7 INTERNET-DRAFT A. Melnikov (Ed.)
8 Obsoletes: RFC 2831 (if approved) Isode Ltd.
9 Intended status: Standards track March 2007
10 Expires: September 2007
12 Using Digest Authentication as a SASL Mechanism
13 draft-ietf-sasl-rfc2831bis-12.txt
17 By submitting this Internet-Draft, each author represents that any
18 applicable patent or other IPR claims of which he or she is aware
19 have been or will be disclosed, and any of which he or she becomes
20 aware will be disclosed, in accordance with Section 6 of BCP 79.
22 Internet-Drafts are working documents of the Internet
23 Engineering Task Force (IETF), its areas, and its
24 working groups. Note that other groups may also distribute
25 working documents as Internet-Drafts.
27 Internet-Drafts are draft documents valid for a maximum of
28 six months and may be updated, replaced, or obsoleted by
29 other documents at any time. It is inappropriate to use
30 Internet-Drafts as reference material or to cite them other
31 than as "work in progress."
33 The list of current Internet-Drafts can be accessed at
34 http://www.ietf.org/1id-abstracts.html
36 The list of Internet-Draft Shadow Directories can be accessed at
37 http://www.ietf.org/shadow.html
41 Copyright (C) The IETF Trust (2007).
45 This specification defines how HTTP Digest Authentication (RFC 2617)
46 can be used as a Simple Authentication and Security Layer (SASL, RFC
47 4422) mechanism for any protocol that has a SASL profile. It is
48 intended both as an improvement over CRAM-MD5 (RFC 2195) and as a
49 convenient way to support a single authentication mechanism for web,
50 mail, LDAP, and other protocols.
58 Melnikov (Ed.) Expires: September 2007 [Page 1]
64 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
69 1 INTRODUCTION.....................................................3
70 1.1 CONVENTIONS AND NOTATION......................................3
71 1.2 CHANNEL BINDINGS..............................................4
72 2 AUTHENTICATION...................................................5
73 2.1 INITIAL AUTHENTICATION........................................5
74 2.1.1 Step One...................................................5
75 2.1.2 Step Two...................................................9
76 2.1.3 Step Three................................................16
77 2.2 SUBSEQUENT AUTHENTICATION....................................17
78 2.2.1 Step one..................................................17
79 2.2.2 Step Two..................................................17
80 2.3 INTEGRITY PROTECTION.........................................18
81 2.4 CONFIDENTIALITY PROTECTION...................................18
82 3 SECURITY CONSIDERATIONS.........................................21
83 3.1 AUTHENTICATION OF CLIENTS USING DIGEST AUTHENTICATION........21
84 3.2 COMPARISON OF DIGEST WITH PLAINTEXT PASSWORDS................21
85 3.3 REPLAY ATTACKS...............................................21
86 3.4 ONLINE DICTIONARY ATTACKS....................................22
87 3.5 OFFLINE DICTIONARY ATTACKS...................................22
88 3.6 MAN IN THE MIDDLE............................................22
89 3.7 CHOSEN PLAINTEXT ATTACKS.....................................22
90 3.8 CBC MODE ATTACKS.............................................
91 3.9 SPOOFING BY COUNTERFEIT SERVERS..............................23
92 3.10 STORING PASSWORDS...........................................23
93 3.11 MULTIPLE REALMS.............................................24
94 3.12 SUMMARY.....................................................24
95 4 EXAMPLE.........................................................24
96 5 REFERENCES......................................................26
97 5.1 NORMATIVE REFERENCES.........................................26
98 5.2 INFORMATIVE REFERENCES.......................................27
99 6 IANA CONSIDERATIONS.............................................28
100 7 HBNF............................................................29
101 7.1 Enhanced BNF.................................................29
102 7.2 BASIC RULES..................................................31
103 8 SAMPLE CODE.....................................................33
104 9 AUTHORS' ADDRESSES..............................................XX
105 10 ACKNOWLEDGEMENTS..............................................34
106 11 FULL COPYRIGHT STATEMENT.......................................35
107 Appendix A: Changes from 2831.....................................36
108 Appendix B: Open Issues...........................................37
110 <<Page numbers are all wrong, sorry.
111 Section ordering should be changed too>>
118 Melnikov (Ed.) Expires: September 2007 [Page 2]
124 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
129 This specification describes the use of HTTP Digest Access
130 Authentication as a SASL mechanism. The authentication type
131 associated with the Digest SASL mechanism is "DIGEST-MD5".
133 This specification is intended to be upward compatible with the
134 "md5-sess" algorithm of HTTP/1.1 Digest Access Authentication
135 specified in [Digest]. The only difference in the "md5-sess"
136 algorithm is that some directives not needed in a SASL mechanism have
137 had their values defaulted.
139 There is <<one new feature for use as a SASL mechanism>>: integrity
140 and confidentiality protection on application protocol messages after
141 an authentication exchange.
143 Also, compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext
144 attacks, and permits the use of third party authentication servers,
145 mutual authentication, and optimized reauthentication if a client has
146 recently authenticated to a server.
148 1.1 Conventions and Notation
150 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152 document are to be interpreted as described in RFC 2119 [RFC 2119].
154 This specification uses the same EnHanced BNF notation (referred to
155 as HBNF in this document) and lexical conventions as HTTP/1.1
156 specification; see section 7.
158 Let { a, b, ... } be the concatenation of the octet strings a, b, ...
160 Let ** denote the power operation.
162 Let H(s) be the 16 octet MD5 hash [RFC 1321] of the octet string s.
164 Let KD(k, s) be H({k, ":", s}), i.e., the 16 octet hash of the string
165 k, a colon and the string s.
167 Let HEX(n) be the representation of the 16 octet MD5 hash n as a
168 string of 32 hex digits (with alphabetic characters always in lower
169 case, since MD5 is case sensitive).
171 Let HMAC(k, s) be the 16 octet HMAC-MD5 [RFC 2104] of the octet
172 string s using the octet string k as a key.
178 Melnikov (Ed.) Expires: September 2007 [Page 3]
184 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
187 Let unq(X) be the value of the quoted-string X without the
188 surrounding quotes and with all escape characters "\\" removed. For
189 example for the quoted-string "Babylon" the value of unq("Babylon")
190 is Babylon; for the quoted string "ABC\"123\\" the value of
191 unq("ABC\"123\\") is ABC"123\.
193 The value of a quoted string constant as an octet string does not
194 include any terminating nul (0x00) character.
196 Let prep(X) be the value returned by the preparation function (see
197 description of "prep" directive in section 2.1.1).
199 Other terms like "protocol profile" are defined in RFC4422.
204 "Channel binding" is a concept described in [GSS-API] and which
205 refers to the act of cryptographically binding authentication at one
206 network layer to a secure channel at another layer and where the end-
207 points at both layers are the same entities. In the context of the
208 DIGEST-MD5 SASL mechanism this means ensuring that the challenge and
209 response messages include the "channel bindings" of any cryptographic
210 channel (e.g. TLS) over which the DIGEST-MD5 exchange is transported,
211 and that the inputs to the digest function include the same as well.
212 The "channel bindings" of a channel here refer to information which
213 securely identifies one instance of such a channel to both endpoints
214 such that MITM attacks are detectable. For more discussions of
215 channel bindings, and the syntax of the channel binding data for
216 various security protocols, see [CHANNEL-BINDINGS].
218 Channel bindings are herein added to DIGEST-MD5 by overloading the
219 nonce and cnonce fields of the digest-challenge and digest-response
220 messages, respectively. Because these nonces are treated as opaque
221 octet strings in previous versions of this mechanism such overloading
222 is backwards compatible. Because these nonces are used in the
223 construction of the response-value (i.e., as input to the digest
224 function) using these fields for carrying channel bindings data makes
225 the channel binding operation possible without requiring incompatible
226 changes to the message formats. The fact that the odds that older
227 implementations may select random nonces that resemble actual channel
228 bindings data are so low allows new implementations to detect old
229 peers and to decide whether to allow such peers or reject them
230 according to local policy.
238 Melnikov (Ed.) Expires: September 2007 [Page 4]
244 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
249 DIGEST-MD5 can operate in two modes. Initial authentication (section
250 2.1) is usually used when a client authenticates to a server for the
251 first time. If protocol profile supports initial client response
252 (see "Protocol profile requirements" in [SASL]) and the client
253 supports reauthentication and it has successfully authenticated to
254 the server before, the client may be able to use the more efficient
255 fast reauthentication mode as described in section 2.2.
257 The following sections describe these two modes in details.
259 2.1 Initial Authentication
261 If the client has not recently authenticated to the server, then it
262 must perform "initial authentication", as defined in this section. If
263 it has recently authenticated, then a more efficient form is
264 available, defined in the next section.
268 The server starts by sending a challenge. The data encoded in the
269 challenge is formatted according to the rules for the "digest-
270 challenge" defined as follows:
298 Melnikov (Ed.) Expires: September 2007 [Page 5]
304 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
308 1#( realm / nonce / qop-options / stale / server-maxbuf /
309 charset / prep-opts / algorithm / cipher-opts /
312 realm = "realm" "=" realm-value
313 realm-value = quoted-string
314 nonce = "nonce" "=" nonce-value
315 nonce-value = quoted-string
316 ;; contains data described by "nonce-data"
317 qop-options = "qop" "=" DQUOTE qop-list DQUOTE
318 qop-list = 1#qop-value
319 qop-value = "auth" / "auth-int" / "auth-conf" /
321 ;; qop-token is reserved for identifying
322 ;; future extensions to DIGEST-MD5
324 stale = "stale" "=" "true"
325 server-maxbuf = "maxbuf" "=" maxbuf-value
326 maxbuf-value = 1*DIGIT
327 charset = "charset" "=" "utf-8"
328 prep-opts = "prep" "=" DQUOTE prep-mechs DQUOTE
329 prep-mechs = 1#prep-mech
330 prep-mech = "rfc4013"
331 algorithm = "algorithm" "=" "md5-sess"
332 cipher-opts = "cipher" "=" DQUOTE cipher-list DQUOTE
333 cipher-list = 1#cipher-value
334 cipher-value = "rc4-40" / "rc4" / "rc4-56" /
335 "aes-ctr" / cipher-token
336 ;; cipher-token is reserved for
339 auth-param = token "=" ( token / quoted-string )
340 nonce-data = new-nonce-data / obs-nonce-data
341 new-nonce-data = "CB-" channel-type ":" channel-bindings
342 ":" qop-list ":" cipher-list
344 obs-nonce-data = nonce-octets
345 ;; nonce value as defined in RFC 2831.
