4 INTERNET DRAFT EXPIRES JULY 1999 INTERNET DRAFT
8 INTERNET-DRAFT M. Nystrom
9 Expires: June 1999 J. Brainard
10 Intended Category: Informational RSA Laboratories
11 <draft-nystrom-securid-sasl-00.txt> January 1999
13 The SecurID(r) SASL Mechanism
17 This document is an Internet-Draft. Internet-Drafts are working
18 documents of the Internet Engineering Task Force (IETF), its areas,
19 and its working groups. Note that other groups and individuals may
20 also distribute working documents as Internet-Drafts.
22 Internet-Drafts are draft documents valid for a maximum of six months
23 and may be updated, replaced, or obsoleted by other documents at any
24 time. It is inappropriate to use Internet-Drafts as reference
25 material or to cite them other than as "work in progress."
27 To view the entire list of current Internet-Drafts, please check the
28 "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
29 Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
30 Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
31 Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
35 This document defines a SASL [SASL] authentication mechanism based on
36 Security Dynamics' SecurID authentication protocol, providing client
37 authentication. This mechanism is only for authentication, and has no
38 effect on the protocol encoding and is not designed to provide
39 integrity or confidentiality services.
41 This memo assumes the reader has basic familiarity with the SecurID
42 authentication protocol and SASL.
44 How to read this document
46 The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
47 "RECOMMENDED" and "MAY" in this document are to be interpreted as
48 defined in "Key words for use in RFCs to Indicate Requirement Levels"
51 In examples, "C:" and "S:" indicate messages sent by the client and
60 Nystrom & Brainard Expires: July 1999 [Page 1]
62 INTERNET DRAFT SecurID SASL Mechanism January 1999
67 The SECURID SASL mechanism is a good choice for usage scenarios where
68 a client, acting on behalf of a user, is untrusted, as a one-time
69 passcode will only give the client a single opportunity to act
70 maliciously. This mechanism provides authentication only. While this
71 primarily is due to legacy reasons, it makes the mechanism very
72 simple. When confidentiality and/or integrity are provided by lower
73 layers (e.g., TLS) or by the application (e.g., signed and/or
74 encrypted data), a confidentiality and/or integrity mechanism at the
75 SASL layer may also be unnecessary or superfluous.
77 The SECURID SASL mechanism provides a formal way to integrate the
78 existing SecurID authentication method into SASL-enabled protocols
79 including IMAP [IMAP4], ACAP [ACAP], POP3 [POP3AUTH] and LDAPv3
82 2. Authentication Model
84 The SECURID SASL mechanism provides one-way two-factor based
85 authentication as defined below.
87 There are basically three entities in the authentication mechanism
88 described here: A user, possessing a SecurID token, an application
89 server, to which the user wants to connect, and an authentication
90 server, capable of authenticating the user. Even though the
91 application server in practice may function as a client with respect
92 to the authentication server, relaying authentication credentials etc
93 as needed, both servers are, unless explicitly mentioned,
94 collectively termed "the server" here. The protocol used between the
95 application server and the authentication server is outside the scope
96 of this memo. The application client, acting on behalf of the user,
97 is termed "the client".
99 The mechanism is based on the use of a shared secret key, or 'seed',
100 and a personal identification number (PIN), which is known both by
101 the user and the authentication server. The secret seed is stored on
102 a token that the client (user) possesses, as well as on the
103 authentication server, Hence the term 'two-factor authentication'.
104 Given the seed, current time of day, and the PIN, a "PASSCODE(r)" is
105 generated by the user's token and sent to the server. The protocol
106 described here is the same as the one being used in current SecurID
107 products from Security Dynamics Technologies, Inc.
109 The SECURID SASL mechanism provides one service:
111 - Client authentication where the client provides information to
112 the server, so that the server can authenticate the client.
