World Library  
Flag as Inappropriate
Email this Article

Simple Authentication and Security Layer


Simple Authentication and Security Layer

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL. In 1997, John Gardiner Myers wrote the original SASL specification (RFC 2222) while at Carnegie Mellon University. In 2006 that document was made obsolete by RFC 4422.

SASL is an IETF Standard Track protocol and is, as of 2010, a Proposed Standard.


  • SASL mechanisms 1
  • SASL-aware application protocols 2
  • See also 3
  • References 4
  • External links 5

SASL mechanisms

A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms[1] include:

  • "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS)
  • "ANONYMOUS", for unauthenticated guest access
  • "PLAIN", a simple cleartext password mechanism.
  • "OTP", a one-time password mechanism. OTP obsoleted the SKEY Mechanism.
  • "SKEY", an S/KEY mechanism.
  • "CRAM-MD5", a simple challenge-response scheme based on HMAC-MD5.
  • "DIGEST-MD5" (historic[2]), partially HTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offered a data security layer.
  • "SCRAM" (RFC 5802), modern challenge-response scheme based mechanism with channel binding support
  • "NTLM", an NT LAN Manager authentication mechanism
  • "GSSAPI", for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data-security layer.
  • "BROWSERID-AES128", for Mozilla Persona authentication[3]
  • "EAP-AES128", for GSS EAP authentication[4]
  • GateKeeper (& GateKeeperPassport), a challenge-response mechanism developed by Microsoft for MSN Chat

The GS2 family of mechanisms supports arbitrary GSS-API mechanisms in SASL.[5] It is now standardized as RFC 5801.

SASL-aware application protocols

Application protocols define their representation of SASL exchanges with a profile. A protocol has a service name such as "ldap" in a registry shared with GSSAPI and Kerberos.[6]

As of 2012 protocols currently supporting SASL include:

See also


  1. ^
  2. ^ RFC 6331
  3. ^
  4. ^
  5. ^
  6. ^
  7. ^

External links

  • RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletes RFC 2222
  • RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletes RFC 2245
  • The IETF SASL Working Group, chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
  • Cyrus SASL, a free and portable SASL library providing generic security for various applications[1]
  • GNU SASL, a free and portable SASL command-line utility and library, distributed under the GNU GPLv3 and LGPLv2.1, respectively
  • Dovecot SASL, an SASL implementation
  • RFC 2831 (historic) - Using Digest Authentication as a SASL Mechanism, obsoleted in RFC 6331
  • Java SASL API Programming and Deployment Guide
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.