Network Working Group J. Myers Internet Draft Carnegie Mellon Document: draft-myers-auth-sasl-01.txt June 1996 Simple Authentication and Session Layer Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a ``working draft'' or ``work in progress``. To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu, or munnari.oz.au. A revised version of this draft document will be submitted to the RFC editor as a Proposed Standard for the Internet Community. Discussion and suggestions for improvement are requested. This document will expire before December 1996. Distribution of this draft is unlimited. J. Myers [Page i] Internet DRAFT SASL June 3, 1996 1. Abstract This document describes a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating a protection mechanism for subsequent protocol interactions. If use of a protection mechanism is negotiated, a "session layer" is inserted between the protocol and the connection. This document describes how a protocol specifies such a command, defines several mechanisms for use by the command, and defines the protocol used for carrying a negotiated session layer over the connection. 2. Organization of this Document 2.1. How to Read This Document This document is written to serve two different audiences, protocol designers using this specification to support authentication in their protocol, and implementors of clients or servers for those protocols using this specification. The sections "Introduction and Overview", "Profiling requirements", and "Security Considerations" cover issues that protocol designers need to understand and address in profiling this specification for use in a specific protocol. Implementors of a protocol using this specification need the protocol-specific profiling information in addition to the information in this document. 2.2. Conventions Used in this Document In examples, "C:" and "S:" indicate lines sent by the client and server respectively. 2.3. Examples Examples in this document are for the IMAP profile [IMAP4] of this specification. The base64 encoding of challenges and responses is part of the IMAP4 profile, not part of the SASL specification itself. 3. Introduction and Overview The Simple Authentication and Session Layer (SASL) is a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating a J. Myers [Page 2] Internet DRAFT SASL June 3, 1996 protection mechanism for subsequent protocol interactions. The command has a single argument, identifying a SASL mechanism. SASL mechanisms are named by strings, from 1 to 20 characters in length, consisting of upper-case letters, digits, hyphens, and/or underscores. SASL mechanism names must be registered with the IANA. Procedures for registering new SASL mechanisms are given in the section "Registration procedures" If a server supports the requested mechanism, it performs an authentication protocol exchange. This consists of a series of server challenges and client responses that are specific to the requested mechanism. The challenges and responses are defined by the mechanisms as binary tokens of arbitrary length. The protocol's profile then specifies how these binary tokens are then encoded for transfer over the connection. After receiving the authentication command or any client response, a server may issue a challenge, indicate failure, or indicate completion. The protocol's profile specifies how the server indicates which of the above it is doing. After receiving a challenge, a client may issue a response or abort the exchange. The protocol's profile specifies how the client indicates which of the above it is doing. During the authentication protocol exchange, the mechanism performs authentication, transmits an authorization identity (frequently known as a userid) from the client to server, and negotiates the use of a mechanism-specific session layer. If the use of a session layer is agreed upon, then the mechanism must also define or negotiate the maximum cipher-text buffer size that each side is able to receive. If use of a session layer is negotiated, it is applied to all subsequent data sent over the connection. The session layer takes effect immediately following the last response of the authentication exchange for data sent by the client and the completion indication for data sent by the server. Once the session layer is in effect, the protocol stream is processed by the session layer into buffers of cipher-text. Each buffer is transferred over the connection as a stream of octets prepended with a four octet field in network byte order that represents the length of the following buffer. The length of the cipher-text buffer must be no larger than the maximum size that was defined or negotiated by the other side. J. Myers [Page 3] Internet DRAFT SASL June 3, 1996 4. Profiling requirements In order to use this specification, a protocol definition must supply the following information: 1. A service name, to be selected from the IANA registry of "service" elements for the GSSAPI host-based service name form. [GSSAPI] 2. A definition of the command to initiate the authentication protocol exchange. This command must have as a parameter the mechanism name being selected by the client. 