116 Nystrom & Brainard Expires: July 1999 [Page 2]
118 INTERNET DRAFT SecurID SASL Mechanism January 1999
121 This mechanism is identified with the SASL key "SECURID".
123 3. Authentication Procedure
125 1. The client generates the credentials using local information
126 (seed, current time and user PIN).
128 2. If the underlying protocol permits, the client sends credentials
129 to the server in an initial response message. Otherwise, the
130 client sends a request to the server to initiate the
131 authentication mechanism, and sends credentials after the server's
134 3. The server verifies these credentials using its own information.
135 If the verification succeeds, the server sends back a
136 response indicating success to the client. After receiving this
137 response, the client is authenticated. Otherwise, the verification
138 either failed or the server needs an additional set of credentials
139 from the client in order to authenticate the user.
141 4. If the server needs an additional set of credentials, it requests
144 5. The client generates a new set of credentials using the local
145 information and sends them to the server.
147 6. The server verifies these credentials using its copy of the shared
148 seed. If the verification succeeds, the server sends back a
149 response indicating success to the client. Otherwise, the
150 authentication failed and the server sends back a response
153 Note 1: Case 4 above can occur e.g. when the clocks on which the
154 server and the client relies are not synchronized.
156 Note 2: In some cases, the initial server request may be a request
157 for a new user PIN (or a suggestion for a new user PIN). In those
158 cases, a different server request is transferred, and the clients
159 response shall be the user's new PIN. After this, authentication
160 proceeds as described above (the server sends a request for client
165 Unless the underlying protocol supports the initial response message
166 alternative, the servers initial message (its response to the clients
167 request for authentication) is always "Username:", encoded in US-
172 Nystrom & Brainard Expires: July 1999 [Page 3]
174 INTERNET DRAFT SecurID SASL Mechanism January 1999
177 The clients response to this message SHOULD be a US-ASCII encoded
178 username. It MAY be a UTF8 [UTF8] encoded username. Only UTF8 or US-
179 ASCII encoded usernames are allowed. Since US-ASCII is a true subset
180 of UTF8, this will not affect the protocol.
182 The next message from the server will either be "Password:<STRING>"
183 or "Passcode:", UTF8 encoded. The former will be sent if the server
184 wants the user to enter a new PIN ("<STRING>" is either empty or a
185 suggested new PIN), the latter (normal) case is when the server
186 simply wants the user's passcode.
188 If the server did send the "Password:" message, the client MUST
189 respond with a new user PIN. This PIN shall be encoded in UTF8. If
190 the server supplied the client with a suggested PIN, the client
191 accepts this by replying with the same PIN, but MAY replace it with
192 another one. The length of the PIN is application-dependent as is any
193 other requirements for the PIN, e.g. allowed characters. After having
194 received the PIN, the server responds with a "Passcode:" message. If
195 the server for some reason does not accept the received PIN, the
196 client must be prepared to receive either a message indicating the
197 failure of the authentication or a repeated request for a new PIN.
198 Mechanisms for transferring knowledge about PIN requirements from the
199 server to the client is outside of the scope for this memo. However,
200 some information MAY be provided in error messages transferred from
201 the server to the client when applicable.
203 When the client receives the "Passcode:" message, it responds with
204 the passcode. The passcode MUST be UTF8 encoded (it will normally
205 consist only of digits, and therefore, in those cases, be equivalent
206 to a US-ASCII encoding).
208 After having received the passcode, the server verifies the passcode.
209 If the verification indicates that the client's clock is out of synch
210 with the server's, the server requests a second passcode by sending
211 the "Passcode:" message to the client once more. Otherwise the
212 verification either fails or succeeds. The server notifies the client
213 of the outcome through the underlying protocol.
215 If the client receives a second "Passcode:" message, it responds with
216 a new UTF8 encoded passcode. After having received a message
217 indicating successful verification of a sent passcode, the client is
218 considered authenticated.
220 4. LDAPv3 Considerations
222 In LDAPv3 the username SHALL always be provided in the "name" field
223 of the BindRequest. The authenticating server does not therefore need
224 to ask for usernames.