346 ;; SHOULD be accepted. MUST NOT be
348 <<channel-type = "TLS" / channel-type-ext
349 ;; Should be taken from
350 ;; [CHANNEL-BINDINGS].
351 channel-type-ext = 1*(ALPHA / DIGIT)
352 ;; for future channel bindings>>
353 channel-bindings = 1*TEXTCHAR
354 ;; channel binding data as defined by
358 Melnikov (Ed.) Expires: September 2007 [Page 6]
364 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
368 nonce-octets = 1*TEXTCHAR
370 The meanings of the values of the directives used above are as
374 Mechanistically, a string which enables users to decide which
375 username and password to use, in case they have different ones for
376 different servers. Conceptually, it is the name of a collection
377 of accounts that might include the user's account. This string
378 should contain the name of the host performing the authentication
379 and might additionally indicate the collection of users who might
380 have access. An example might be
381 "registered_users@gotham.news.example.com". Note that the server
382 MAY not advertise (hide) some or all realms it supports.
386 1) "dc=gotham, dc=news, dc=example, dc=com".
388 2) If there are two servers (e.g. server1.example.com and
389 server2.example.com) that share authentication database, they
390 both may advertise "example.com" as the realm.
392 A server implementation that uses a fixed string as the advertised
393 realm is compliant with this specification, however this is not
394 recommended. See also sections 3.10 "Storing passwords" and 3.11
395 "Multiple realms" for discussion.
397 The value of this directive is case-sensitive. This directive is
398 optional; if not present, the client SHOULD solicit it from the
399 user or be able to compute a default; a plausible default might be
400 the realm supplied by the user when they logged in to the client
401 system. Multiple realm directives are allowed, in which case the
402 user or client must choose one as the realm for which to supply
403 username and password.
405 Requirements on UIs: UIs MUST allow users to enter arbitrary user
406 names and realm names. In order to achieve this, UIs MAY present
407 two separate edit boxes. Alternatively, UIs MAY present a single
408 edit box and allow user to enter a special character that
409 separates user name from the realm name. In the latter case, UIs
410 MUST be able to escape the special character and they need to
411 present their escape rules to the user. UIs MUST also present the
412 list of realms advertised by the server.
418 Melnikov (Ed.) Expires: September 2007 [Page 7]
424 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
427 A server-specified string erstwhile intended to add entropy to the
428 challenge. The nonce field may be used to exchange channel
431 This directive is required and MUST appear exactly once; if not
432 present, or if multiple instances are present, the client should
433 abort the authentication exchange.
435 Older implementations typically generate some random or pseudo-
436 random data and base64 [RFC 4648] or hexadecimally encode it.
437 When channel binding is not used the nonce string MUST be
438 different each time a digest-challenge is sent as part of initial
439 authentication. It is RECOMMENDED that the random data contain at
440 least 64 bits of entropy.
442 When channel binding is performed, the nonce must be generated
443 from: the channel type, the bindings to the channel being bound
444 to, copy of the server specified qop-list (*), copy of the server
445 specified list of ciphers or empty string if none were specified
446 and an actual nonce consisting of 64-bits or more of entropy and
447 base64-encoded, and formatted as follows:
449 "CB-" <channel type> ":" <channel bindings> ":" <qop-list> ":"
450 <cipher-list> ":" <nonce octets>
452 See [CHANNEL-BINDINGS] for the syntax of the channel binding data
453 for various security protocols.
455 An actual nonce is included in order to allow for channel bindings
456 to possible future channels with channel bindings data which is
457 not necessarily unique for each instance.
459 When channel bindings are in use, clients MUST reject challenges
460 that contain server nonce values of this form and whose channel
461 bindings do not match those of the actual underlying channel as
462 observed by the client. Also clients MUST reject challenges that
463 contain server nonce values of this form and that contain qop-list
464 and/or cipher-list that don't match the values sent in the
465 qop/cipher directives respectively.
467 (*) - Note that if the server specified multiple "qop" directives,
468 this field MUST be constructed by extracting all qop-list values
469 (in the order they were specified) and inserting "," between them.
470 For example, if the server sent:
471 qop="auth",qop="auth-int" this field must have the value
472 "auth,auth-int" (with no quotes).
478 Melnikov (Ed.) Expires: September 2007 [Page 8]
484 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
487 A quoted string of one or more comma-separated tokens indicating
488 the "quality of protection" values supported by the server. The
489 value "auth" indicates authentication; the value "auth-int"
490 indicates authentication with integrity protection; the value
491 "auth-conf" indicates authentication with integrity protection and
492 encryption. This directive is optional; if not present it
493 defaults to "auth". The client MUST ignore unrecognized options;
494 if the client recognizes no option, it MUST abort the
495 authentication exchange.
497 If this directive is present multiple times the client MUST treat
498 it as if it received a single qop directive containing a comma
499 separated value from all instances. I.e., 'qop="auth",qop="auth-
500 int"' is the same as 'qop="auth,auth-int"'.
503 The "stale" directive is not used in initial authentication. See
504 the next section for its use in subsequent authentications. This
505 directive may appear at most once; if multiple instances are
506 present, the client MUST abort the authentication exchange.
508 server-maxbuf ("maximal ciphertext buffer size")
509 A number indicating the size of the largest buffer (in bytes) the
510 server is able to receive when using "auth-int" or "auth-conf".
511 The value MUST be bigger than 16 and smaller or equal to 16777215
512 (i.e. 2**24-1). If this directive is missing, the default value is
513 65536. This directive may appear at most once; if multiple
514 instances are present, or the value is out of range the client
515 MUST abort the authentication exchange.
517 Let "maximal cleartext buffer size" (or "maximal sender size") be
518 the maximal size of a cleartext buffer that, after being
519 transformed by integrity (section 2.3) or confidentiality (section
520 2.4) protection function, will produce a SASL block of the maxbuf
521 size. As it should be clear from the name, the sender MUST never
522 pass a block of data bigger than the "maximal sender size" through
523 the selected protection function. This will guarantee that the
524 receiver will never get a block bigger than the maxbuf.
527 This directive, if present, specifies that the server supports
528 UTF-8 [UTF-8] encoding for the username, realm and password. If
529 present, the username, realm and password are encoded as UTF-8
530 [UTF-8]. If not present, the username, realm and password used by
531 the client in Step 2 MUST be encoded in ISO 8859-1 [ISO-8859] (of
532 which US-ASCII [USASCII] is a subset). The directive is needed for
533 backwards compatibility with HTTP Digest<<, which only supports
534 ISO 8859-1>>. This directive may appear at most once; if multiple
538 Melnikov (Ed.) Expires: September 2007 [Page 9]
544 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
547 instances are present, the client MUST abort the authentication
550 Note, that this directive doesn't affect authorization id
554 Servers compliant with this specification MUST include this
557 If present, it contains a comma separated list of
558 username/password preparation algorithms supported by the server.
559 That is, if user credentials are stored as one or more "SS" (see
560 section 2.1.2.1) values, then the server signals to the client
561 which username/password preparation algorithms were used when the
562 "SS" value(s) were created. If cleartext user password is stored,
563 the server returns "rfc4013" (see below) as the value of this
566 This document defines only a single value "rfc4013", which means
567 that the server supports "SASLPrep" profile [SASLPrep] of the
568 "stringprep" algorithm [RFC 3454].
570 <<This directive MUST be ignored, unless the "charset" directive
571 is also present and contains the value "utf-8".
573 <<An alternative: if this directive is present and the charset is
574 not, abort authentication exchange.>>
576 <<Another alternative: this directive implies charset=utf-8.
577 However this would mean that an older client (which doesn't
578 recognize the prep-opts directive will think that the server
579 doesn't support UTF-8.>> >>
581 If this directive is missing, the server doesn't support any
582 preparation algorithm, i.e. the server is an RFC 2831 only server.
584 If this directive is present multiple times the client MUST treat
585 it as if it received a single prep-opts directive containing a
586 comma separated value from all instances.
589 This directive is required for backwards compatibility with HTTP
590 Digest, which supports other algorithms. This directive is
591 required and MUST appear exactly once; if not present, or if
592 multiple instances are present, the client SHOULD abort the
593 authentication exchange.
598 Melnikov (Ed.) Expires: September 2007 [Page 10]
604 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
608 A list of ciphers that the server supports. This directive must be
609 present exactly once if "auth-conf" is offered in the
610 "qop-options" directive, in which case the "aes-ctr" cipher is
611 mandatory-to-implement. The client MUST ignore unrecognized
612 ciphers; if the client recognizes no cipher, it MUST behave as if
613 "auth-conf" qop option wasn't provided by the server. If the
614 client recognizes no cipher and the server only advertised "auth-
615 conf" in the qop option, the client MUST abort the authentication
616 exchange. See section 2.4 for more detailed description of the
620 the RC4 cipher with a 128 bit, 40 bit, and 56 bit key,
624 the Advanced Encryption Standard (AES) cipher [AES] in counter
625 (CTR) mode with a 128 bit key. This mode requires an IV that
626 has the same size as the block size.
629 This construct allows for future extensions; it may appear more
630 than once. The client MUST ignore any unrecognized directives.
632 For use as a SASL mechanism, note that the following changes are made
633 to "digest-challenge" from HTTP: the following Digest options (called
634 "directives" in HTTP terminology) are unused (i.e., MUST NOT be sent,
635 and MUST be ignored if received):
640 The size of a "digest-challenge" MUST be less than 2048 bytes.
644 The client validates "digest-challenge" as described in the previous
645 section. In particular, when channel bindings are in use, client MUST
646 reject "digest-challenge" that contain server nonce whose channel
647 bindings do not match those of the actual underlying channel as
648 observed by the client.
