draft-josefsson-sasl-external-channel-00.txt   draft-josefsson-sasl-external-channel-01.txt 
Network Working Group S. Josefsson Network Working Group S. Josefsson
Internet-Draft SJD Internet-Draft SJD AB
Intended status: Standards Track August 5, 2008 Intended status: Standards Track April 14, 2009
Expires: February 6, 2009 Expires: October 16, 2009
SASL Mechanism for External Authentication using Channel Bindings: SASL Mechanism for External Authentication using a Named Channel:
EXTERNAL-CHANNEL EXTERNAL-CHANNEL
draft-josefsson-sasl-external-channel-00 draft-josefsson-sasl-external-channel-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79. This document may contain material
have been or will be disclosed, and any of which he or she becomes from IETF Documents or IETF Contributions published or made publicly
aware will be disclosed, in accordance with Section 6 of BCP 79. available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on February 6, 2009. This Internet-Draft will expire on October 16, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This document describes a way to perform end-user authentication in This document describes a way to perform end-user authentication in
the Simple Authentication and Security Layer (SASL) framework which the Simple Authentication and Security Layer (SASL) framework by re-
re-use an external security layer (such as the Transport Layer using an external security layer (such as the Transport Layer
Security (TLS) protocol) that may have already completed end-user Security (TLS) protocol) that may have already completed end-user
authentication. In comparison with the existing EXTERNAL mechanism, authentication. In comparison with the existing EXTERNAL mechanism,
this mechanism offers a way to cryptographically bind the this mechanism alleviates the a priori assumptions made by the design
authentication to the security layer via a channel binding. The of the EXTERNAL mechanism. This mechanism transfers an identifier of
EXTERNAL-CHANNEL mechanism alleviates the a priori assumptions made the external channel to be used explicitly.
by the design of the EXTERNAL mechanism.
See <http://josefsson.org/external-channel/> for more information. See <http://josefsson.org/external-channel/> for more information.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Technical Specification . . . . . . . . . . . . . . . . . . . 3 2. Technical Specification . . . . . . . . . . . . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Making Authorization Decisions . . . . . . . . . . . . . . . . 6 4. Making Authorization Decisions . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . . 8 8.2. Informative References . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9
Intellectual Property and Copyright Statements . . . . . . . . . . 10
1. Introduction 1. Introduction
The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a
client to request the server to use credentials established by means client to request the server to use credentials established by means
external to the mechanism to authenticate the client. The external external to the mechanism to authenticate the client. The external
means may be, for instance, TLS [RFC4346] or IP Security [RFC4301] means may be, for instance, TLS [RFC5246] or IP Security [RFC4301]
services. services.
The EXTERNAL mechanism requires some a prior agreement between the The EXTERNAL mechanism requires some a prior agreement between the
client and the server regarding which external channel, and client and the server regarding which external channel, and
consequently which external credentials, should be used for consequently which external credentials, should be used for
authentication. In practice this has often meant that the EXTERNAL authentication. In practice this has often meant that the EXTERNAL
mechanism is only used when there is tight out of band interaction mechanism is only used when there is tight out of band interaction
between the server administration and client user. This has an between the server administration and client user. This has impacted
impact of the interoperability of the EXTERNAL mechanism. the interoperability of the EXTERNAL mechanism.
The EXTERNAL-CHANNEL mechanism, specified in this document, is The EXTERNAL-CHANNEL mechanism, specified in this document, is
similar to the EXTERNAL mechanism in that it relies on an external similar to the EXTERNAL mechanism in that it relies on an external
channel to perform the user authentication. However, EXTERNAL- channel to perform the user authentication. However, EXTERNAL-
CHANNEL provides a way for the client to provide an identifier of the CHANNEL provides a way for the client to provide an identifier of the
external channel that provides the user credentials. The intention external channel that provides the user credentials. The intention
is that the server need not rely on a priori arrangement to identify is that the server need not rely on a priori arrangement to identify
the secure channel that was used, but can automatically find the the secure channel that was used, but can automatically find the
intended channel and re-use its credentials for the SASL intended channel and re-use its credentials for the SASL
authentication. authentication.
In the EXTERNAL-CHANNEL mechanism the external channel is identified In the EXTERNAL-CHANNEL mechanism, the external channel is identified
using the "Channel binding unique prefix" string as defined in using the "Channel binding unique prefix" string as defined in
[RFC5056]. A channel bindings is transferred, so that the server can [RFC5056].
verify that the client is a peer of the same secure channel as the
server.
Binding authentication to a specific encrypted session can protect
from certain attacks [MITM]. It can also help to improve performance
by having peers agree to re-use a secure channel rather than to set
up a new.
2. Technical Specification 2. Technical Specification
The name of this mechanism is "EXTERNAL-CHANNEL". The name of this mechanism is "EXTERNAL-CHANNEL".
