draft-josefsson-sasl-external-channel-01.txt   draft-josefsson-sasl-external-channel-02.txt 
Network Working Group S. Josefsson Network Working Group S. Josefsson
Internet-Draft SJD AB Internet-Draft SJD AB
Intended status: Standards Track April 14, 2009 Intended status: Standards Track April 14, 2009
Expires: October 16, 2009 Expires: October 16, 2009
SASL Mechanism for External Authentication using a Named Channel: SASL Mechanism Family for External Authentication: EXTERNAL-*
EXTERNAL-CHANNEL draft-josefsson-sasl-external-channel-02
draft-josefsson-sasl-external-channel-01
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 2, line 13 skipping to change at page 2, line 11
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. and restrictions with respect to this document.
Abstract Abstract
This document describes a way to perform end-user authentication in This document describes a way to perform client authentication in the
the Simple Authentication and Security Layer (SASL) framework by re- Simple Authentication and Security Layer (SASL) framework by
using an external security layer (such as the Transport Layer referring to the end-user authentication provided by an external
Security (TLS) protocol) that may have already completed end-user security layer. We specify a SASL mechanism family EXTERNAL-* and
authentication. In comparison with the existing EXTERNAL mechanism, one instance EXTERNAL-TLS that rely on the Transport Layer Security
this mechanism alleviates the a priori assumptions made by the design (TLS) protocol. This mechanism differs to the existing EXTERNAL
of the EXTERNAL mechanism. This mechanism transfers an identifier of mechanism by alleviating the a priori assumptions that servers and
the external channel to be used explicitly. clients needs somehow negotiate out of band which secure channel that
is intended. This document also discuss the implementation of
authorization decisions.
See <http://josefsson.org/external-channel/> for more information. See <http://josefsson.org/external-channel/> for more information.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Technical Specification . . . . . . . . . . . . . . . . . . . . 4 2. Specification of EXTERNAL-* Mechanism Family . . . . . . . . . 4
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Specification of EXTERNAL-TLS Mechanism . . . . . . . . . . . . 6
4. Making Authorization Decisions . . . . . . . . . . . . . . . . 7 4. Making Authorization Decisions . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9
9.2. Informative References . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a The EXTERNAL mechanism, described in Appendix A of [RFC4422] allows a
client to request the server to use credentials established by means client to request the server to use credentials established by means
external to the mechanism to authenticate the client. The external external to the mechanism to authenticate the client. The external
means may be, for instance, TLS [RFC5246] or IP Security [RFC4301] means may be, for instance, TLS [RFC5246] or IP Security [RFC4301]
services. services.
The EXTERNAL mechanism requires some a prior agreement between the The EXTERNAL mechanism requires some a prior agreement between the
client and the server regarding which external channel, and client and the server regarding which external channel, and
consequently which external credentials, should be used for consequently which external credentials, should be used for
authentication. In practice this has often meant that the EXTERNAL authentication. In practice this has often meant that the EXTERNAL
mechanism is only used when there is tight out of band interaction mechanism is only used when there is tight out of band interaction
between the server administration and client user. This has impacted between the server administration and client user. This has impacted
the interoperability of the EXTERNAL mechanism. the interoperability of the EXTERNAL mechanism.
The EXTERNAL-CHANNEL mechanism, specified in this document, is The EXTERNAL-* mechanism family, specified in this document, is
similar to the EXTERNAL mechanism in that it relies on an external similar to the EXTERNAL mechanism in that it relies on an external
channel to perform the user authentication. However, EXTERNAL- channel to perform the user authentication. However, EXTERNAL-*
CHANNEL provides a way for the client to provide an identifier of the provides a way for the client to provide an identifier of the
external channel that provides the user credentials. The intention external channel that is intended to provide the user credentials.
is that the server need not rely on a priori arrangement to identify The intention is that the server need not rely on a priori
the secure channel that was used, but can automatically find the arrangement to identify the secure channel that was used, but can
intended channel and re-use its credentials for the SASL automatically find the intended channel and re-use its credentials
authentication. for the SASL authentication. Further, upon successful
authentication, the client knows that the server used credentials
from the indicated security channel.
In the EXTERNAL-CHANNEL mechanism, the external channel is identified In the EXTERNAL-* mechanism family, the external channel is
using the "Channel binding unique prefix" string as defined in identified through the SASL mechanism name.
[RFC5056].