650 The client makes note of the "digest-challenge" and then responds
651 with a string formatted and computed according to the rules for a
652 "digest-response" defined as follows:
654 digest-response = 1#( username / realm / nonce / cnonce /
658 Melnikov (Ed.) Expires: September 2007 [Page 11]
664 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
667 nonce-count / qop / digest-uri / response /
668 response-v2 / client-maxbuf / charset / prep /
669 cipher / authzid / auth-param )
671 username = "username" "=" username-value
672 username-value = quoted-string
673 cnonce = "cnonce" "=" cnonce-value
674 cnonce-value = nonce-value
675 nonce-count = "nc" "=" nc-value
677 client-maxbuf = "maxbuf" "=" maxbuf-value
678 qop = "qop" "=" qop-value
679 digest-uri = "digest-uri" "="
680 DQUOTE digest-uri-value DQUOTE
681 digest-uri-value = serv-type "/" host [ "/" serv-name ]
684 prep = "prep" "=" prep-mech
685 response = "response" "=" response-value
686 response-v2 = "response-v2" "=" response-value
687 response-value = 32LHEX
688 LHEX = DIGIT / "a" / "b" /
689 "c" / "d" / "e" / "f"
690 cipher = "cipher" "=" cipher-value
691 authzid = "authzid" "=" authzid-value
692 authzid-value = quoted-string
694 The 'host' non-terminal is defined in [RFC 3986] as
696 host = IP-literal / IPv4address / reg-name
699 The user's name in the specified realm, encoded according to the
700 value of the "charset" directive. This directive is REQUIRED and
701 MUST be present exactly once; otherwise, authentication fails.
703 <<If the "charset" directive is also specified (which means that
704 the username is encoded as UTF-8) and the "prep" directive is not,
705 the server behaves as described in RFC 2831. This mode of
706 operation SHOULD be supported for backward compatibility with RFC
707 2831, however it is not required to be compliant with this
711 The realm containing the user's account, encoded according to the
712 value of the "charset" directive. This directive MUST appear at
713 most once and SHOULD contain one of the realms provided by the
714 server in the "digest-challenge". If the directive is missing,
718 Melnikov (Ed.) Expires: September 2007 [Page 12]
724 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
727 "realm-value" will set to the empty string when computing A1 (see
730 <<If the realm value was provided by the client, if the "charset"
731 directive is also specified (which means that the realm is encoded
732 as UTF-8) and the "prep" directive is not, the server behaves as
733 described in RFC 2831. This mode of operation SHOULD be supported
734 for backward compatibility with RFC 2831, however it is not
735 required to be compliant with this specification.>>
738 The server-specified data string received in the preceding digest-
739 challenge. This directive is required and MUST be present exactly
740 once; otherwise, authentication fails.
743 A client-specified string erstwhile intended to add entropy to the
744 challenge. The cnonce field may be used to exchange channel
747 This directive is required and MUST be present exactly once;
748 otherwise, authentication fails.
750 Older implementations typically generate some random or pseudo-
751 random data and base64 [RFC 4648] or hexadecimally encode it.
752 When channel binding is not used the cnonce string MUST be
753 different each time a digest-challenge is sent as part of initial
754 authentication. It is RECOMMENDED that the random data contain at
755 least 64 bits of entropy.
757 When channel binding is performed, the cnonce must be generated
758 from: the channel type, the bindings to the channel being bound
759 to, copy of the client selected qop, copy of the client selected
760 cipher or cipher="" if none were selected (i.e. for qop=auth or
761 qop=auth-int), and an actual nonce consisting of 64-bits or more
762 of entropy and base64-encoded, and formatted as follows:
764 "CB-" <channel type> ":" <channel bindings> ":" <qop-value> ":"
765 [<cipher-value>] ":" <nonce octets>
767 See [CHANNEL-BINDINGS] for the syntax of the channel binding data
768 for various security protocols.
770 An actual nonce is included in order to allow for channel bindings
771 to possible future channels with channel bindings data which is
772 not necessarily unique for each instance. It is used by both
773 client and server to avoid chosen plaintext attacks, and to
774 provide mutual authentication.
778 Melnikov (Ed.) Expires: September 2007 [Page 13]
784 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
787 When channel bindings are in use, servers MUST reject responses
788 that contain client nonce values of this form and whose channel
789 bindings do not match those of the actual underlying channel as
790 observed by the server. Also servers MUST reject responses that
791 contain client nonce values of this form and that contain qop-list
792 and/or cipher-list that don't match the values sent in the
793 qop/cipher directives respectively.
798 The nc-value is the hexadecimal count of the number of requests
799 (including the current request) that the client has sent with the
800 nonce value in this request. For example, in the first request
801 sent in response to a given nonce value, the client sends
802 "nc=00000001". The purpose of this directive is to allow the
803 server to detect request replays by maintaining its own copy of
804 this count - if the same nc-value is seen twice, then the request
805 is a replay. See the description below of the construction of the
806 response value. This directive is required and MUST be present
807 exactly once; otherwise, or if the value is 0, authentication
811 Indicates what "quality of protection" the client accepted. If
812 present, it may appear exactly once and its value MUST be one of
813 the alternatives in qop-options. If not present, it defaults to
814 "auth". These values affect the computation of the response. Note
815 that this is a single token, not a quoted list of alternatives.
818 Indicates the type of service, such as "http" for web service,
819 "ftp" for FTP service, "smtp" for mail delivery service, etc. The
820 service name as defined in the SASL profile for the protocol see
821 section 4 of [SASL], registered in the IANA registry of "service"
822 elements for the GSSAPI host-based service name form [GSS-API].
825 The DNS host name or IP (IPv4 or IPv6) address for the service
826 requested. The DNS host name must be the fully-qualified
827 canonical name of the host. The DNS host name is the preferred
828 form; see notes on server processing of the digest-uri.
831 Indicates the name of the service if it is replicated. The service
832 is considered to be replicated if the client's service-location
833 process involves resolution using standard DNS lookup operations,
834 and if these operations involve DNS records (such as SRV
838 Melnikov (Ed.) Expires: September 2007 [Page 14]
844 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
847 [RFC-2782], or MX) which resolve one DNS name into a set of other
848 DNS names. In this case, the initial name used by the client is
849 the "serv-name", and the final name is the "host" component. For
850 example, the incoming mail service for "example.com" may be
851 replicated through the use of MX records stored in the DNS, one of
852 which points at an SMTP server called "mail3.example.com"; it's
853 "serv-name" would be "example.com", it's "host" would be
854 "mail3.example.com". If the service is not replicated, or the
855 serv-name is identical to the host, then the serv-name component
859 Indicates the principal name of the service with which the client
860 wishes to connect, formed from the serv-type, host, and serv-name.
861 For example, the FTP service on "ftp.example.com" would have a
862 "digest-uri" value of "ftp/ftp.example.com"; the SMTP server from
863 the example above would have a "digest-uri" value of
864 "SMTP/mail3.example.com/example.com".
866 Servers SHOULD check that the supplied value is correct. This will
867 detect accidental connection to the incorrect server, as well as
868 some redirection attacks. It is also so that clients will be
869 trained to provide values that will work with implementations that
870 use a shared back-end authentication service that can provide
871 server authentication.
873 The serv-type component should match the service being offered.
874 The host component should match one of the host names of the host
875 on which the service is running, or it's IP address. Servers
876 SHOULD NOT normally support the IP address form, because server
877 authentication by IP address is not very useful; they should only
878 do so if the DNS is unavailable or unreliable. The serv-name
879 component should match one of the service's configured service
882 This directive is required and MUST be present exactly once; if
883 multiple instances are present, the server MUST abort the
884 authentication exchange.
886 Note: In the HTTP use of Digest authentication, the digest-uri is
887 the URI (usually a URL) of the resource requested -- hence the
888 name of the directive.
891 A string of 32 hex digits computed as defined below, which proves
892 that the user knows a password. This directive is REQUIRED and
893 MUST be present exactly once; otherwise, authentication fails.
898 Melnikov (Ed.) Expires: September 2007 [Page 15]
904 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
908 A string of 32 hex digits computed as defined below, which proves
909 that the user knows a password. This directive MUST be present at
910 most once; if it is present multiple times, then authentication
911 fails. If during SS calculation (see section 2.1.2.1) preparation
912 of the username and/or the password fails or results in an empty
913 string (*), then the client MUST NOT send this directive. Also, if
914 none of the values in the server's "prep-opts" directive is
915 recognized, then this directive MUST NOT be sent.
917 (*) In this case an interactive client can request a repeated
918 entry of the username and/or the password.
921 A number indicating the size of the largest ciphertext buffer the
922 client is able to receive when using "auth-int" or "auth-conf". If
923 this directive is missing, the default value is 65536. This
924 directive may appear at most once; if multiple instances are
925 present, the server MUST abort the authentication exchange. If the
926 value is less or equal to 16, or bigger than 16777215 (i.e.
927 2**24-1), the server MUST abort the authentication exchange.
929 Upon processing/sending of the client-maxbuf value both the server
930 and the client calculate their "maximal ciphertext buffer size" as
931 the minimum of the server-maxbuf (Step One) and the client-maxbuf
932 (Step Two). The "maximal sender size" can be calculated by
933 subtracting 16 from the calculated "maximal ciphertext buffer
936 When sending a block of data the client/server MUST NOT pass more
937 than the "maximal sender size" bytes of data to the selected
938 protection function (2.3 or 2.4).
941 This directive, if present, specifies that the client has used
942 UTF-8 [UTF-8] encoding for the username, realm and password. If
943 present, the username, realm and password are encoded as UTF-8
944 [UTF-8]. If not present, the username, realm and password MUST be
945 encoded in ISO 8859-1 [ISO-8859] (of which US-ASCII [USASCII] is a
946 subset). The client should send this directive only if the server
947 has indicated that it supports UTF-8 [UTF-8]. The directive is
948 needed for backwards compatibility with HTTP Digest<<, which only
949 supports ISO 8859-1>>.