228 Nystrom & Brainard Expires: July 1999 [Page 4]
230 INTERNET DRAFT SecurID SASL Mechanism January 1999
233 LDAPv3 supports the initial response binding mechanism, and the use
234 of this mechanism is the preferred way of authenticating to an LDAPv3
235 server which supports the SECURID SASL mechanism.
237 The SecurIDSASLCredentials is defined in ASN.1 [X680] as follows:
239 SecurIDSASLCredentials ::= CHOICE {
240 passcode [0] IMPLICIT UTF8String,
241 pin [1] IMPLICIT UTF8String,
242 ... -- Allow for future expansion
245 This type is then BER-encoded and encapsulated within the
246 "credentials" OCTET STRING. E.g., when sending the initial
247 BindRequest, a passcode of "12345678" yields a value for the
248 "credentials" type equal to (using the value notation defined in
249 X.680 [X680]) '80083132333435363738'H.
251 If the server is unable to process the initial response BindRequest,
252 for example due to the fact that it needs a new user PIN, it simply
253 responds with a BindResponse with resultCode "saslBindInProgress" and
254 a "serverSaslCreds" containing a "SecurIDSASLCredentials" indicating
255 the type of credential it needs. The value MAY be empty in this case.
256 E.g., when requesting a second passcode from the client, the value of
257 the "serverSaslCreds" will be '8000'H.
263 The following example shows the use of the SECURID SASL mechanism
264 with IMAP4. The example is only designed to illustrate the protocol
265 interaction but does provide valid encoding examples.
267 S: * OK IMAP4 server ready
269 S: * CAPABILITY IMAP4 AUTH=CRAM-MD5 AUTH=SECURID
271 C: AOO2 AUTHENTICATE SECURID
272 S: + VXNlcm5hbWU6Cg==
274 S: + UGFzc2NvZGU6Cg==
276 S: AOO2 OK Welcome, SECURID authenticated user: magnus
280 The following examples show the use of the SECURID SASL mechanism
284 Nystrom & Brainard Expires: July 1999 [Page 5]
286 INTERNET DRAFT SecurID SASL Mechanism January 1999
289 with LDAPv3. The examples are only designed to illustrate the
290 protocol interaction, but does provide valid encoding examples.
291 Usernames, passcodes and PINs are of course fictitious. For
292 readability, all messages is shown in the value-notation defined in
295 5.2.1 LDAPv3 Example 1
297 Initial response message, successful authentication.
300 protocolOp bindRequest :
302 name '434E3D4D41474E5553'H,
303 authentication sasl :
304 { mechanism '53454355524944'H,
305 credentials '80083132333435363738'H
311 protocolOp bindResponse :
312 { resultCode success,
318 5.2.2 LDAPv3 Example 2
320 Initial response message, server requires second passcode.
323 protocolOp bindRequest :
325 name '434E3D4D41474E5553'H,
326 authentication sasl :
327 { mechanism '53454355524944'H,
328 credentials '80083132333435363738'H
334 protocolOp bindResponse :
335 { resultCode saslBindInProgress,
340 Nystrom & Brainard Expires: July 1999 [Page 6]
342 INTERNET DRAFT SecurID SASL Mechanism January 1999
346 serverSaslCreds '8000'H
351 protocolOp bindRequest :
353 name '434E3D4D41474E5553'H,
354 authentication sasl :
355 { mechanism '53454355524944'H,
356 credentials '80083131323233333434'H
362 protocolOp bindResponse :
363 { resultCode success,
369 5.2.3 LDAPv3 Example 3
371 Initial response message, server requires new PIN and passcode, and
372 supplies client with a suggested new PIN (which the client accepts).
