Simple Authentication and Security Layer
{{short description|Framework for authentication and data security in Internet protocols}}
'''Simple Authentication and Security Layer''' ('''SASL''') is a [[Software framework|framework]] for [[authentication]] and [[data security]] in Internet [[communications protocol|protocol]]s. It decouples authentication mechanisms from [[application protocol]]s, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support ''proxy authorization'', a facility allowing one user to assume the identity of another. They can also provide a ''data security layer'' offering ''data integrity'' and ''data confidentiality'' services; DIGEST-MD5 and GSSAPI are examples of mechanisms that can provide such a layer. Application protocols that support SASL typically also support [[Transport Layer Security]] (TLS) to complement the services offered by SASL.

John Gardiner Myers wrote the original SASL specification (RFC 2222) in 1997. In 2006, that document was replaced by RFC 4422, authored by Alexey Melnikov and Kurt D. Zeilenga. SASL, as defined by RFC 4422, is an [[IETF]] ''Standards Track'' protocol and is, {{as of | 2006|lc=y}}, a ''[[Internet Standard|Proposed Standard]]''.

==SASL mechanisms==
A SASL mechanism implements a series of challenges and responses between client and server; the application protocol only carries the mechanism's messages as opaque data. Defined SASL mechanisms<ref>{{cite web|url=https://www.iana.org/assignments/sasl-mechanisms|title=Simple Authentication and Security Layer (SASL) Mechanisms|work=iana.org}}</ref> include:
{{glossary}}
{{term|EXTERNAL}}
{{defn|where authentication is implicit in the context (e.g., for protocols already using [[IPsec]] or [[Transport Layer Security|TLS]])}}
{{term|ANONYMOUS}}
{{defn|for unauthenticated guest access (RFC 4505)}}
{{term|PLAIN}}
{{defn|a simple [[cleartext]] [[password]] mechanism, defined in RFC 4616; because the password itself is transmitted, it relies on an external confidentiality layer such as TLS}}
{{term|OTP}}
{{defn|a [[one-time password]] mechanism. Obsoletes the SKEY mechanism.}}
{{term|SKEY}}
{{defn|an [[S/KEY]] mechanism.}}
{{term|[[CRAM-MD5]]}}
{{defn|a simple challenge-response scheme based on [[HMAC|HMAC-MD5]].}}
{{term|[[Digest access authentication|DIGEST-MD5]]}}
{{defn|''(historic<ref>RFC 6331</ref>)'', partially [[HTTP]] Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offered a data security layer.}}
{{term|[[Salted Challenge Response Authentication Mechanism|SCRAM]]}}
{{defn|a modern challenge-response mechanism (RFC 5802) with channel-binding support; the server stores a salted, iterated hash of the password rather than the password itself, and the client also verifies the server}}
{{term|[[NTLM]]}}
{{defn|an NT LAN Manager authentication mechanism}}
{{term|GS2-}}
{{defn|a family of mechanisms that carries arbitrary [[GSS-API]] mechanisms over SASL.<ref>{{cite web |url=http://josefsson.org/sasl-gs2/ |title=Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family |author=Simon Josefsson }}</ref> It is now standardized as RFC 5801.}}
{{term|[[GSSAPI]]}}
{{defn|for [[Kerberos protocol|Kerberos]] V5 authentication via the [[Generic Security Services Application Program Interface|GSSAPI]]. GSSAPI offers a data-security layer.}}
{{term|BROWSERID-AES128}}
{{defn|for [[Mozilla Persona]] authentication<ref>{{cite web |url=http://tools.ietf.org/id/draft-howard-gss-browserid |title=A SASL and GSS-API Mechanism for the BrowserID Authentication Protocol |author=Luke Howard }}</ref>}}
{{term|EAP-AES128}}
{{defn|for GSS EAP authentication<ref>{{cite web |url=http://tools.ietf.org/html/draft-ietf-abfab-gss-eap |title=A GSS-API Mechanism for the Extensible Authentication Protocol |author=Sam Hartman |date=December 2013 }}</ref>}}
{{term|[[MSN Chat#GateKeeper and GateKeeperPassport|GateKeeper]] (& [[MSN Chat#GateKeeper and GateKeeperPassport|GateKeeperPassport]])}}
{{defn|a challenge-response mechanism developed by [[Microsoft]] for [[MSN Chat]]}}
{{term|[[OAuth#OAuth 2.0|OAUTHBEARER]]}}
{{defn|[[OAuth#OAuth 2.0|OAuth 2.0]] bearer tokens (RFC 6750), communicated through TLS<ref name=rfc7628>{{cite IETF |title= A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth |rfc= 7628 |date=August 2015 |publisher= [[Internet Engineering Task Force|IETF]] |accessdate= October 7, 2016}}</ref>}}
{{term|[[OAuth|OAUTH10A]]}}
{{defn|[[OAuth]] 1.0a message-authentication-code tokens (RFC 5849, Section 3.4.2)<ref name=rfc7628 />}}
{{glossary end}}

==SASL-aware application protocols==
Application protocols define their representation of SASL exchanges with a ''profile''.
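Worked example of one such challenge-response exchange and of how a profile carries it, added to this article; it is not code from the article, from Cyrus SASL, GNU SASL or any other project. It implements a SCRAM-SHA-1 client and server following RFC 5802 and drives them through the SMTP AUTH profile of RFC 4954, so the transcript shows the base64-wrapped mechanism messages an SMTP client and server would actually exchange. The user name, password, salt and both nonces are fixed, constructed values chosen so that a run is reproducible; a real implementation draws nonces from a CSPRNG, applies SASLprep to names and passwords, and escapes "," and "=" in user names. This toy server rejects channel binding and proxy-authorization (the GS2 header's authzid) rather than supporting them.

```python
# SCRAM-SHA-1 (RFC 5802) client and server, run as an SMTP AUTH (RFC 4954) exchange.
# Added example, not code from Cyrus SASL, GNU SASL or any other project. Nonces and
# salt are fixed, constructed values; real code uses a CSPRNG and SASLprep (omitted).
import base64
import hashlib
import hmac

HASH = "sha1"                   # "sha256" gives SCRAM-SHA-256 (RFC 7677)
MECH = "SCRAM-SHA-" + HASH[3:]  # mechanism name announced on the AUTH line
GS2 = "n,,"                     # GS2 header: no channel binding, no authzid

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()
def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()
def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def parse_attrs(msg: str) -> dict:
    """'r=..,s=..,i=..' -> dict, splitting on the first '=' only (base64 contains '=')."""
    return dict(part.partition("=")[::2] for part in msg.split(","))

def make_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores instead of the password (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}

class ScramClient:
    def __init__(self, user: str, password: str, nonce: str):
        self.user, self.password, self.nonce = user, password, nonce

    def first(self) -> str:
        self.bare = f"n={self.user},r={self.nonce}"
        return GS2 + self.bare

    def final(self, server_first: str) -> str:
        a = parse_attrs(server_first)
        if not a["r"].startswith(self.nonce):  # reply must be to our own challenge
            raise ValueError("server did not echo the client nonce")
        salted = hashlib.pbkdf2_hmac(HASH, self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c={_b64(GS2.encode())},r={a['r']}"
        self.auth_msg = ",".join((self.bare, server_first, without_proof)).encode()
        proof = _xor(client_key, _hmac(_h(client_key), self.auth_msg))
        return f"{without_proof},p={_b64(proof)}"

    def check_server(self, server_final: str) -> bool:
        """Mutual authentication: the server must prove it holds ServerKey."""
        v = base64.b64decode(parse_attrs(server_final)["v"])
        return hmac.compare_digest(v, _hmac(self.server_key, self.auth_msg))

class ScramServer:
    def __init__(self, verifiers: dict, nonce: str):
        self.verifiers, self.nonce = verifiers, nonce

    def first(self, client_first: str) -> str:
        cb_flag, authzid, self.bare = client_first.split(",", 2)
        if cb_flag != "n" or authzid:
            raise ValueError("channel binding / authzid not handled by this toy")
        a = parse_attrs(self.bare)
        self.v = self.verifiers[a["n"]]  # real servers fake a reply for unknown users
        self.combined = a["r"] + self.nonce
        self.server_first = f"r={self.combined},s={_b64(self.v['salt'])},i={self.v['iterations']}"
        return self.server_first

    def final(self, client_final: str):
        """Server-final message on success, None if the proof does not verify."""
        without_proof, _, proof_b64 = client_final.rpartition(",p=")
        if parse_attrs(client_final)["r"] != self.combined:
            return None
        auth_msg = ",".join((self.bare, self.server_first, without_proof)).encode()
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.v["stored_key"], auth_msg))
        if not hmac.compare_digest(_h(client_key), self.v["stored_key"]):
            return None
        return "v=" + _b64(_hmac(self.v["server_key"], auth_msg))

def smtp_auth(client: ScramClient, server: ScramServer):
    """One exchange as an SMTP AUTH transcript (RFC 4954); returns (ok, lines)."""
    cf = client.first()
    lines = [f"C: AUTH {MECH} {_b64(cf.encode())}"]
    sf = server.first(cf)
    lines.append("S: 334 " + _b64(sf.encode()))
    cl = client.final(sf)
    lines.append("C: " + _b64(cl.encode()))
    sfin = server.final(cl)
    if sfin is None:
        return False, lines + ["S: 535 5.7.8 Authentication credentials invalid"]
    lines.append("S: 334 " + _b64(sfin.encode()))
    if not client.check_server(sfin):
        return False, lines + ["C: *"]  # '*' cancels: server failed to prove itself
    return True, lines + ["C:", "S: 235 2.7.0 Authentication successful"]

def demo(password: str = "pencil"):
    """Constructed user 'user' / password 'pencil'; any other password must fail."""
    verifiers = {"user": make_verifier("pencil", b"constructed-salt", 4096)}
    server = ScramServer(verifiers, nonce="3rfcNHYJY1ZVvWVs7j")
    client = ScramClient("user", password, nonce="fyko+d2lbbFgONRv9qkxdawL")
    return smtp_auth(client, server)
```

`demo()` returns the six-line transcript ending in `235`; `demo("wrong")` ends in `535` because the server recovers a ClientKey whose hash does not match its StoredKey. Two points the list above states in a sentence are visible here in code: the server never receives the password, only a proof bound to both nonces and to every earlier message (the AuthMessage), and the client refuses to proceed unless the server's `v=` signature checks out. Switching `HASH` to `"sha256"` turns the same code into SCRAM-SHA-256 as defined in RFC 7677.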
A protocol has a ''service name'' such as "ldap" in a registry shared with [[Generic Security Services Application Program Interface|GSSAPI]] and [[Kerberos protocol|Kerberos]].<ref>{{cite web|url=https://www.iana.org/assignments/gssapi-service-names|title=Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names|work=iana.org}}</ref>

{{As of | 2012}}, protocols supporting SASL include:
* [[Application Configuration Access Protocol]]
* [[Advanced Message Queuing Protocol]] (AMQP)
* [[Blocks Extensible Exchange Protocol]]
* [[Internet Message Access Protocol]] (IMAP)
* [[IMSP|Internet Message Support Protocol]]
* [[Internet Relay Chat]] (IRC) (with [[IRCX]] or the [http://ircv3.net/specs/extensions/sasl-3.1.html IRCv3 SASL extension])
* [[Lightweight Directory Access Protocol]] (LDAP)
* [[libvirt]]
* ManageSieve (RFC 5804)
* [[memcached]]
* [[Post Office Protocol]] (POP)
* [[RFB protocol|Remote framebuffer protocol]]<ref>{{cite web|url=http://realvnc.com/pipermail/vnc-list/2008-December/059462.html|title=Request for allocation of new security type code for SASL auth|work=realvnc.com}}</ref> used by [[VNC]]
* [[Simple Mail Transfer Protocol]] (SMTP)
* [[Apache Subversion|Subversion]] {{Mono|svn}} protocol
* [[Extensible Messaging and Presence Protocol]] (XMPP)

==See also==
* [[Transport Layer Security]] (TLS)

==References==
{{Reflist}}

==External links==
* {{IETF RFC|4422}} - Simple Authentication and Security Layer (SASL) - obsoletes {{IETF RFC|2222}}
* {{IETF RFC|4505}} - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes {{IETF RFC|2245}}
* {{IETF RFC|4616}} - The PLAIN Simple Authentication and Security Layer (SASL) Mechanism - updates {{IETF RFC|2595}}
* The IETF [https://datatracker.ietf.org/wg/sasl/ SASL Working Group], chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
* [https://www.cyrusimap.org/sasl/ Cyrus SASL], a free and portable SASL library providing generic security for various applications
* [https://www.gnu.org/software/gsasl/ GNU SASL], a free and portable SASL command-line utility and library, distributed under the [[GNU]] [[GPL|GPLv3]] and [[LGPL|LGPLv2.1]], respectively
* [http://wiki.dovecot.org/Sasl Dovecot SASL], a SASL implementation
* {{IETF RFC|2831}} ''(historic)'' - Using Digest Authentication as a SASL Mechanism, obsoleted by {{IETF RFC|6331}}
* [http://download.oracle.com/javase/6/docs/technotes/guides/security/sasl/sasl-refguide.html Java SASL API] Programming and Deployment Guide

{{Authentication APIs}}
[[Category:Cryptographic protocols]]
[[Category:Internet Standards]]
[[Category:Computer access control protocols]]