2. Technical Specification 2. Specification of EXTERNAL-* Mechanism Family
The name of this mechanism is "EXTERNAL-CHANNEL". The name of the mechanism family is "EXTERNAL-".
The mechanism does not provide a security layer. It provides similar The mechanism family does not provide a security layer. It provides
functionality by relying on an external channel. similar functionality by relying on an external channel.
The mechanism is capable of transferring a channel name and an The mechanism is capable of transferring an authorization identity
authorization identity string. If the authorization identity string string. If the authorization identity string is empty, the client is
is empty, the client is requesting to act as the identity the server requesting to act as the identity the server has associated with the
has associated with the client's credentials. If the authorization client's credentials. If the authorization identity string is non-
identity string is non-empty, the client is requesting to act as the empty, the client is requesting to act as the identity represented by
identity represented by the string. The channel name cannot be the string.
empty.
The client is expected to send data first in the authentication The client is expected to send data first in the authentication
exchange. Where the client does not provide an initial response data exchange. Where the client does not provide an initial response data
in its request to initiate the authentication exchange, the server is in its request to initiate the authentication exchange, the server is
to respond to the request with an empty initial challenge and then to respond to the request with an empty initial challenge and then
the client is to provide its initial response. the client is to provide its initial response.
The client sends the initial response containing the channel name, The client sends the initial response containing a UTF-8 [RFC3629]
and a UTF-8 [RFC3629] encoding of the requested authorization encoding of the requested authorization identity string.
identity string.
The authorization identity is non-empty when the client is requesting The authorization identity is non-empty when the client is requesting
to act as the identity represented by the (non-empty) string. The to act as the identity represented by the (non-empty) string. The
authorization identity is empty when the client is requesting to act authorization identity is empty when the client is requesting to act
as the identity the server associates with the external as the identity the server associates with the external
authentication credentials. authentication credentials.
The syntax of the initial response is specified as a value of the The syntax of the initial response is specified as a value of the
<extern-initial-resp> production detailed below using the Augmented <extern-initial-resp> production detailed below using the Augmented
Backus-Naur Form (ABNF) [RFC5234] notation. Backus-Naur Form (ABNF) [RFC5234] notation.
external-initial-resp = cb-name " " authz-id-string external-initial-resp = authz-id-string
cb-name = 1*( US-ASCII / "." / "-")
;; Based on RFC 5056: "There is no naming convention for channel
;; bindings: any string composed of US-ASCII alphanumeric
;; characters, period ('.'), and dash ('-') will suffice."
authz-id-string = *( UTF8-char-no-nul ) authz-id-string = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
;; where the UTF8-2, UTF8-3, and UTF8-4 productions are ;; where the UTF8-2, UTF8-3, and UTF8-4 productions are
;; as defined in RFC 3629. ;; as defined in RFC 3629.
UTF8-1-no-nul = %x01-7F UTF8-1-no-nul = %x01-7F
There are no additional challenges and responses. There are no additional challenges and responses.
Hence, the server is to return the outcome of the authentication Hence, the server is to return the outcome of the authentication
exchange. exchange.
The exchange fails if The external security channel to use is implied by the SASL mechanism
name.
- the cb-name denote an (to the server implementation) unknown or The exchange fails if
end-point channel binding type,
- the client has not established its credentials via the indicated - the client has not established its credentials via the indicated
external channel, external channel,
- the client's credentials are inadequate, - the client's credentials are inadequate,
- the client provided an empty authorization identity string and the - the client provided an empty authorization identity string and the
server is unwilling or unable to associate an authorization identity server is unwilling or unable to associate an authorization identity
with the client's credentials, with the client's credentials,
skipping to change at page 6, line 10 skipping to change at page 6, line 4
- the client's credentials are inadequate, - the client's credentials are inadequate,
- the client provided an empty authorization identity string and the - the client provided an empty authorization identity string and the
server is unwilling or unable to associate an authorization identity server is unwilling or unable to associate an authorization identity
with the client's credentials, with the client's credentials,
- the client provided a non-empty authorization identity string that - the client provided a non-empty authorization identity string that
is invalid per the syntax requirements of the applicable application is invalid per the syntax requirements of the applicable application
protocol specification, protocol specification,
- the client provided a non-empty authorization identity string - the client provided a non-empty authorization identity string
representing an identity that the client is not allowed to act as, or representing an identity that the client is not allowed to act as, or
- the server is unwilling or unable to provide service to the client - the server is unwilling or unable to provide service to the client
for any other reason. for any other reason.