951 This directive may appear at most once; if multiple instances are
952 present, the server MUST abort the authentication exchange.
954 Note, that this directive doesn't affect the authorization
958 Melnikov (Ed.) Expires: September 2007 [Page 16]
964 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
967 identity ("authzid").
970 This directive, if present, specifies which username/password
971 preparation algorithms has been used by the client when
972 calculating response-v2. This directive MUST contain one of the
973 values specified in the "prep-opts" directive from the digest-
974 challenge, or authentication exchange fails. This document
975 defines only a single possible value "rfc4013", which means
976 support for [SASLPrep]. Future Standard Track or Experimantal
977 documents may define other values for this directive. <<If this
978 directive is missing, then the "response-v2" directive MUST be
981 <<This directive MUST be ignored, unless the "charset" directive
984 <<Alternative: if this directive is present, but the "charset"
985 directive is not, then charset=utf-8 is implied. However this
986 might be bad when dealing with old (2831) servers which don't
987 recognize the "prep" directive.>>
989 This directive may appear at most once; if multiple instances are
990 present, the server MUST abort the authentication exchange.
993 32 hex digits, where the alphabetic characters MUST be lower case,
994 because MD5 is case sensitive.
997 The cipher chosen by the client. This directive MUST appear
998 exactly once if "auth-conf" is negotiated; if required and not
999 present, authentication fails. If the cipher chosen by the client
1000 is not one of the ciphers advertised by the server, authentication
1004 The "authorization ID" (authzid) directive may appear at most
1005 once; if multiple instances are present, the server MUST abort the
1006 authentication exchange. If present, and the authenticating user
1007 has sufficient privilege, and the server supports it, then after
1008 authentication the server will use this identity for making all
1009 accesses and access checks. If the client specifies it, and the
1010 server does not support it, then the response-value calculated on
1011 the server will not match the one calculated on the client and
1012 authentication will fail.
1014 The authorization identifier is always in UTF-8, in particular the
1018 Melnikov (Ed.) Expires: September 2007 [Page 17]
1024 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1027 "charset" directive doesn't affect how this value is encoded.
1029 The authzid MUST NOT be an empty string.
1031 Upon the receipt of this value the server verifies its correctness
1032 according to the used SASL protocol profile.
1034 The size of a digest-response MUST be less than 4096 bytes.
1036 2.1.2.1 Response-value
1038 The definition of "response-value" above indicates the encoding for
1039 its value -- 32 lower case hex characters. The following definitions
1040 show how the value is computed.
1042 Note that the algorithm described below applies to both "response"
1043 and "response-v2" options. The only difference between the two is in
1044 how "SS" value is calculated.
1046 Although qop-value and components of digest-uri-value may be
1047 case-insensitive, the case which the client supplies in step two is
1048 preserved for the purpose of computing and verifying the
1052 HEX( KD ( HEX(H(A1)),
1053 { unq(nonce-value), ":" nc-value, ":",
1054 unq(cnonce-value), ":", qop-value, ":",
1057 If authzid is specified, then A1 is
1059 A1 = { SS, ":", unq(nonce-value), ":",
1060 unq(cnonce-value), ":", unq(authzid-value) }
1062 If authzid is not specified, then A1 is
1064 A1 = { SS, ":", unq(nonce-value), ":", unq(cnonce-value) }
1070 For "response" option, SS is calculated as follows:
1072 SS = H( { unq(username-value), ":",
1073 unq(realm-value), ":", password } )
1078 Melnikov (Ed.) Expires: September 2007 [Page 18]
1084 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1087 For "response-v2" option, SS is calculated as follows:
1089 SS = H( { prep(unq(username-value)), ":",
1090 unq(realm-value)), ":", prep(password) } )
1092 where prep(X) is the preparation function described by the "prep"
1094 <<This assumes that both input and result are in UTF-8>>
1096 <<Note that client/server behavior in absence of the "prep-
1097 opts"/"prep" directive is described in RFC 2831. This behavior SHOULD
1098 be supported for backward compatibility with RFC 2831, however it is
1099 not required for compliance with this specification.>>
1101 If the "qop" directive's value is "auth", then A2 is:
1103 A2 = { "AUTHENTICATE:", digest-uri-value }
1138 Melnikov (Ed.) Expires: September 2007 [Page 19]
1144 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1147 If the "qop" value is "auth-int" or "auth-conf" then A2 is:
1149 A2 = { "AUTHENTICATE:", digest-uri-value,
1150 ":00000000000000000000000000000000" }
1152 Note that "AUTHENTICATE:" must be in upper case, and the second
1153 string constant is a string with a colon followed by 32 zeros.
1155 These apparently strange values of A2 are for compatibility with
1156 HTTP; they were arrived at by setting "Method" to "AUTHENTICATE" and
1157 the hash of the entity body to zero in the HTTP digest calculation of
1160 Also, in the HTTP usage of Digest, several directives in the
1161 "digest-challenge" sent by the server have to be returned by the
1162 client in the "digest-response". These are:
1167 These directives are not needed when Digest is used as a SASL
1168 mechanism (i.e., MUST NOT be sent, and MUST be ignored if received).
1172 The server receives and validates the "digest-response". In
1173 particular, the server verifies that all required directives are
1174 present and they don't appear more times than expected. See section
1177 The server also does the following checks:
1179 1) When channel bindings are in use, server MUST reject "digest-
1180 response" that contain client nonce whose channel bindings do not
1181 match those of the actual underlying channel as observed by the
1184 2) The server checks that the nonce-count is "00000001". If it
1185 supports subsequent authentication (see section 2.2), it saves the
1186 value of the "nonce-octets" part of the nonce and the nonce-count.
1188 3) The server verifies the received "response" and "response-v2"
1189 values. (Note that the "response-v2" might be absent). If either
1190 one of them matches the corresponding value calculated by the server,
1191 then the server can assume that the client proved that it knows its
1194 4) If the client sent the "authzid" directive, the server verifies
1198 Melnikov (Ed.) Expires: September 2007 [Page 20]
1204 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1207 its correctness according to the used SASL protocol profile. If the
1208 "authzid" directive is not present or its correctness is verified,
1209 then the server can consider the client to be successfully
1212 Upon successful client authentication the server sends a message
1213 formatted as follows:
1215 auth-info = 1#( response-auth / response-v2-auth / auth-param )
1217 response-auth = "rspauth" "=" response-value
1218 response-v2-auth = "rspauth-v2" "=" response-value
1220 where response-value is calculated as above (the "rspauth" is
1221 calculated as client's "response" and the "rspauth-v2" is calculated
1222 as client's "response-v2"), using the values sent in step two, except
1223 that if qop is "auth", then A2 is
1225 A2 = { ":", digest-uri-value }
1227 And if qop is "auth-int" or "auth-conf" then A2 is
1229 A2 = { ":", digest-uri-value,
1230 ":00000000000000000000000000000000" }
1232 The server sends one of response-auth, response-v2-auth, depending on
1233 whether it was able to match client's "response" or "response-v2".
1234 Note that only one occurance of the "response-auth"/"response-
1235 v2-auth" is allowed. If more than one is found, the client MUST
1236 treat this as an authentication error.
1238 Compared to its use in HTTP, the following Digest directives in the
1239 "auth-info" are unused:
1246 The size of an auth-info MUST be less than 2048 bytes.
1248 2.2 Subsequent Authentication
1250 If the client has previously authenticated to the server, and
1251 remembers the values of username, realm, nonce, nonce-count, cnonce,
1252 and qop that it used in that authentication, and the SASL profile for
1253 a protocol permits an initial client response, then it MAY perform
1254 "subsequent authentication" (also known as "fast reauthentication"),
1258 Melnikov (Ed.) Expires: September 2007 [Page 21]
1264 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1267 as defined in this section. Note, that a subsequent authentication
1268 can be done on a different connection, or on the same connection, if
1269 the protocol profile also permits multiple authentications.
1273 The client uses the values from the previous authentication and sends
1274 an initial response with a string formatted and computed according to
1275 the rules for a "digest-response", as defined in section 2.1.2, after
1276 applying the following changes:
1278 1) the nonce-count value is one greater than used in the last
1281 2) if nonce/cnonce values contained any channel bindings information,
1283 MUST be replaced with the channel bindings, qop and cipher lists
1285 for the new connection.
1286 In other words, only the "nonce-octets" part of nonce/cnonce
1288 MUST be preserved on reauthentication.
1292 The server receives the "digest-response". If the server does not
1293 support subsequent authentication, then it sends a
1294 "digest-challenge", and authentication proceeds as in initial
1295 authentication. If the server has no saved nonce, cnone and nonce-
1296 count from a previous authentication, then it sends a "digest-
1297 challenge", and authentication proceeds as in initial authentication.
1298 Otherwise, the server validates the "digest-response"; checks that
1299 values of the username, the realm, the qop and nonce-octets part of
1300 the nonce and the cnonce are the same as in the original
1301 authentication attempt; checks that the nonce-count is one greater
1302 than that used in the previous authentication using that nonce, and
1303 saves the new value of nonce-count.
1305 If the response is invalid, then the server sends a
1306 "digest-challenge", and authentication proceeds as in initial
1307 authentication (and should be configurable to log an authentication
1308 failure in some sort of security audit log, since the failure may be
1309 a symptom of an attack). The nonce-count MUST NOT be incremented in
1310 this case: to do so would allow a denial of service attack by sending
1311 an out-of-order nonce-count.
1313 If the response is valid, the server MAY choose to deem that
1314 authentication has succeeded. However, if it has been too long since
1318 Melnikov (Ed.) Expires: September 2007 [Page 22]
1324 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1327 the previous authentication, or for any other reason, the server MAY
1328 send a new "digest-challenge" with a new value for nonce. The
1329 challenge MAY contain a "stale" directive with value "true", which
1330 says that the client may respond to the challenge using the password
1331 it used in the previous response; otherwise, the client must solicit
1332 the password anew from the user. This permits the server to make sure
1333 that the user has presented their password recently. (The directive
1334 name refers to the previous nonce being stale, not to the last use of
1335 the password.) Except for the handling of "stale", after sending the
1336 "digest-challenge" authentication proceeds as in the case of initial
1339 2.3 Integrity Protection
1341 If the server offered "qop=auth-int" and the client responded
1342 "qop=auth-int", then subsequent messages, up to but not including the
1343 next subsequent authentication, between the client and the server
1344 MUST be integrity protected. Using as a base session key the value of
1345 H(A1), as defined above the client and server calculate a pair of
1346 message integrity keys as follows.