The mechanism does not provide a security layer. It provides similar The mechanism does not provide a security layer. It provides similar
functionality by relying on an external channel. functionality by relying on an external channel.
The mechanism is capable of transferring a channel binding and an The mechanism is capable of transferring a channel name and an
authorization identity string. If the authorization identity string authorization identity string. If the authorization identity string
is empty, the client is requesting to act as the identity the server is empty, the client is requesting to act as the identity the server
has associated with the client's credentials. If the authorization has associated with the client's credentials. If the authorization
identity string is non-empty, the client is requesting to act as the identity string is non-empty, the client is requesting to act as the
identity represented by the string. The channel binding name cannot identity represented by the string. The channel name cannot be
be empty. empty.
The client is expected to send data first in the authentication The client is expected to send data first in the authentication
exchange. Where the client does not provide an initial response data exchange. Where the client does not provide an initial response data
in its request to initiate the authentication exchange, the server is in its request to initiate the authentication exchange, the server is
to respond to the request with an empty initial challenge and then to respond to the request with an empty initial challenge and then
the client is to provide its initial response. the client is to provide its initial response.
The client sends the initial response containing the channel binding The client sends the initial response containing the channel name,
name, a base64 [RFC4648] encoded channel bindings, and a UTF-8 and a UTF-8 [RFC3629] encoding of the requested authorization
[RFC3629] encoding of the requested authorization identity string. identity string.
The authorization identity is non-empty when the client is requesting The authorization identity is non-empty when the client is requesting
to act as the identity represented by the (non-empty) string. The to act as the identity represented by the (non-empty) string. The
authorization identity is empty when the client is requesting to act authorization identity is empty when the client is requesting to act
as the identity the server associates with the external as the identity the server associates with the external
authentication credentials. authentication credentials.
The syntax of the initial response is specified as a value of the The syntax of the initial response is specified as a value of the
<extern-initial-resp> production detailed below using the Augmented <extern-initial-resp> production detailed below using the Augmented
Backus-Naur Form (ABNF) [RFC4234] notation. Backus-Naur Form (ABNF) [RFC5234] notation.
external-initial-resp = cb-name " " b64-cb-data " " authz-id-string external-initial-resp = cb-name " " authz-id-string
cb-name = 1*( US-ASCII / "." / "-") cb-name = 1*( US-ASCII / "." / "-")
;; Based on RFC 5056: "There is no naming convention for channel ;; Based on RFC 5056: "There is no naming convention for channel
;; bindings: any string composed of US-ASCII alphanumeric ;; bindings: any string composed of US-ASCII alphanumeric
;; characters, period ('.'), and dash ('-') will suffice." ;; characters, period ('.'), and dash ('-') will suffice."
b64-cb-data = *( ALPHA / DIGIT / "+" / "/" / "=" )
;; Base64 encoding of the channel bindings, the format
;; of the decoded data depends on the cb-name.
authz-id-string = *( UTF8-char-no-nul ) authz-id-string = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
;; where the UTF8-2, UTF8-3, and UTF8-4 productions are ;; where the UTF8-2, UTF8-3, and UTF8-4 productions are
;; as defined in RFC 3629. ;; as defined in RFC 3629.
UTF8-1-no-nul = %x01-7F UTF8-1-no-nul = %x01-7F
There are no additional challenges and responses. There are no additional challenges and responses.
Hence, the server is to return the outcome of the authentication Hence, the server is to return the outcome of the authentication
exchange. exchange.
The exchange fails if The exchange fails if
- the cb-name denote an (to the server implementation) unknown or - the cb-name denote an (to the server implementation) unknown or
end-point channel binding type, end-point channel binding type,
- the client has not established its credentials via the indicated - the client has not established its credentials via the indicated
external channel, external channel,
- the channel bindings data does not match,
- the client's credentials are inadequate, - the client's credentials are inadequate,
- the client provided an empty authorization identity string and the - the client provided an empty authorization identity string and the
server is unwilling or unable to associate an authorization identity server is unwilling or unable to associate an authorization identity
with the client's credentials, with the client's credentials,
- the client provided a non-empty authorization identity string that - the client provided a non-empty authorization identity string that
is invalid per the syntax requirements of the applicable application is invalid per the syntax requirements of the applicable application
protocol specification, protocol specification,
skipping to change at page 5, line 44 skipping to change at page 6, line 30
3. Examples 3. Examples
This section provides examples of EXTERNAL-CHANNEL authentication This section provides examples of EXTERNAL-CHANNEL authentication
exchanges. The examples are intended to help the readers understand exchanges. The examples are intended to help the readers understand
the above text. The examples are not definitive. The Application the above text. The examples are not definitive. The Application
Configuration Access Protocol (ACAP) [RFC2244] is used in the Configuration Access Protocol (ACAP) [RFC2244] is used in the
examples because ACAP sends the SASL tokens without additional examples because ACAP sends the SASL tokens without additional
encoding. encoding.