Otherwise the exchange is successful. When indicating a successful Otherwise the exchange is successful. When indicating a successful
outcome, additional data is not provided. outcome, additional data is not provided.
3. Examples 3. Specification of EXTERNAL-TLS Mechanism
This section provides examples of EXTERNAL-CHANNEL authentication
exchanges. The examples are intended to help the readers understand
the above text. The examples are not definitive. The Application
Configuration Access Protocol (ACAP) [RFC2244] is used in the
examples because ACAP sends the SASL tokens without additional
encoding.
The first example shows use of EXTERNAL-CHANNEL with an empty
authorization identity and an external "tls-unique" channel. In this
example, the initial response is not sent in the client's request to
initiate the authentication exchange.
S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL")
C: a002 AUTHENTICATE "EXTERNAL-CHANNEL"
S: + "tls-unique "
C: + ""
S: a002 OK "Authenticated"
Note how the string ends with a " ", it needs to be present even if
the authorization identity is empty.
The second example shows use of EXTERNAL-CHANNEL with an
authorization identity of "simon" bound to an external "tls-unique"
channel. In this example, the initial response is sent with the
client's request to initiate the authentication exchange. This saves
a round-trip.
S: * ACAP (SASL "DIGEST-MD5") The EXTERNAL-TLS mechanism uses client credentials established by the
C: a001 STARTTLS outer TLS [RFC5246] channel. Only the inner-most TLS channel is
S: a001 OK "Begin TLS negotiation now" intended. For example, if an application opens up a TLS channel and
<TLS negotiation, further commands are under TLS layer> starts SASL negotiation, and if that communication happens to be sent
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL-CHANNEL") over a TLS-based VPN, the credentials for the TLS-based VPN is not
C: a002 AUTHENTICATE "EXTERNAL-CHANNEL" {16+} considered.
C: tls-unique simon
S: a002 NO "Cannot assume requested authorization identity"
Note how the server rejects the authentication attempt with an The server MUST NOT advertise the EXTERNAL-TLS mechanism if the
authorization-related error message. Presumably the client client did not provided any supported form of client-side
credentials presented in the TLS session does not give the client authentication in the TLS channel, e.g., X.509 client certificate,
authority to assume the identity of "simon". OpenPGP client key [RFC5081], or SRP [RFC5054]. The client MUST only
request the EXTERNAL-TLS if it wishes to re-use the TLS client
credentials for the SASL application.
4. Making Authorization Decisions 4. Making Authorization Decisions
The server may use any mechanism to make authorization decisions. The server may use any mechanism to make authorization decisions.
For illustration, we want to give some ideas on how this may work in For illustration, we want to give some ideas on how this may work in
practice. This section is not normative. practice. This section is not normative.
Typically the external channel will not use authentication identities Typically external channels will not use authentication identities
that can be used by the application protocol that uses the SASL that can be used by the application protocol that uses an instance of
EXTERNAL-CHANNEL mechanism. Thus, a mapping is normally required. the SASL EXTERNAL-* mechanism. Thus, a mapping is normally required.
There may be mappings from the external credential to a set of There may be mappings from the external credential to a set of
permitted identifiers, and a "default" identifier can be provided in permitted identifiers, and a "default" identifier can be provided in
the mapping table if the client do not specify a particular the mapping table if the client do not specify a particular
authorization identity. authorization identity.
For example, when mapping from X.509 credentials used in TLS For example, when mapping from X.509 credentials used in TLS
connections to simple usernames, a table stored on the server can connections to simple usernames, a table stored on the server can
contain hex-encoded hashes of client X.509 certificates and a set of contain hex-encoded hashes of client X.509 certificates and a set of
usernames. usernames.
skipping to change at page 8, line 13 skipping to change at page 7, line 22
set of permitted usernames, such as the following table. set of permitted usernames, such as the following table.
0424D4EE81A0E3D119C6F835EDA21E94B565716F simon jas admin 0424D4EE81A0E3D119C6F835EDA21E94B565716F simon jas admin
A4D94E92B0986AB5EE9DCD755DE249965B0358A2 werner A4D94E92B0986AB5EE9DCD755DE249965B0358A2 werner
90A79E2FC6F4AAB5B604974FE15DD857B15C37D1 nikos 90A79E2FC6F4AAB5B604974FE15DD857B15C37D1 nikos
When SRP authentication with TLS [RFC5054] is used, the username When SRP authentication with TLS [RFC5054] is used, the username
provided may be the same as the application username, and no mapping provided may be the same as the application username, and no mapping
would be necessary. would be necessary.