1348 The key for integrity protecting messages from client to server is:
1351 "Digest session key to client-to-server signing key magic constant"})
1353 The key for integrity protecting messages from server to client is:
1356 "Digest session key to server-to-client signing key magic constant"})
1358 where MD5 is as specified in [RFC 1321]. If message integrity is
1359 negotiated, a MAC block for each message is appended to the message.
1360 The MAC block is 16 bytes: the first 10 bytes of the HMAC-MD5 [RFC
1361 2104] of the message, a 2-byte message type number in network byte
1362 order with value 1, and the 4-byte sequence number in network byte
1363 order. The message type is to allow for future extensions such as
1366 MAC(Ki, SeqNum, msg) = (HMAC(Ki, {SeqNum, msg})[0..9], 0x0001,
1369 where Ki is Kic for messages sent by the client and Kis for those
1370 sent by the server. The sequence number (SeqNum) is an unsigned
1371 number initialized to zero after initial or subsequent
1372 authentication, and incremented by one for each message
1373 sent/successfully verified. (Note, that there are two independent
1374 counters for sending and receiving.) The sequence number wraps around
1378 Melnikov (Ed.) Expires: September 2007 [Page 23]
1384 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1389 Upon receipt, MAC(Ki, SeqNum, msg) is computed and compared with the
1390 received value; the message is discarded if they differ and as the
1391 result the connection being used MUST be dropped. The receiver's
1392 sequence counter is incremented if they match.
1394 2.4 Confidentiality Protection
1396 If the server sent a "cipher-opts" directive and the client responded
1397 with a "cipher" directive, then subsequent messages between the
1398 client and the server MUST be confidentiality protected. Using as a
1399 base session key the value of H(A1) as defined above the client and
1400 server calculate a pair of message integrity keys as follows.
1402 The key for confidentiality protecting messages from client to server
1405 Kcc = H({H(A1)[0..n-1],
1406 "Digest H(A1) to client-to-server sealing key magic constant"})
1408 The key for confidentiality protecting messages from server to client
1411 Kcs = H({H(A1)[0..n-1],
1412 "Digest H(A1) to server-to-client sealing key magic constant"})
1414 where MD5 is as specified in [RFC 1321]. For cipher "rc4-40" n is 5;
1415 for "rc4-56" n is 7; for the rest n is 16. The key for the "rc4-*"
1416 and "aes-ctr" ciphers is all 16 bytes of Kcc or Kcs.
1418 "aes-ctr" cipher works as described in section 2.4.1.
1420 rc4 cipher state MUST NOT be reset before sending/receiving a next
1421 buffer of protected data.
1424 If the blocksize of the chosen cipher is not 1 byte, the padding
1425 prefix is one or more octets each containing the number of padding
1426 bytes, such that the total length of the encrypted part of the
1427 message is a multiple of the blocksize.
1429 The MAC block is 16 bytes formatted as follows: the first 10 bytes of
1430 the HMAC-MD5 [RFC 2104] of the message, a 2-byte message type number
1431 in network byte order with value 1, and the 4-byte sequence number in
1434 The padding and first 10 bytes of the MAC block are encrypted with
1438 Melnikov (Ed.) Expires: September 2007 [Page 24]
1444 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1447 the chosen cipher along with the message.
1449 SEAL(Ki, Kc, SeqNum, msg) = CIPHER(Kc, {msg, pad, MAC})
1451 MAC(Ki, SeqNum, msg) = {HMAC(Ki, {SeqNum, msg})[0..9],
1452 packet_type_data, SeqNum}
1454 packet_type_data = 0x0001
1456 where CIPHER is the chosen cipher, Ki and Kc are Kic and Kcc for
1457 messages sent by the client and Kis and Kcs for those sent by the
1458 server. The sequence number (SeqNum) is an unsigned number
1459 initialized to zero after initial or subsequent authentication, and
1460 incremented by one for each message sent/successfully verified.
1461 (Note, that there are two independent counters for sending and
1462 receiving.) The sequence number wraps around to 0 after 2**32-1.
1464 Upon receipt, the message is decrypted, HMAC(Ki, {SeqNum, msg}) is
1465 computed and compared with the received value; the padding and the
1466 packet type are verified. The message is discarded if the received
1467 and the calculated HMACs differ and/or the padding is invalid. See
1468 also section 3.8 for important information about MAC and padding
1469 verification. The receiver's sequence counter is then compared with
1470 the received SeqNum value; the message is discarded if they differ
1471 and, as the result, the connection being used MUST be dropped. The
1472 receiver's sequence counter is incremented if they match.
1474 2.4.1 AES cipher in "stateful-decryption counter" mode ("aes-ctr")
1476 In stateful-decryption counter mode, both the sender and the receiver
1477 maintain an internal 128-bit counter CTRBLK.
1479 The initial value of the CTRLBLK is calculated as follows:
1481 The counter for the first SASL packet going from the client
1482 to the server consists of 16 bytes calculated as follows:
1484 CTRBLK = H({H(A1), "aes-128 counter client-to-server", nc-value})
1486 The counter for the first SASL packet going from the server
1487 to the client consists of 16 bytes calculated as follows:
1489 CTRBLK = H({H(A1), "aes-128 counter server-to-client", nc-value})
1491 <<An alternative is to add a new option containing 128bit of random
1492 data, which is sent with successful authentication and is used to
1493 construct the initial counter.>>
1498 Melnikov (Ed.) Expires: September 2007 [Page 25]
1504 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1507 For each buffer of cleartext data to be encrypted the sender performs
1508 the following procedure:
1510 1) padding and MAC block are constructed (see section 2.4) and
1511 appended to the end of the plaintext. After this step the data
1512 to be encrypted will look like:
1516 As the total length of the data will be multiple of AES block size
1517 (i.e. 128 bit), this can also be represented as
1519 {P[1], P[2], P[3], ..., P[m]}
1521 where P[i] is a chunk of data of the length 128 bit.
1523 2) Data is encrypted as follows:
1526 E[i] := P[i] XOR CIPHER ( Kc, CTRBLK )
1527 CTRBLK := CTRBLK + 1
1530 This will generate ciphertext {E[1], ..., E[m]} to be sent as a
1534 The initial CTRBLK value is constructed as described at the
1536 this section. The last CTRBLK value produced after encrypting P[m]
1538 used to encrypt the first 128bit chunk of the next sent SASL
1540 (if any), end so on.
1542 If CTRBLK = (2**128)-1, then "CTRBLK + 1" has the traditional
1543 semantics of "set CTRBLK to 0."
1546 The receiver performs the following steps:
1548 1) Data is decrypted as follows:
1551 P[i] := E[i] XOR CIPHER ( Kc, CTRBLK )
1552 CTRBLK := CTRBLK + 1
1558 Melnikov (Ed.) Expires: September 2007 [Page 26]
1564 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1567 This will generate plaintext {P[1], ..., P[m]}, which is
1570 The initial CTRBLK value is constructed as described at the
1572 this section. The last CTRBLK value produced after decrypting P[m]
1573 is used to decrypt the first 128bit chunk of the next received
1575 (if any), end so on.
1577 If CTRBLK = (2**128)-1, then "CTRBLK + 1" has the traditional
1578 semantics of "set CTRBLK to 0."
1580 2) pad and MAC block are verified as described in section 2.4.
1618 Melnikov (Ed.) Expires: September 2007 [Page 27]
1624 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1627 3 Security Considerations
1629 General SASL security considerations apply to this mechanism.
1630 "stringprep" and Unicode security considerations also apply.
1632 Detailed discussion of other DIGEST-MD5 specific security issues is
1635 3.1 Authentication of Clients using Digest Authentication
1637 Digest Authentication does not provide a strong authentication
1638 mechanism, when compared to public key based mechanisms, for example.
1639 However, since it prevents chosen plaintext attacks, it is stronger
1640 than (e.g.) CRAM-MD5, which has been proposed for use with ACAP
1641 [RFC-2244], POP and IMAP [RFC 2195]. It is intended to replace the
1642 much weaker and even more dangerous use of plaintext passwords;
1643 however, since it is still a password based mechanism it avoids some
1644 of the potential deployability issues with public-key, OTP or similar
1647 Digest Authentication offers no confidentiality protection beyond
1648 protecting the actual password. All of the rest of the challenge and
1649 response are available to an eavesdropper, including the user's name
1650 and authentication realm.
1652 3.2 Comparison of Digest with Plaintext Passwords
1654 The greatest threat to the type of transactions for which these
1655 protocols are used is network snooping. This kind of transaction
1656 might involve, for example, online access to a mail service whose use
1657 is restricted to paying subscribers. With plaintext password
1658 authentication an eavesdropper can obtain the password of the user.
1659 This not only permits him to access anything in the database, but,
1660 often worse, will permit access to anything else the user protects
1661 with the same password.
1665 Replay attacks are defeated if the client or the server chooses a
1666 fresh nonce for each authentication, as this specification requires.
1668 As a security precaution, the server, when verifying a response from
1669 the client, must use the original server nonce ("nonce") it sent, not
1670 the one returned by the client in the response, as it might have been
1671 modified by an attacker.
1673 To prevent some redirection attacks it is recommended that the server
1674 verifies that the "serv-type" part of the "digest-uri" matches the
1678 Melnikov (Ed.) Expires: September 2007 [Page 28]
1684 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1687 service name and that the hostname/IP address belongs to the server.
1689 3.4 Online dictionary attacks
1691 If the attacker can eavesdrop, then it can test any overheard
1692 nonce/response pairs against a (potentially very large) list of
1693 common words. Such a list is usually much smaller than the total
1694 number of possible passwords. The cost of computing the response for
1695 each password on the list is paid once for each challenge.