The first example shows use of EXTERNAL-CHANNEL with an empty The first example shows use of EXTERNAL-CHANNEL with an empty
authorization identity bound to an external "tls-unique" channel. In authorization identity and an external "tls-unique" channel. In this
this example, the initial response is not sent in the client's example, the initial response is not sent in the client's request to
request to initiate the authentication exchange. initiate the authentication exchange.
S: * ACAP (SASL "DIGEST-MD5") S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now" S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer> <TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL") S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL")
C: a002 AUTHENTICATE "EXTERNAL-CHANNEL" C: a002 AUTHENTICATE "EXTERNAL-CHANNEL"
S: + "tls-unique rvOng1J3oo2oMQBc " S: + "tls-unique "
C: + "" C: + ""
S: a002 OK "Authenticated" S: a002 OK "Authenticated"
Note how the string ends with a " ", it needs to be present even if Note how the string ends with a " ", it needs to be present even if
the authorization identity is empty. the authorization identity is empty.
The second example shows use of EXTERNAL-CHANNEL with an The second example shows use of EXTERNAL-CHANNEL with an
authorization identity of "simon" bound to an external "tls-unique" authorization identity of "simon" bound to an external "tls-unique"
channel. In this example, the initial response is sent with the channel. In this example, the initial response is sent with the
client's request to initiate the authentication exchange. This saves client's request to initiate the authentication exchange. This saves
a round-trip. a round-trip.
S: * ACAP (SASL "DIGEST-MD5") S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now" S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer> <TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL") S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL")
C: a002 AUTHENTICATE "EXTERNAL-CHANNEL" {31+} C: a002 AUTHENTICATE "EXTERNAL-CHANNEL" {16+}
C: tls-unique CI4WoQGSd7FdWPrw simon C: tls-unique simon
S: a002 NO "Cannot assume requested authorization identity" S: a002 NO "Cannot assume requested authorization identity"
Note how the server rejects the authentication attempt with an Note how the server rejects the authentication attempt with an
authorization-related error message. Presumably the client authorization-related error message. Presumably the client
credentials presented in the TLS session does not give the client credentials presented in the TLS session does not give the client
authority to assume the identity of "simon". authority to assume the identity of "simon".
4. Making Authorization Decisions 4. Making Authorization Decisions
The server may use any mechanism to make authorization decisions. The server may use any mechanism to make authorization decisions.
skipping to change at page 8, line 8 skipping to change at page 8, line 37
6. Security Considerations 6. Security Considerations
The EXTERNAL-CHANNEL mechanism does not authenticate users itself, it The EXTERNAL-CHANNEL mechanism does not authenticate users itself, it
relies on implementation to perform the authentication as part of the relies on implementation to perform the authentication as part of the
external channel. Care must be taken to ensure that the client external channel. Care must be taken to ensure that the client
credential has been authenticated, rather than just blindly accepted credential has been authenticated, rather than just blindly accepted
as part of a leap-of-faith setup. as part of a leap-of-faith setup.
The security of external channel is critical to the security of this The security of external channel is critical to the security of this
mechanism. The connection between the authentication and the mechanism. The connection between the authentication and the
external channel is made via a channel binding, thus the security external channel is made by sending the name of the channel, so the
considerations related to channel bindings are also critical, see security considerations related to channel bindings are also
[RFC5056]. relevant, see [RFC5056].
We claim that by appropriately using a channel binding an application
can protect itself from the attacks in [MITM]. To guarantee this
property, the derived data is only to be used for the intended
purpose.
7. Acknowledgements 7. Acknowledgements
The EXTERNAL-CHANNEL mechanism, and significant amount of text in The EXTERNAL-CHANNEL mechanism, and significant amount of text in
this document, is based on the EXTERNAL mechanism in Appendix A of this document, is based on the EXTERNAL mechanism in Appendix A of
SASL [RFC4422]. SASL [RFC4422].
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007. Channels", RFC 5056, November 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
8.2. Informative References 8.2. Informative References
[RFC2244] Newman, C. and J. Myers, "ACAP -- Application [RFC2244] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997. Configuration Access Protocol", RFC 2244, November 1997.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin,
"Using the Secure Remote Password (SRP) Protocol for TLS "Using the Secure Remote Password (SRP) Protocol for TLS
Authentication", RFC 5054, November 2007. Authentication", RFC 5054, November 2007.
[RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport
Layer Security (TLS) Authentication", RFC 5081, Layer Security (TLS) Authentication", RFC 5081,
November 2007. November 2007.
[MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
in Tunneled Authentication",
WWW http://www.saunalahti.fi/~asokan/research/mitm.html.
Author's Address Author's Address
Simon Josefsson Simon Josefsson
SJD SJD AB
Email: simon@josefsson.org Email: simon@josefsson.org
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
 End of changes. 32 change blocks. 
79 lines changed or deleted 71 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/