continue to be many approaches to authentication, and should not expect convergence on a single approach.

SASL gives a framework that enables application protocols to negotiate an agreed authentication mechanism. Depending on the agreed mechanism, SASL can provide:

  • Server authentication of the client.
  • Client authentication of the server.
  • Data confidentiality.

SASL’s authentication ID approach also provides an elegant mechanism for application logins using simple “ids” to be efficiently mapped onto directory-based configuration, hiding directory naming from the end user.

How SASL works

SASL is not a protocol, but a framework that can be used with protocols such as SMTP. For each protocol that uses SASL, there is a specification (an Internet Standard where the base protocol is an Internet Standard) of how the protocol uses SASL. This means that SASL can be used with a wide range of protocols, and can be adapted to the details of how any specific protocol works.

The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client says which one will be used (based on the client’s capabilities and security requirements).
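The negotiation just described, as an added example that is not part of the original page or of any Isode product: the server's advertised list is parsed as it would appear in an SMTP EHLO response, and the client picks the best mechanism it supports that its own policy allows. The preference order and the rule that clear-text password mechanisms need an already-protected connection are assumptions chosen for illustration.

```python
# Added example (not Isode's code): a SASL client choosing among the
# mechanisms a server advertises. Preference order and TLS policy are
# constructed for illustration, not taken from any standard.

# Client preference, strongest first. Clear-text password mechanisms are
# last and only permitted when the connection is already protected.
CLIENT_PREFERENCE = ["GSSAPI", "SRP", "EXTERNAL", "DIGEST-MD5",
                     "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_server_mechs(ehlo_line):
    """Parse the mechanism list from an SMTP EHLO response line such as
    '250-AUTH PLAIN LOGIN CRAM-MD5' (or '250 AUTH ...' for the last line).
    Returns the mechanism names upper-cased, or [] if the line is not AUTH."""
    line = ehlo_line.strip()
    for prefix in ("250-", "250 "):
        if line.startswith(prefix):
            line = line[len(prefix):]
            break
    parts = line.split()
    if not parts or parts[0].upper() != "AUTH":
        return []
    return [p.upper() for p in parts[1:]]


def choose_mechanism(server_mechs, client_mechs, tls_active):
    """Return the first mechanism in client preference order that both sides
    support and that the client's policy permits, or None if there is none."""
    offered = set(server_mechs)
    for mech in CLIENT_PREFERENCE:
        if mech not in offered or mech not in client_mechs:
            continue
        if mech in PLAINTEXT_MECHS and not tls_active:
            continue  # never send a clear-text password on an unprotected link
        return mech
    return None


if __name__ == "__main__":
    offered = parse_server_mechs("250-AUTH PLAIN LOGIN CRAM-MD5")
    print(choose_mechanism(offered, {"PLAIN", "CRAM-MD5", "DIGEST-MD5"}, False))
```

When the server offers only PLAIN and LOGIN over an unprotected connection the client gets None and should abort or start TLS first rather than downgrade.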

Protocols that contain SASL support include:

  • LDAP (Internet Standard Lightweight Directory Access Protocol)
  • SMTP (Internet Standard Simple Message Transfer Protocol)
  • POP3 (Internet Standard Post Office Protocol v3)
  • IMAP (Internet Standard Internet Mail Access Protocol)
  • XML based protocols: Extensible Messaging and Presence Protocol (XMPP) and The Blocks Extensible Exchange Protocol (BEEP)

To be used with SASL, a new authentication mechanism needs to be registered, and any mechanism-specific capabilities set out in an Internet standard. Selected SASL authentication mechanisms are listed below:

Mechanism     Standardization          What it does
CRAM-MD5      RFC 2195                 Uses MD5 hash for client authentication
DIGEST-MD5    RFC 2831                 Adds server authentication and confidentiality to CRAM-MD5
GSSAPI        RFC 2222                 For supporting Kerberos authentication
EXTERNAL      RFC 4422                 For use with TLS/SSL and X.509 digital signatures
PLAIN         RFC 4616                 Clear-text password
LOGIN         De facto                 Alternative to PLAIN
NTLM          Microsoft proprietary    Similar to CRAM-MD5
SRP           Internet Draft           Secure Remote Password


SASL to Support Name Mapping

Isode views SASL as a key technology. Although SASL is widely implemented, many people are not familiar with it or with its role in authentication. Authentication is a key element of Isode's directory vision, and SASL is an important part of this. This section describes how SASL is used in conjunction with Isode’s M-Vault directory to provide generic authentication services.

SASL is important generally in communication protocols, as it enables extensive use of authentication technologies. It is particularly important in conjunction with LDAP, as directory servers are often used to provide proxy authentication, as illustrated below.

A typical application login will provide a username and password. In a directory-configured environment, the account will be represented by an entry in the directory. M-Vault SASL allows this id to be mapped to the directory name. This allows the application to authenticate with M-Vault using a single bind, without the application needing to know how the login ID is mapped onto a directory name. M-Vault SASL provides a number of options for mapping the login ID to a directory name:

  1. Searching the directory for an attribute holding the id.
  2. A two level search, for “user” and “domain” in a user@domain structured id.
  3. An Active Directory compatible algorithmic mapping of email address onto directory name.
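The three mapping styles above, as an added example that is not M-Vault's code, run against a constructed in-memory directory standing in for an LDAP server. The attribute names (mail, uid, associatedDomain), the DN shapes and the rule used for the algorithmic mapping are all assumptions; the point is that each style resolves a login ID to exactly one directory name or fails, with an ambiguous match treated as a failure.

```python
# Added example (not Isode's code): the three login-ID to directory-name
# mapping styles, over a constructed in-memory directory. Attribute names,
# DN shapes and the algorithmic rule are assumptions for illustration.

# Constructed directory: DN -> attributes. Two users share uid "alice".
DIRECTORY = {
    "dc=example,dc=com": {"associatedDomain": "example.com"},
    "cn=Alice Smith,ou=people,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com"},
    "dc=example,dc=net": {"associatedDomain": "example.net"},
    "cn=Alice Brown,ou=people,dc=example,dc=net": {"uid": "alice", "mail": "alice@example.net"},
}


def search(base, attr, value):
    """DNs below `base` ('' for the whole directory) whose `attr` equals `value`."""
    return [dn for dn, attrs in DIRECTORY.items()
            if (base == "" or dn.endswith("," + base)) and attrs.get(attr) == value]


def unique(matches):
    """A login must resolve to exactly one entry; zero or several means failure."""
    return matches[0] if len(matches) == 1 else None


def map_by_attribute(login_id, attr="mail"):
    # Style 1: a single search for an attribute holding the id.
    return unique(search("", attr, login_id))


def map_user_domain(login_id):
    # Style 2: two-level search, the domain entry first, then the user below it.
    user, sep, domain = login_id.partition("@")
    if not sep:
        return None
    domain_dn = unique(search("", "associatedDomain", domain.lower()))
    if domain_dn is None:
        return None
    return unique(search(domain_dn, "uid", user))


def map_ad_style(login_id):
    # Style 3: algorithmic, no search at all. Assumed rule (not Isode's): the
    # domain labels become dc= components, the local part becomes the leaf cn=.
    user, sep, domain = login_id.partition("@")
    if not sep or not user or not domain:
        return None
    dcs = ",".join("dc=" + label for label in domain.lower().split("."))
    return f"cn={user},{dcs}"
```

Style 2 disambiguates the shared uid because the domain entry narrows the search base; style 1 on uid alone returns None for the same login.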

This mapping provides a clean management structure, and reduces the number of directory operations needed to support authentication.

This model applies to Web applications, and to Isode’s own M-Box and M-Switch products, which can map from an Internet email address login to a directory name.

Isode's SASL Support

Isode supports SASL with the following protocols:

  • LDAP (in M-Vault)
  • SMTP (in M-Switch)
  • IMAP (in M-Box)
  • POP3 (in M-Box)
  • SOM (Isode protocol in M-Switch)

Isode supports the following SASL mechanisms:

  • CRAM-MD5
  • DIGEST-MD5
  • GSSAPI
  • PLAIN
  • EXTERNAL
  • NTLM
  • LOGIN
  • SRP

Further description of Isode's Kerberos support and how it relates to LDAP is given here.

Copyright © 2008 Isode