1697 The server can mitigate this attack by not allowing users to select
1698 passwords that are in a dictionary.
1700 3.5 Offline dictionary attacks
1702 If the attacker can choose the challenge, then it can precompute the
1703 possible responses to that challenge for a list of common words. Such
1704 a list is usually much smaller than the total number of possible
1705 passwords. The cost of computing the response for each password on
1706 the list is paid just once.
1708 Offline dictionary attacks are defeated if the client chooses a fresh
1709 nonce for each authentication, as this specification requires.
1711 3.6 Man in the Middle
1713 Digest authentication is vulnerable to "man in the middle" (MITM)
1714 attacks. Clearly, a MITM would present all the problems of
1715 eavesdropping. But it also offers some additional opportunities to
1718 A possible man-in-the-middle attack would be to substitute a weaker
1719 qop scheme for the one(s) sent by the server; the server will not be
1720 able to detect this attack. For this reason, the client should always
1721 use the strongest scheme that it understands from the choices
1722 offered, and should never choose a scheme that does not meet its
1723 minimum requirements.
1725 A man-in-the-middle attack may also make the client and the server
1726 that agreed to use confidentiality protection to use different (and
1727 possibly weaker) cipher's. This is because the chosen cipher is not
1728 used in the shared secret calculation.
1730 3.7 Chosen plaintext attacks
1732 A chosen plaintext attack is where a MITM or a malicious server can
1733 arbitrarily choose the challenge that the client will use to compute
1734 the response. The ability to choose the challenge is known to make
1738 Melnikov (Ed.) Expires: September 2007 [Page 29]
1744 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1747 cryptanalysis much easier [MD5].
1749 However, Digest does not permit the attack to choose the challenge as
1750 long as the client chooses a fresh nonce for each authentication, as
1751 this specification requires.
1753 3.8 Attacks on padding
1755 In the past, implementations that treated bad padding differently
1756 from bad MACs during decryption were subject to different attacks.
1757 Note that such attacks are known for block ciphers in CBC mode, e.g.
1758 [VAUDENAY]. Even though this document doesn't define any ciphers in
1759 CBC mode, similar attacks might be used in the future against other
1762 In order to mitigate risks of such attacks, it is recommended that
1763 implementations don't skip MAC verification when bad padding is found
1764 in order to obtain (nearly) uniform timing of sending failure
1767 3.9 Spoofing by Counterfeit Servers
1769 If a user can be led to believe that she is connecting to a host
1770 containing information protected by a password she knows, when in
1771 fact she is connecting to a hostile server, then the hostile server
1772 can obtain challenge/response pairs where it was able to partly
1773 choose the challenge. There is no known way that this can be
1776 3.10 Storing passwords
1778 Digest authentication requires that the authenticating agent (usually
1779 the server) store some data derived from the user's name and password
1780 in a "password file" associated with a given realm. Normally this
1781 might contain pairs consisting of username and H({ username-value,
1782 ":", realm-value, ":", password }), which is adequate to compute
1783 H(A1) as described above without directly exposing the user's
1786 The security implications of this are that if this password file is
1787 compromised, then an attacker gains immediate access to documents on
1788 the server using this realm. Unlike, say a standard UNIX password
1789 file, this information need not be decrypted in order to access
1790 documents in the server realm associated with this file. On the other
1791 hand, decryption, or more likely a brute force attack, would be
1792 necessary to obtain the user's password. This is the reason that the
1793 realm is part of the digested data stored in the password file. It
1794 means that if one Digest authentication password file is compromised,
1798 Melnikov (Ed.) Expires: September 2007 [Page 30]
1804 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1807 it does not automatically compromise others with the same username
1808 and password (though it does expose them to brute force attack).
1810 There are two important security consequences of this. First the
1811 password file must be protected as if it contained plaintext
1812 passwords, because for the purpose of accessing documents in its
1813 realm, it effectively does.
1815 A second consequence of this is that the realm string should be
1816 unique among all realms that any single user is likely to use. In
1817 particular a realm string should include the name of the host doing
1858 Melnikov (Ed.) Expires: September 2007 [Page 31]
1864 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1867 3.11 Multiple realms
1869 Use of multiple realms may mean both that compromise of a the
1870 security database for a single realm does not compromise all
1871 security, and that there are more things to protect in order to keep
1872 the whole system secure.
1876 By modern cryptographic standards Digest Authentication is weak,
1877 compared to (say) public key based mechanisms. But for a large range
1878 of purposes it is valuable as a replacement for plaintext passwords.
1879 Its strength may vary depending on the implementation.
1884 This example shows the use of the Digest SASL mechanism with the
1885 IMAP4 AUTHENTICATE command [RFC 3501].
1887 In this example, "C:" and "S:" represent a line sent by the client or
1888 server respectively including a CRLF at the end. Linebreaks and
1889 indentation within a "C:" or "S:" are editorial and not part of the
1890 protocol. The password in this example was "secret". Note that the
1891 base64 encoding of the challenges and responses is part of the IMAP4
1892 AUTHENTICATE command, not part of the Digest specification itself.
1894 S: * OK elwood.innosoft.com PMDF IMAP4rev1 V6.0-9
1896 S: * CAPABILITY IMAP4 IMAP4rev1 ACL LITERAL+ NAMESPACE QUOTA
1897 UIDPLUS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=PLAIN
1899 C: a AUTHENTICATE DIGEST-MD5
1900 S: + cmVhbG09ImVsd29vZC5pbm5vc29mdC5jb20iLG5vbmNlPSJPQTZNRzl0
1901 RVFHbTJoaCIscW9wPSJhdXRoIixhbGdvcml0aG09bWQ1LXNlc3MsY2hh
1903 C: Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iY2hyaXMiLHJlYWxtPSJlbHdvb2
1904 QuaW5ub3NvZnQuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLG5jPTAw
1905 MDAwMDAxLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLGRpZ2VzdC11cmk9Im
1906 ltYXAvZWx3b29kLmlubm9zb2Z0LmNvbSIscmVzcG9uc2U9ZDM4OGRhZDkw
1907 ZDRiYmQ3NjBhMTUyMzIxZjIxNDNhZjcscW9wPWF1dGg=
1908 S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
1910 S: a OK User logged in
1913 The base64-decoded version of the SASL exchange is:
1918 Melnikov (Ed.) Expires: September 2007 [Page 32]
1924 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1927 S: realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
1928 algorithm=md5-sess,charset=utf-8
1929 C: charset=utf-8,username="chris",realm="elwood.innosoft.com",
1930 nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",
1931 digest-uri="imap/elwood.innosoft.com",
1932 response=d388dad90d4bbd760a152321f2143af7,qop=auth
1933 S: rspauth=ea40f60335c427b5527b84dbabcdfffd
1935 The password in this example was "secret".
1937 This example shows the use of the Digest SASL mechanism with the
1938 ACAP, using the same notational conventions and password as in the
1939 previous example. Note that ACAP does not base64 encode and uses
1940 fewer round trips that IMAP4.
1942 S: * ACAP (IMPLEMENTATION "Test ACAP server") (SASL "CRAM-MD5"
1943 "DIGEST-MD5" "PLAIN")
1944 C: a AUTHENTICATE "DIGEST-MD5"
1946 S: realm="elwood.innosoft.com",nonce="OA9BSXrbuRhWay",qop="auth",
1947 algorithm=md5-sess,charset=utf-8
1949 C: charset=utf-8,username="chris",realm="elwood.innosoft.com",
1950 nonce="OA9BSXrbuRhWay",nc=00000001,cnonce="OA9BSuZWMSpW8m",
1951 digest-uri="acap/elwood.innosoft.com",
1952 response=6084c6db3fede7352c551284490fd0fc,qop=auth
1954 S: rspauth=2f0b3d7c3c2e486600ef710726aa2eae) "AUTHENTICATE
1958 The server uses the values of all the directives, plus knowledge of
1959 the users password (or the hash of the user's name, server's realm
1960 and the user's password) to verify the computations above. If they
1961 check, then the user has authenticated.
1978 Melnikov (Ed.) Expires: September 2007 [Page 33]
1984 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
1989 5.1 Normative references
1991 [Digest] Franks, J., et al., "HTTP Authentication: Basic and Digest
1992 Access Authentication", RFC 2617, June 1999.
1994 [ISO-8859] ISO-8859. International Standard--Information Processing--
1995 8-bit Single-Byte Coded Graphic Character Sets --
1996 Part 1: Latin alphabet No. 1, ISO-8859-1:1987.
1997 Part 2: Latin alphabet No. 2, ISO-8859-2, 1987.
1998 Part 3: Latin alphabet No. 3, ISO-8859-3, 1988.
1999 Part 4: Latin alphabet No. 4, ISO-8859-4, 1988.
2000 Part 5: Latin/Cyrillic alphabet, ISO-8859-5, 1988.
2001 Part 6: Latin/Arabic alphabet, ISO-8859-6, 1987.
2002 Part 7: Latin/Greek alphabet, ISO-8859-7, 1987.
2003 Part 8: Latin/Hebrew alphabet, ISO-8859-8, 1988.
2004 Part 9: Latin alphabet No. 5, ISO-8859-9, 1990.
2006 [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
2009 [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
2010 Hashing for Message Authentication", RFC 2104, February
2013 [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
2014 Requirement Levels", BCP 14, RFC 2119, March 1997.
2016 [SASL] Melnikov, A. (editor) and K. Zeilenga "Simple Authentication
2017 and Security Layer (SASL)", RFC 4422, June 2006.
2019 [RFC 3454] Hoffman, P., Blanchet, M., "Preparation of
2020 Internationalized Strings ("stringprep")", RFC 3454,
2023 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
2024 3.2.0", defined by: The Unicode Standard, Version 3.0
2025 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
2026 as amended by the Unicode Standard Annex #28: Unicode 3.2
2027 (http://www.unicode.org/reports/tr28/tr28-3.html).