3. A definition of the method by which the authentication protocol exchange is carried out, including how the challenges and responses are encoded, how the server indicates completion or failure of the exchange, how the client aborts an exchange, and how the exchange method interacts with any line length limits in the protocol. 4. Identification of the octet where any negotiated session layer starts to take effect, in both directions. 5. A specification of how the authorization identity passed from the client to the server is to be interpreted. 5. Registration procedures The following documents the procedure for registering new SASL mechanism types. While the registration procedures do not require it, authors of SASL mechanisms are encouraged to seek community review and comment whenever that is feasable. Authors may seek community review by posting a specification of their proposed mechanism as an internet- draft. 5.1. Comments on SASL mechanism registrations Comments on registered SASL mechanisms may be submitted by members of the community to IANA. These comments will be passed on to the "owner" of the mechanism if possible. Submitters of comments may request that their comment be attached to the SASL mechanism registration itself, and if IANA approves of this the comment will be made accessible in conjunction with the SASL mechanism registration itself. J. Myers [Page 4] Internet DRAFT SASL June 3, 1996 5.2. Location of Registered SASL Mechanism List Media type registrations will be posted in the anonymous FTP directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl- mechanisms/" and all registered SASL mechanisms will be listed in the periodically issued "Assigned Numbers" RFC [currently RFC- 1700]. The SASL mechanism description and other supporting material may also be published as an Informational RFC by sending it to "rfc- editor@isi.edu" (please follow the instructions to RFC authors [RFC- 1543]). 5.2. Change Control Once a SASL mechanism registration has been published by IANA, the author may request a change to its definition. The change request follows the same procedure as the registration request. The owner of a content type may pass responsibility for the content type to another person or agency by informing IANA; this can be done without discussion or review. The IESG may reassign responsibility for a SASL mechanism. The most common case of this will be to enable changes to be made to types where the author of the registration has died, moved out of contact or is otherwise unable to make changes that are important to the community. SASL mechanism registrations may not be deleted; mechanisms which are no longer believed appropriate for use can be declared OBSOLETE by a change to their "intended use" field; such SASL mechanisms will be clearly marked in the lists published by IANA. 5.3. Registration Template To: iana@isi.edu Subject: Registration of SASL mechanism XXX SASL mechanism name: Security considerations: Published specification (optional, recommended): Person & email address to contact for further information: Intended usage: J. Myers [Page 5] Internet DRAFT SASL June 3, 1996 (One of COMMON, LIMITED USE or OBSOLETE) Author/Change controller: (Any other information that the author deems interesting may be added below this line.) 6. Mechanism definitions The following mechanisms are hereby defined. 6.1. Kerberos version 4 mechanism The mechanism name associated with Kerberos version 4 is "KERBEROS_V4". The first challenge consists of a random 32-bit number in network byte order. The client responds with a Kerberos ticket and an authenticator for the principal "service.hostname@realm", where "service" is the service name specified in the protocol's profile, "hostname" is the first component of the host name of the server with all letters in lower case, and where "realm" is the Kerberos realm of the server. The encrypted checksum field included within the Kerberos authenticator contains the server provided challenge in network byte order. Upon decrypting and verifying the ticket and authenticator, the server verifies that the contained checksum field equals the original server provided random 32-bit number. Should the verification be successful, the server must add one to the checksum and construct 8 octets of data, with the first four octets containing the incremented checksum in network byte order, the fifth octet containing a bit-mask specifying the protection mechanisms supported by the server, and the sixth through eighth octets containing, in network byte order, the maximum cipher-text buffer size the server is able to receive. The server must encrypt the 8 octets of data in the session key and issue that encrypted data in a second challenge. The client