Password-based Authentication Protocol

From the abstract:

There is a lack of a simple, standardized, secure and modern password-based mechanism for user authentication in application protocols. This document specifies a challenge/response protocol that provides password-based authentication services. We describe how the protocol may be used as a GSS-API mechanism and, using the GS2 framework, how it may be used as a SASL mechanism. The protocol supports HMAC-SHA-256 as the mandatory-to-implement algorithm, and it supports channel bindings. The intended use is by application protocols that today use CRAM-MD5 or DIGEST-MD5 via SASL, or by GSS-API applications that need a password-based method. The protocol is applicable to other environments, such as EAP, should the need arise.


Mailing list

Discussion and improvement of the protocol should take place on the password-auth mailing list. You can reach the mailing list via , although you will have to subscribe to the list in order to post. The mailing list has public archives.


IPR Policy

If you contribute text to the document, you will need to agree to the IETF rules. The text is intended to be usable in free software, which the IETF rules alone do not permit, so you must also agree to license your contribution under the MIT License and agree to the following text, which is included in the document:

   Regarding this entire document or any portion of it (including the
   pseudocode and C code), the author makes no guarantees and is not
   responsible for any damage resulting from its use.  The author grants
   irrevocable permission to anyone to use, modify, and distribute it in
   any way that does not diminish the rights of anyone else to use,
   modify, and distribute it, provided that redistributed derivative
   works do not contain misleading author or version information.
   Derivative works need not be licensed under similar terms.