2029 [UTF-8] Yergeau, "UTF-8, a transformation format of ISO 10646",
2030 STD 63, RFC 3629, November 2003.
2032 [USASCII] US-ASCII. Coded Character Set - 7-Bit American Standard
2033 Code for Information Interchange. Standard ANSI X3.4-1986,
2038 Melnikov (Ed.) Expires: September 2007 [Page 34]
2044 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2047 [SASLPrep] Zeilenga, K., "SASLprep: Stringprep profile for user names
2048 and passwords", RFC 4013, February 2005.
2050 [RFC 3986] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
2051 Resource Identifier (URI): Generic Syntax", RFC 3986,
2054 [AES] Daemen, J., Rijmen, V., "The Rijndael Block Cipher",
2055 http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf,
2058 [GSS-API] Linn, J., "Generic Security Service Application Program
2059 Interface Version 2, Update 1", RFC 2743, January 2000.
2061 [ABNF] Crocker, D. (Ed.) and P. Overell , "Augmented BNF for Syntax
2062 Specifications: ABNF", RFC 4234, October 2005.
2064 [CHANNEL-BINDINGS] Williams, N., "On the Use of Channel Bindings to
2065 Secure Channels", work in progress, draft-williams-on-
2066 channel-binding-00.txt.
2068 5.2 Informative references
2070 [RFC-2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
2071 specifying the location of services (DNS SRV)", RFC 2782,
2074 [RFC 2195] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
2075 AUTHorize Extension for Simple Challenge/Response", RFC
2076 2195, September 1997.
2078 [MD5] Kaliski, B.,Robshaw, M., "Message Authentication with
2079 MD5", CryptoBytes, Sping 1995, RSA Inc,
2080 (ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto1n1.pdf)
2082 [RFC 3501] Crispin, M., "Internet Message Access Protocol - Version
2083 4rev1", RFC 3501, March 2003.
2085 [RFC-2244] Newman, C., Myers, J., "ACAP -- Application Configuration
2086 Access Protocol", RFC 2244, November 1997.
2088 [RFC 2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
2089 Masinter, L., Leach, P., Berners-Lee, T., "Hypertext
2090 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
2092 [VAUDENAY] Serge Vaudenay, "Security Flaws Induced by CBC Padding -
2093 Applications to SSL, IPSEC, WTLS ...". L.R. Knudsen (Ed.):
2094 EUROCRYPT 2002, LNCS 2332, pp. 534-545, 2002.
2098 Melnikov (Ed.) Expires: September 2007 [Page 35]
2104 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2107 [RFC 4648] Josefsson, S., "The Base16, Base32, and Base64 Data
2108 Encodings", RFC 4648, October 2006.
2110 [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
2111 MECHANISMS", <http://www.iana.org/assignments/sasl-
2158 Melnikov (Ed.) Expires: September 2007 [Page 36]
2164 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2167 6 IANA Considerations
2169 It is requested that the SASL Mechanism registry [IANA-SASL] entry
2170 for the DIGEST-MD5 mechanism be updated to reflect that this document
2171 now provides its technical specification.
2174 Subject: Updated Registration of SASL mechanism DIGEST-MD5
2176 Family of SASL mechanisms: NO
2177 SASL mechanism name: DIGEST-MD5
2178 Security considerations: See RFC XXXX.
2179 Published specification (optional, recommended): RFC XXXX
2180 Person & email address to contact for further information:
2181 Alexey Melnikov <alexey.melnikov@isode.com>
2182 IETF SASL WG <ietf-sasl@imc.org>
2183 Intended usage: COMMON
2184 Author/Change controller: IESG <iesg@ietf.org>
2185 Note: Updates existing entry for DIGEST-MD5
2218 Melnikov (Ed.) Expires: September 2007 [Page 37]
2224 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2229 <<What follows is the definition of the notation as is used in the
2230 HTTP/1.1 specification [RFC 2616] and the HTTP authentication
2231 specification [Digest]; it is reproduced here for ease of reference.
2232 Since it is intended that a single Digest implementation can support
2233 both HTTP and SASL-based protocols, the same notation is used in both
2234 to facilitate comparison and prevention of unwanted differences.
2235 Since it is cut-and-paste from the HTTP specifications, not all
2236 productions may be used in this specification.>>
2240 All of the mechanisms specified in this document are described in
2241 both prose and an EnHanced Backus-Naur Form (HBNF) which is a
2242 superset of the ABNF defined in [ABNF]. The Enhanced BNF used by this
2243 document defines the following extra syntactic rule:
2246 A construct "#" is defined, similar to "*", for defining lists of
2247 elements. The full form is "<n>#<m>element" indicating at least
2248 <n> and at most <m> elements, each separated by one or more commas
2249 (",") and OPTIONAL linear white space (LWSP). This makes the usual
2250 form of lists very easy; a rule such as
2251 ( LWSP element *( LWSP "," LWSP [element] ) LWSP )
2254 Wherever this construct is used, null elements are allowed, but do
2255 not contribute to the count of elements present. That is,
2256 "(element), , (element) " is permitted, but counts as only two
2257 elements. Therefore, where at least one element is required, at
2258 least one non-null element MUST be present. Default values are 0
2259 and infinity so that "#element" allows any number, including zero;
2260 "1#element" requires at least one; and "1#2element" allows one or
2264 Other differences from [ABNF]:
2267 The grammar described by this specification is word-based. Except
2268 where noted otherwise, linear white space (LWSP) can be included
2269 between any two adjacent words (token or quoted-string), and
2270 between adjacent words and separators, without changing the
2271 interpretation of a field. At least one delimiter (LWSP and/or
2272 separators) MUST exist between any two tokens (for the definition
2273 of "token" below), since they would otherwise be interpreted as a
2278 Melnikov (Ed.) Expires: September 2007 [Page 38]
2284 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2287 Implementations SHOULD NOT insert LWSP when generating challenges/
2288 responses, but MUST accept them in any received data.
2291 The following rules are used throughout this specification to
2292 describe basic parsing constructs. The US-ASCII coded character set
2293 is defined by ANSI X3.4-1986 [USASCII]. Non-terminals not defined in
2294 this document can be found in [ABNF].
2296 TEXTCHAR = <any OCTET except CTLs, but including HTAB>
2298 All linear white space, including folding, has the same semantics as
2299 SP. A recipient MAY replace any linear white space with a single SP
2300 before interpreting the field value or forwarding the message
2303 LWSP = *(WSP / CRLF WSP)
2305 Many HTTP/1.1 header field values consist of words separated by LWSP
2306 or special characters. These special characters MUST be in a quoted
2307 string to be used within a parameter value.
2312 separators = "(" / ")" / "<" / ">" / "@"
2313 / "," / ";" / ":" / BACKSLASH / DQUOTE
2314 / "/" / "[" / "]" / "?" / "="
2315 / "{" / "}" / SP / HTAB
2316 TOKENCHAR = <any CHAR except CTLs or separators>
2318 A string of text is parsed as a single word if it is quoted using
2321 quoted-string = DQUOTE qdstr-val DQUOTE
2322 qdstr-val = *( qdtext / quoted-pair )
2323 qdtext = <any TEXTCHAR except DQUOTE and BACKSLASH>
2325 Note that LWSP is NOT implicit between the double-quote marks
2326 (DQUOTE) surrounding a qdstr-val and the qdstr-val; any LWSP will be
2327 considered part of the qdstr-val. This is also the case for
2328 quotation marks surrounding any other construct.
2330 The backslash character (BACKSLASH) MAY be used as a single-character
2331 quoting mechanism only within qdstr-val and comment constructs.
2333 quoted-pair = BACKSLASH CHAR
2338 Melnikov (Ed.) Expires: September 2007 [Page 39]
2344 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2347 The value of this construct is CHAR. Note that an effect of this rule
2348 is that backslash itself MUST be quoted.
2350 7.3 Collected grammar in ABNF
2352 <<This section is Informative in this revision. It was not checked
2357 digest-challenge = LWSP d-c-e *(LWSP "," LWSP [d-c-e]) LWSP
2358 d-c-e = realm / nonce / qop-options / stale
2359 / server-maxbuf / charset / prep-opts / algorithm
2360 / cipher-opts / auth-param
2362 realm = "realm" EQU realm-value
2363 realm-value = quoted-string
2364 nonce = "nonce" EQU nonce-value
2365 nonce-value = quoted-string
2366 ;; contains data described by "nonce-data"
2367 qop-options = "qop" EQU DQUOTE qop-list DQUOTE
2368 qop-list = LWSP qop-value *(LWSP "," LWSP [qop-value]) LWSP
2369 qop-value = "auth" / "auth-int" / "auth-conf" /
2371 ;; qop-token is reserved for identifying
2372 ;; future extensions to DIGEST-MD5
2374 stale = "stale" EQU "true"
2375 server-maxbuf = "maxbuf" EQU maxbuf-value
2376 maxbuf-value = 1*DIGIT
2377 charset = "charset" EQU "utf-8"
2378 prep-opts = "prep" EQU DQUOTE prep-mechs DQUOTE
2379 prep-mechs = LWSP prep-mech *(LWSP "," LWSP [prep-mech]) LWSP
2380 prep-mech = "rfc4013"
2381 algorithm = "algorithm" EQU "md5-sess"
2382 cipher-opts = "cipher" EQU DQUOTE cipher-list DQUOTE
2383 cipher-list = LWSP cipher-value
2384 *(LWSP "," LWSP [cipher-value]) LWSP
2385 cipher-value = "rc4-40" / "rc4" / "rc4-56" /
2386 "aes-ctr" / cipher-token
2387 ;; cipher-token is reserved for
2389 cipher-token = token
2390 auth-param = token EQU ( token / quoted-string )
2391 nonce-data = new-nonce-data / obs-nonce-data
2392 new-nonce-data = "CB-" channel-type ":" channel-bindings
2393 ":" qop-list ":" cipher-list
2398 Melnikov (Ed.) Expires: September 2007 [Page 40]
2404 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2407 obs-nonce-data = nonce-octets
2408 ;; nonce value as defined in RFC 2831.