considers the server authenticated if the first four octets the un-encrypted data is equal to one plus the checksum it previously sent. The client must construct data with the first four octets containing the original server-issued checksum in network byte order, the fifth octet containing the bit-mask specifying the selected protection mechanism, the sixth through eighth octets containing in network byte order the maximum cipher-text buffer size the client is able to receive, and the following octets containing the authorization identity. The client must then append from one to eight zero-valued octets so that the length of the data is a multiple of eight octets. J. Myers [Page 6] Internet DRAFT SASL June 3, 1996 The client must then PCBC encrypt the data with the session key and respond with the encrypted data. The server decrypts the data and verifies the contained checksum. The server must verify that the principal identified in the Kerberos ticket is authorized to connect as that authorization identiy. After these verifications, the authentication process is complete. The protection mechanisms and their corresponding bit-masks are as follows: 1 No protection mechanism 2 Integrity (krb_mk_safe) protection 4 Privacy (krb_mk_priv) protection EXAMPLE: The following are two Kerberos version 4 login scenarios to the IMAP4 protocol (note that the line breaks in the sample authenticators are for editorial clarity and are not in real authenticators) S: * OK IMAP4 Server C: A001 AUTHENTICATE KERBEROS_V4 S: + AmFYig== C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh S: + or//EoAADZI= C: DiAF5A4gA+oOIALuBkAAmw== S: A001 OK Kerberos V4 authentication successful S: * OK IMAP4 Server C: A001 AUTHENTICATE KERBEROS_V4 S: + gcfgCA== C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh S: A001 NO Kerberos V4 authentication failed J. Myers [Page 7] Internet DRAFT SASL June 3, 1996 6.2. GSSAPI mechanism The mechanism name associated with all mechanisms employing the GSSAPI [GSSAPI] is "GSSAPI". The first challenge issued by the server contains no data. The client calls GSS_Init_sec_context, passing in 0 for input_context_handle (initially) and a targ_name equal to output_name from GSS_Import_Name called with input_name_type of GSS_C_NT_HOSTBASED_SERVICE and input_name_string of "service@hostname" where "service" is the service name specified in the protocol's profile, and "hostname" is the fully qualified host name of the server. The client then responds with the resulting output_token. If GSS_Init_sec_context returns GSS_CONTINUE_NEEDED, then the client should expect the server to issue a token in a subsequent challenge. The client must pass the token to another call to GSS_Init_sec_context. If GSS_Init_sec_context returns GSS_COMPLETE, then the client responds with any resulting output_token. If there is no output_token, the client responds with no data. The client should then expect the server to issue a token in a subsequent challenge. The client passes this token to GSS_Unseal and interprets the first octet of resulting cleartext as a bit-mask specifying the protection mechanisms supported by the server and the second through fourth octets as the maximum size output_message to send to the server. The client then constructs data, with the first octet containing the bit-mask specifying the selected protection mechanism, the second through fourth octets containing in network byte order the maximum size output_message the client is able to receive, and the remaining octets containing the authorization identity. The client passs the data to GSS_Seal with conf_flag set to FALSE, and responds with the generated output_message. The client can then consider the server authenticated. The server starts by issuing a challenge with no data. It passes the resulting client response to GSS_Accept_sec_context as input_token, setting acceptor_cred_handle to NULL (for "use default credentials"), and 0 for input_context_handle (initially). If GSS_Accept_sec_context returns GSS_CONTINUE_NEEDED, the server returns the generated output_token to the client in challenge and passes the resulting response to another call to GSS_Accept_sec_context. If GSS_Accept_sec_context returns GSS_COMPLETE, then if an output_token is returned, the server returns it to the client in a challenge and expects a reply from the client with no data. Whether or not an output_token was returned, the server then constructs 4 J. Myers [Page 8] Internet DRAFT SASL June 3, 1996 octets of data, with the first octet containing a bit-mask specifying the protection mechanisms supported by the server and the second through fourth octets containing in network byte order the maximum size output_token the server is able to receive. The server must then pass the plaintext to GSS_Seal with conf_flag set to FALSE and issue the generated output_message to the client in a challenge. The server must then pass the resulting response to GSS_Unseal and interpret