5. IANA Considerations 5. Examples
This section provides examples of EXTERNAL-TLS authentication
exchanges. The examples are intended to help the readers understand
the above text. The examples are not definitive. The Application
Configuration Access Protocol (ACAP) [RFC2244] is used in the
examples because ACAP sends the SASL tokens without additional
encoding.
The first example shows use of EXTERNAL-TLS with an empty
authorization identity. In this example, the initial response is not
sent in the client's request to initiate the authentication exchange.
S: * ACAP (SASL "GSSAPI")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "GSSAPI" "PLAIN" "EXTERNAL-TLS")
C: a002 AUTHENTICATE "EXTERNAL-TLS"
S: + ""
C: + ""
S: a002 OK "Authenticated"
The second example shows use of EXTERNAL-TLS with an authorization
identity of "simon". In this example, the initial response is sent
with the client's request to initiate the authentication exchange.
This saves a round-trip.
S: * ACAP (SASL "GSSAPI")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "GSSAPI" "PLAIN" "EXTERNAL-TLS")
C: a002 AUTHENTICATE "EXTERNAL-TLS" {5+}
C: simon
S: a002 NO "Cannot assume requested authorization identity"
Note how the server rejects the authentication attempt with an
authorization-related error message. Presumably the client
credentials presented in the TLS session does not give the client
authority to assume the identity of "simon".
6. IANA Considerations
The IANA is request to add to the SASL mechanisms registry the The IANA is request to add to the SASL mechanisms registry the
following entry. following entry.
Subject: Registration of SASL mechanism EXTERNAL-CHANNEL Subject: Registration of SASL mechanism family EXTERNAL-*
SASL mechanism name (or prefix for the family): EXTERNAL-CHANNEL SASL family name (or prefix for the family): EXTERNAL-
Security considerations: See security considerations in RFC XXXX. Security considerations: [THIS-DOC]
Published specification (recommended): RFC XXXX. Published specification (recommended): [THIS-DOC]
Person & email address to contact for further information: Person & email address to contact for further information:
Simon Josefsson <simon@josefsson.org> Simon Josefsson <simon@josefsson.org>
Intended usage: COMMON Intended usage: COMMON
Owner/Change controller: Simon Josefsson <simon@josefsson.org> Owner/Change controller: Simon Josefsson <simon@josefsson.org>
6. Security Considerations 7. Security Considerations
The EXTERNAL-CHANNEL mechanism does not authenticate users itself, it The security of external channel is critical to the security of this
relies on implementation to perform the authentication as part of the mechanism. It is important that the client authentication that
external channel. Care must be taken to ensure that the client occurs in the outer security channel is cryptographically bound to
the confidentiality or integrity services that protects the security
channel.
The EXTERNAL-* mechanism family does not authenticate users itself,
it relies on implementation to perform the authentication as part of
the external channel. Care must be taken to ensure that the client
credential has been authenticated, rather than just blindly accepted credential has been authenticated, rather than just blindly accepted
as part of a leap-of-faith setup. as part of a leap-of-faith setup.
The security of external channel is critical to the security of this 8. Acknowledgements
mechanism. The connection between the authentication and the
external channel is made by sending the name of the channel, so the
security considerations related to channel bindings are also
relevant, see [RFC5056].
7. Acknowledgements
The EXTERNAL-CHANNEL mechanism, and significant amount of text in The EXTERNAL-* mechanism family, and significant amount of text in
this document, is based on the EXTERNAL mechanism in Appendix A of this document, is based on the EXTERNAL mechanism in Appendix A of
SASL [RFC4422]. SASL [RFC4422].
8. References 9. References
8.1. Normative References 9.1. Normative References
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
Security Layer (SASL)", RFC 4422, June 2006. Security Layer (SASL)", RFC 4422, June 2006.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
8.2. Informative References 9.2. Informative References
[RFC2244] Newman, C. and J. Myers, "ACAP -- Application [RFC2244] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997. Configuration Access Protocol", RFC 2244, November 1997.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 End of changes. 29 change blocks. 
125 lines changed or deleted 128 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/