2409 ;; SHOULD be accepted. MUST NOT be
2411 channel-type = "TLS" / channel-type-ext
2412 ;; Should be taken from
2413 ;; [CHANNEL-BINDINGS].
2414 channel-type-ext = 1*(ALPHA / DIGIT)
2415 ;; for future channel bindings>>
2416 channel-bindings = 1*TEXTCHAR
2417 ;; channel binding data as defined by
2420 nonce-octets = 1*TEXTCHAR
2424 digest-response = LWSP d-r-e *(LWSP "," LWSP [d-r-e]) LWSP
2425 d-r-e = username / realm / nonce / cnonce
2426 / nonce-count / qop / digest-uri / response
2427 / response-v2 / client-maxbuf / charset
2428 / prep / cipher / authzid / auth-param
2430 username = "username" EQU username-value
2431 username-value = quoted-string
2432 cnonce = "cnonce" EQU cnonce-value
2433 cnonce-value = nonce-value
2434 nonce-count = "nc" EQU nc-value
2436 client-maxbuf = "maxbuf" EQU maxbuf-value
2437 qop = "qop" EQU qop-value
2438 digest-uri = "digest-uri" EQU
2439 DQUOTE digest-uri-value DQUOTE
2440 digest-uri-value = serv-type "/" host [ "/" serv-name ]
2443 prep = "prep" EQU prep-mech
2444 response = "response" EQU response-value
2445 response-v2 = "response-v2" EQU response-value
2446 response-value = 32LHEX
2447 LHEX = DIGIT / "a" / "b" /
2448 "c" / "d" / "e" / "f"
2449 cipher = "cipher" EQU cipher-value
2450 authzid = "authzid" EQU authzid-value
2451 authzid-value = quoted-string
2453 host = IP-literal / IPv4address / reg-name
2454 IP-literal = <see RFC 3986>
2458 Melnikov (Ed.) Expires: September 2007 [Page 41]
2464 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2467 IPv4address = <see RFC 3986>
2468 reg-name = <see RFC 3986>
2470 ;;; 2.1.2.1 Response-value
2474 ;;; 2.1.3 Step Three
2476 auth-info = LWSP a-i-e *(LWSP "," LWSP [a-i-e]) LWSP
2477 a-i-e = response-auth / response-v2-auth / auth-param
2479 response-auth = "rspauth" EQU response-value
2480 response-v2-auth = "rspauth-v2" EQU response-value
2484 TEXTCHAR = HTAB / %x20-7E / %x80-FF
2485 LWSP = *(WSP / CRLF WSP)
2490 separators = "(" / ")" / "<" / ">" / "@"
2491 / "," / ";" / ":" / BACKSLASH / DQUOTE
2492 / "/" / "[" / "]" / "?" / "="
2493 / "{" / "}" / SP / HTAB
2494 TOKENCHAR = <any CHAR except CTLs or separators>
2496 quoted-string = DQUOTE qdstr-val DQUOTE
2497 qdstr-val = *( qdtext / quoted-pair )
2498 qdtext = HTAB / %x20-21 / %x23-5B / %x5D-7E / %x80-FF
2500 quoted-pair = BACKSLASH CHAR
2504 ;;; The following non-terminals were imported from RFC 4234:
2505 ;;DIGIT, DQUOTE, ALPHA, OCTET, WSP, CRLF, HTAB, SP, CHAR and CTL
2518 Melnikov (Ed.) Expires: September 2007 [Page 42]
2524 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2527 8 Authors' Addresses
2532 Redmond, WA 98052, USA
2534 EMail: paulle@microsoft.com
2540 West Covina, CA 91790, USA
2542 EMail: Chris.Newman@Sun.COM
2547 5 Castle Business Village,
2554 Email: Alexey.Melnikov@isode.com
2559 The following people had substantial contributions to the development
2560 and/or refinement of this document:
2572 Hallvard B. Furuseth
2578 Melnikov (Ed.) Expires: September 2007 [Page 43]
2584 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2592 as well as other members of the SASL mailing list.
2638 Melnikov (Ed.) Expires: September 2007 [Page 44]
2644 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2647 10 Full Copyright Statement
2649 Copyright (C) The IETF Trust (2007).
2651 This document is subject to the rights, licenses and restrictions
2652 contained in BCP 78, and except as set forth therein, the authors
2653 retain all their rights.
2655 This document and the information contained herein are provided on an
2656 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2657 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
2658 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
2659 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
2660 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2661 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2665 Funding for the RFC Editor function is currently provided by the
2668 11 Intellectual Property
2670 The IETF takes no position regarding the validity or scope of any
2671 Intellectual Property Rights or other rights that might be claimed to
2672 pertain to the implementation or use of the technology described in
2673 this document or the extent to which any license under such rights
2674 might or might not be available; nor does it represent that it has
2675 made any independent effort to identify any such rights. Information
2676 on the procedures with respect to rights in RFC documents can be
2677 found in BCP 78 and BCP 79.
2679 Copies of IPR disclosures made to the IETF Secretariat and any
2680 assurances of licenses to be made available, or the result of an
2681 attempt made to obtain a general license or permission for the use of
2682 such proprietary rights by implementers or users of this
2683 specification can be obtained from the IETF on-line IPR repository at
2684 http://www.ietf.org/ipr.
2686 The IETF invites any interested party to bring to its attention any
2687 copyrights, patents or patent applications, or other proprietary
2688 rights that may cover technology that may be required to implement
2689 this standard. Please address the information to the IETF at ietf-
2698 Melnikov (Ed.) Expires: September 2007 [Page 45]
2704 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2707 Appendix A: Changes from 2831
2709 1). Fixed various typos in formulas.
2711 2). Tighten ABNF. Fixed some bugs.
2713 3). Replace RFC 822 ABNF with [ABNF].
2715 4). Clarified nc-value verification and which side is aborting
2718 5). Removed downconversion to ISO-8859-1.
2720 6). Clarified that unquoted version of the username, etc. used in A1
2723 7). Various cleanup to References section. Split all references into
2724 Normative and Informative.
2726 8). Added minimal and maximal limits on maxbuf. Clarified how to
2727 calculate "maximal sender size".
2729 9). Change ABNF for host to allow for IPv6 addresses. ABNF now
2730 references RFC 3986.
2732 10). Added man-in-the-middle considerations for ciphers.
2734 11). Clarified how sequence counters are updated.
2736 12). Addition warnings about preventing reply/redirection attacks.
2738 13). Specified that "charset" directive affects "realm" and doesn't
2741 14). Removed text that described that "authzid" is in Unicode in
2742 Normalization Form KC, encoded as UTF-8.
2744 15). Clarified that rc4 state is not reset between two consecutive
2745 sent/received buffers of protected data.
2747 16). Allow for extensibility in step 3. Use "auth-info" as in RFC
2750 17). Prohibit an empty authzid, as this caused interoperability
2753 18). Clarified that 'qop="auth",qop="auth-int"' is the same as
2754 'qop="auth,auth-int"'.
2758 Melnikov (Ed.) Expires: September 2007 [Page 46]
2764 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2767 19). Clarified client behavior, if it recognizes no ciphers.
2769 20). Clarified that the server is not required to advertise all
2772 21). Clarified how UIs should present realms.
2774 22). Changed some informative text to normative MUST/SHOULDs.
2776 23). Changed nonce/cnonce to allow for channel bindings.
2778 24). Added new "prep" directive, that allows to specify preparation
2779 algorithms for username/password. Defined a single preparation
2780 mechanism - SASLPrep [SASLPrep].
2781 Added another directive (response-v2) confirming that a user
2783 its password. A corresponding directive (rspauth-v2) was added
2787 25). Cleaned up Confidentiality protection section.
2789 26). Added AES cipher defined in "AES Ciphersuite for DIGEST-MD5 SASL
2790 mechanism" document (expired draft-ietf-sasl-digest-aes-00.txt).
2791 Use aes cipher in CTR mode ("aes-ctr").
2793 27). Dropped DES as mandatory to implement cipher (aes-ctr is
2795 implement). Removed "des" and "3des" ciphers because of known
2796 interoperability problems and vulnerability to CBC mode attack.
2799 And other minor text clarifications.
2801 Appendix B: Differences between HTTP Digest and DIGEST-MD5
2803 <<The following list is probably not complete>>
2805 1) On reauthentication, DIGEST-MD5 requires that cnonce is to be the
2806 same, while HTTP Digest doesn't have this restriction
2808 2) Integrity and confidentiality security layers are very specific to
2811 3) HTTP Digest doesn't support channel bindings
2813 4) HTTP Digest doesn't have the "charset" and the "prep" options
2818 Melnikov (Ed.) Expires: September 2007 [Page 47]
2824 INTERNET DRAFT DIGEST-MD5 SASL Mechanism March 2007
2827 5) DIGEST-MD5 doesn't use the following HTTP Digest options in
2828 "digest-challenge": "opaque" and "domain"
2830 6) DIGEST-MD5 doesn't use the following HTTP Digest options in
2831 "digest-response": "opaque" and "algorithm"
2833 7) DIGEST-MD5 doesn't use the following HTTP Digest options in "auth-
2834 info": "nextnonce", "qop", "cnonce" and "nonce-count"
2836 8) A second directive (response-v2) confirming that a user knows its
2837 password was added. A corresponding directive (rspauth-v2) was added
2840 Appendix C: Open Issues/ToDo List
2842 1). Normative vs. Informative references must be carefully rechecked.
2844 2). The charset directive is kind of optional, but in practice it is
2846 Should it just be made mandatory?
2848 3). Need to clarify behaviour when the prep directive is present,
2849 but the charset directive is not.
2851 4). Update example to match the updated draft, in particular need
2852 to add channel binding, qop & cipher lists into nonce/cnonce.
2853 Also need to use example.{com|net} in examples.
2855 5). Frank Ellermann asked if the procedure for unescaping is actually
2856 correct and consistent with HTTP Digest.
2857 He suggested that simple removal of surrounding quotes is what
2858 people actually implement. Need to perform some interop testing.
2860 6). Need to clarify backward compatibility with RFC 2831 in several
2878 Melnikov (Ed.) Expires: September 2007 [Page 48]