the first octet of resulting cleartext as the bit-mask for the selected protection mechanism, the second through fourth octets as the maximum size output_message to send to the client, and the remaining octets as the authroization identity. Upon verifying the src_name is authorized to authenticate as the authorization identity, The server should then consider the client authenticated. The protection mechanisms and their corresponding bit-masks are as follows: 1 No protection mechanism 2 Integrity protection. Sender calls GSS_Seal with conf_flag set to FALSE 4 Privacy protection. Sender calls GSS_Seal with conf_flag set to TRUE J. Myers [Page 9] Internet DRAFT SASL June 3, 1996 6.4. S/Key mechanism The mechanism name associated with S/Key [SKEY] is "SKEY". The challenge issued by the server contains no data. The client responds with the authorization identity. The data encoded in the second ready response contains the decimal sequence number followed by a single space and the seed string for the indicated authorization identity. The client responds with the one-time-password, as either a 64-bit value in network byte order or encoded in the "six English words" format. Upon successful verification of the one-time-password, the server should consider the client authenticated. S/Key authentication does not provide for any protection mechanisms. EXAMPLE: The following are two S/Key login scenarios in the IMAP4 protocol. S: * OK IMAP4 Server C: A001 AUTHENTICATE SKEY S: + C: bW9yZ2Fu S: + OTUgUWE1ODMwOA== C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA== S: A001 OK S/Key authentication successful S: * OK IMAP4 Server C: A001 AUTHENTICATE SKEY S: + C: c21pdGg= S: + OTUgUWE1ODMwOA== C: BsAY3g4gBNo= S: A001 NO S/Key authentication failed J. Myers [Page 10] Internet DRAFT SASL June 3, 1996 7. References [IMAP4] Crispin, M., "Internet Message Access Protocol - Version 4", RFC 1730, University of Washington, December 1994. [GSSAPI] Linn, J., "Generic Security Service Application Program Interface, Version 2", draft-ietf-cat-gssv2-XX, Geer Zolot Associates, May 1996 [RFC-1543] Postel, J., "Instructions to RFC Authors", RFC 1543, October 1993 [SKEY] Haller, Neil M. "The S/Key One-Time Password System", RFC 1760, Bellcore, February 1995 8. Security Considerations Security issues are discussed throughout this memo. The mechanisms that support integrity protection are designed such that the negotiation of the session layer and authorization identity is integrity protected. When the client selects a session layer with at least integrity protection, this protects against an active attacker hijacking the connection and modifying the authentication exchange to negotiate a plaintext connection. The client's selection of an mechanism is done in the clear and may be modified by an active attacker. It is important for any new authentiction mechanisms to be designed such that credentials for existing mechanisms are not usable. Any protocol interactions prior to authentication are performed in the clear and may be modified by an active attacker. In the case where a client selects integrity protection, it is important that any security-sensitive protocol negotiations be performed after authenticaiton is complete. Protocols should be designed such that negotiations performed prior to authentication should be ignored once authentication is complete. 9. Author's Address John G. Myers Carnegie-Mellon University 5000 Forbes Ave. Pittsburgh PA, 15213-3890 EMail: jgm+@cmu.edu J. Myers [Page 11] Internet DRAFT SASL June 3, 1996 Table of Contents Status of this Memo ............................................... i 1. Abstract ..................................................... 2 2. Organization of this Document ................................ 2 2.1. How to Read This Document .................................... 2 2.2. Conventions Used in this Document ............................ 2 2.3. Examples ..................................................... 2 3. Introduction and Overview .................................... 2 4. Profiling requirements ....................................... 4 5. Registration procedures ...................................... 4 5.1. Comments on SASL mechanism registrations ..................... 4 5.2. Location of Registered SASL Mechanism List .................. 5 5.2. Change Control .............................................. 5 5.3. Registration Template ....................................... 5 6. Mechanism definitions ........................................ 6 6.1. Kerberos version 4 mechanism ................................. 6 6.2. GSSAPI mechanism ............................................. 8 6.4. S/Key mechanism .............................................. 10 7. References ................................................... 11 8. Security Considerations ...................................... 11 9. Author's Address ............................................. 11 J. Myers [Page ii]