Simple Authentication and Security Layer (SASL) is a framework for Authentication and data security in Internet protocols. SASL allows authentication mechanisms to be decoupled from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL.

Authentication mechanisms may also support proxy authorization, a facility allowing one user to assume the identity of another. They may also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer.

The original SASL specification RFC 2222 while at Carnegie Mellon University. In 2006 that document was made obsolete by RFC 4422, but a number of specific SASL mechanisms are described in other specifications. [2]

As SASL Mechanisms are External to the Protocol, they maybe referred to as EXTERNAL SASL Mechanism even though the SASL Mechanism may reside on and be done on by the same server.

Generic Operation [1]#

The basic operation of SASL is straightforward. The server provides a list of supported authentication mechanisms, and then the client determines which of the supported authentication mechanisms will be used (based on the client’s capabilities and security requirements.

Protocols that contain SASL support include:

  • LDAP (Internet Standard Lightweight Directory Access Protocol)
  • SMTP (Internet Standard Simple Message Transfer Protocol)
  • POP3 (Internet Standard Post Office Protocol v3)
  • IMAP (Internet Standard Internet Mail Access Protocol)
  • XMPP: Extensible Messaging and Presence Protocol
  • Isode's SOM (Switch Operations and Management) Protocol

To be used with SASL, a new authentication mechanism needs to be registered, and any authentication mechanism specific capabilities need to be agreed upon.

Some selected SASL authentication mechanisms are listed below:

MechanismStandardizationWhat it Does
CRAM-MD5RFC 2195Use MD5 hash for client authentication
DIGEST-MD5RFC 2831Adds server authentication and confidentiality to CRAM-MD5
GSSAPIRFC 4752For supporting Kerberos authentication
EXTERNALRFC 4422For use with SSL/TLS and X.509 Digital Signatures
PLAINRFC 4616Clear text password
LOGINde factoAlternative to PLAIN
NTLMMicrosoft PropriatarySimilar to CRAM-MD5
SCRAM-SHA-1RFC 5802Salted Challenge Response Mechanism, a new standard


For LDAP, common EXTERNAL SASL Mechanisms include:
  • ANONYMOUS -- This mechanism doesn't actually authenticate users to the server, but can be used to destroy a previous authentication session.
  • CRAM-MD5 -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself. It is similar to, but weaker than, the DIGEST-MD5 SASL mechanism, and doesn't provide any way for ensuring connection integrity or confidentiality.
  • DIGEST-MD5 -- This mechanism provides a way for users to authenticate to the server using a password in a manner that does not expose the password itself. It is similar to, but stronger than, the CRAM-MD5 SASL mechanism, and also provides a way to ensure connection integrity and/or confidentiality.
  • GSSAPI -- This mechanism provides a way for users to authenticate to the server using a Kerberos V5 session. It also provides a mechanism that can be used to ensure connection integrity and/or confidentiality.
  • PLAIN -- This mechanism provides a way for users to authenticate to the server with a username and password. It is similar to the protection offered by Simple Authentication, but may be more convenient in that users can identify themselves with a username rather than a DN.
  • NMAS_LOGIN -- Novell Modular Authentication Service (NMAS) is a development framework that allows you to write applications that authenticate to the network using various login and authentication methods. The NMAS framework allows you to design a flexible and expandable login and authentication system using modular plug-in methods that leverage Novell International Cryptographic Infrastructure (NICI) and Novell Directory Services (eDirectory®).
  • GSS-SPNEGO - aka SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms.

More Information#

There might be more information for this subject on one of the following:
[#1] Adapted from http://www.isode.com/products/sasl.html retrieved 2012-09-28 [#2] Adapted from http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer retrieved 2012-09-28

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-5) was last changed on 2012-09-28 05:53 by jim