375 protocolOp bindRequest :
377 name '434E3D4D41474E5553'H,
378 authentication sasl :
379 { mechanism '53454355524944'H,
380 credentials '80083132333435363738'H
387 protocolOp bindResponse :
388 { resultCode saslBindInProgress,
391 serverSaslCreds '810431323334'H
396 Nystrom & Brainard Expires: July 1999 [Page 7]
398 INTERNET DRAFT SecurID SASL Mechanism January 1999
404 protocolOp bindRequest :
406 name '434E3D4D41474E5553'H,
407 authentication sasl :
408 { mechanism '53454355524944'H,
409 credentials '810431323334'H
415 protocolOp bindResponse :
416 { resultCode saslBindInProgress,
419 serverSaslCreds '8000'H
424 protocolOp bindRequest :
426 name '434E3D4D41474E5553'H,
427 authentication sasl :
428 { mechanism '53454355524944'H,
429 credentials '80083131323233333434'H
435 protocolOp bindResponse :
436 { resultCode success,
443 6. Security Considerations
445 This mechanism does not provide session privacy, server
446 authentication or protection from active attacks.
448 In order not to expose user PINs, the server SHOULD make sure that
452 Nystrom & Brainard Expires: July 1999 [Page 8]
454 INTERNET DRAFT SecurID SASL Mechanism January 1999
457 the authentication takes place on a confidentiality-protected
458 connection in those cases where user PINs are requested.
460 Server implementations MUST protect against replay attacks.
462 7. Multinational Considerations
464 Usernames may be UTF-8 encoded as long as the underlying protocol
467 8. IANA Considerations
469 By registering the SecurID protocol as a SASL mechanism, implementers
470 will have a well-defined way of adding this authentication mechanism
471 to their product. Here is the registration template for the SECURID
474 SASL mechanism name: SECURID
475 Security Considerations: See corresponding section of this memo
476 Published specification: This memo
477 Person & email address to
479 information: See author's address section below
480 Intended usage: COMMON
481 Author/Change controller: See author's address section below
483 9. Intellectual Property Considerations
485 Neither RSA Data Security Inc. or Security Dynamics Technologies Inc.
486 makes any claims on the general constructions described in this memo,
487 although underlying techniques may be covered. Among the underlying
488 techniques, the SecurID technology is covered by a number of US
489 patents, in particular US patent no. 4,885,778, no. 5,097,505, no.
490 5,168,520, and 5,657,388.
492 Security Dynamics and SecurID are registered trademarks, and PASSCODE
493 is a trademark, of Security Dynamics Technologies, Inc.
497 [ACAP] Newman, C., "ACAP -- Application Configuration Access
498 Protocol", RFC 2244, November 1997.
500 [ASCII] "ANSI X3.4: Information Systems - Coded Character Sets - 7-
501 Bit American National Standard Code for Information Interchange (7-
502 Bit ASCII)", American National Standards Institute.
504 [IMAP4] Crispin, M., "Internet Message Access Protocol - Version
508 Nystrom & Brainard Expires: July 1999 [Page 9]
510 INTERNET DRAFT SecurID SASL Mechanism January 1999
513 4rev1", RFC 2060, December 1996.
515 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
516 Requirement Levels", RFC 2119, March 1997.
518 [LDAPv3] Wahl, M., et al, "Lightweight Directory Access Protocol
519 (v3)", RFC 2252, December 1997.
521 [POP3AUTH] Myers, J., "POP3 AUTHentication command", RFC 1734,
524 [SASL] Meyers, J., "Simple Authentication and Security Layer", RFC
527 [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
528 RFC 2279, January 1998.
530 [X680] "Information technology - Abstract Syntax Notation One
531 (ASN.1): Specification of basic notation", ITU-T Recommendation
541 Phone: +1-781-687-7000
542 Email: magnus@rsa.com
549 Phone: +1-781-687-7000
550 Email: jbrainard@rsa.com
564 Nystrom & Brainard Expires: July 1999 [Page 10]
566 INTERNET DRAFT EXPIRES JULY 1999 INTERNET DRAFT