[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Updated version of "X.509 Authentication SASL Mechanism" - the document
Network Working Group S.E. Kille
INTERNET-DRAFT Isode Ltd.
Expires in six months August 1998
Intended Category: Standard
X.509 Authentication SASL Mechanism
<draft-ietf-ldapext-x509-sasl-02.txt>
1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and its
working groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
2. Abstract
This document defines a SASL [1] authentication mechanism based on X.509
strong authentication [3], providing two way authentication. This
mechanism is only for authentication, and has no effect on the protocol
encodings and is not designed to provide integrity or confidentiality
services.
3. Model
The mechanism provides two way strong authentication as defined in
X.509. The encoding is based on on that used by X.500 in the DAP, DSP,
and DISP protocols.
The mechanism is based on use of an asymetric (public key) signing
mechanism. This SASL mechanism contains two authentication mechanisms:
- Client authentication is where the client provides information to
the server, so that the server can authenticate the client.
- Server authentication is where the server provides information to
the client, so that the client can authenticate the server.
Kille [Page 1]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
This mechanism is given three SASL keys for different variants:
- "X509-CLIENT-<algorithm>" for client authentication only.
- "X509-SERVER-<algorithm>" for sever authentication only.
- "X509-BOTH-<algorithm>" for client and server authentication. In
this case client authentication is done prior to server authentica-
tion.
Each SASL key may be used with a list of algorithms. Supported algo-
rithms in this version are "DSS", "RSA", and "X-<private>".
Editor's Note:
It has been suggested that X-Private is not desirable, and this
should be left to the IANA. I prefer to have this extension, as it
will allow people to use non-stanard (unregistered) algorithms in a
conforming manner.
For Client Authentication ("X509-CLIENT"):
1. The client generates the credentials (SASLStrongCredentials) from
information on both parties and a random number, and signs the
enclosed token with its own private key.
2. The client sends credentials to the server.
3. The server verifies these credentials using the client's public
key, and the authentication is complete.
For Serever Authentication ("X509-SERVER"):
1. The server generates the credentials (SASLStrongCredentials) from
information on both parties and a random number, and signs the
enclosed token with its own private key.
2. The server sends credentials to the client.
3. The client verifies these credentials using the server's public
key, and the authentication is complete.
For most SASL based protocols, server only authentication will not be
useful. However, this is included here, as the definition is required
for "client and server", and it may be useful for future protocols.
For Client and Server Authentication ("X509-BOTH"), the procedure for
"X509-CLIENT" is performed and then followed by the procedure for
"X509-SERVER". The Client needs to go first, as for some protocols the
Kille [Page 2]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
server will need to get information about the client from the client
authentication in order to be able to perform the server authentication.
3.1. Encoding
The SASLStrongCredentials, which is the definition of the data format
exchanged, is encoded using ASN.1 Basic Encoding Rules (BER).
4. Why this SASL Mechanism is Needed
This section discusses the requirements for this SASL mechanism.
4.1. Benefits of a Public Key Mechanism
The key benefit of asymetric (public key) security, is that the secret
(private key) only needs to be placed with the entity that is being
authenticated. Thus a private key can be issued to a client, which can
then be authenticated by ANY server based on a token generated by the
client and the generally available public key. Symmetric authentication
mechanisms (password mechanisms such as CRAM-MD5) require a shared
secret, and the need to maintain it at both endpoints. This means that
a secret key for the client needs to be maintained at every server which
may need to authenticate the client.
This is particularly an issue for protocols such as LDAP, where a client
may connect to and be authenticated by a large number of servers. In
this situation, the requirement to maintain secret keys on all possible
servers is not practical, which makes authentication mechanisms such as
CRAM-MD5 unsuitable for LDAP in many situations.
4.2. Why Authentication Only?
This service provides authentication only. The primary reason for this
is that it makes the mechanism very simple. It would be possible to
define a more complex mechanism which exchanged session keys and also
provided confidentiality and/or integrity.
There are a number of places where an authentication only service is
useful:
- Where confidentiality and integrity are provided by lower layers
(e.g., TLS or IPSec).
- Where confidentialy or integrity services are provided by the
application (e.g., X.500 signed operations).
- Where physical and other security aspects of the environment do no
require confidentiality and integrity services.
Kille [Page 3]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
- For legacy applications where changes to the data exchange would be
difficult to integrate.
4.3. Relationship to TLS
The functionality defined here can be provided by TLS, and it is impor-
tant to consider why it is useful to have it in both places. There are
a number of reasons for this:
- SASL. SASL also duplicates TLS functionality, and the rationale
for this is clearly given in RFC 2222 [1]. These arguments apply
here.
- Simplicity. This mechanism is a great deal simpler than TLS. If
there is only a requirement for this functionality (as distinct
from all of TLS), this simplicity will facilitate deployment.
- Layering. The SASL mechanism to establish authentication works
cleanly with most protocols. TLS often layers awkwardly, and does
not provide the authentication dialogue at the right stage in the
protocol negotiation.
- Proxy support. Proxys can be cleanly supported with this mechan-
ism, but not with TLS. This works because the proxy can authenti-
cate the client, and then simply pass the credentials on the the
server.
- No Data Confidentiality and integrity required. In many situa-
tions, the data confidentiality and integrity provided by TLS is
not needed, and in this situation use of TLS provides an unecessary
overhead and complexity.
- Export. Because of its data confidentiality functionality, TLS
will often have export problems. When used with a signing algo-
rithm such as DSS that cannot be used for data confidentiality,
export problems for this mechanism will be much less. For this
reason, it will be much easier to globally deploy this mechanism
than TLS. It is also useful that if an "export product" uses
"weak" data confidentiality, that a separate authentication mechan-
ism will mean that authentication does not need to be weakened.
5. Token Definition
The SASLStrongCredentials defined here are based on the StrongCreden-
tials defined in X.511, making use of the SIGNED Macro and Certification
Path definitions of X.509. Two optional fields have been added, the
second of which makes use of GeneralName defined in X.509 [6]. The
credentials definition is given here for clarity. The formal
Kille [Page 4]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
definitions of CertificationPath, AlgorithmIdentifier, and Dis-
tinguishedName are by reference to X.511. The formal definition of Gen-
eralName is given in X.509.
SASLStrongCredentials::= SET {
certification-path [0] CertificationPath OPTIONAL,
bind-token [1] SASLToken,
name [2] DistinguishedName OPTIONAL}
SASLToken::= SIGNED { SEQUENCE {
algorithm [0] AlgorithmIdentifier,
name [1] DistinguishedName,
time [2] UTCTime,
random [3] BITSTRING,
response [4] BITSTRING OPTIONAL,
subject-name [20] GeneralName OPTIONAL,
previous-token [21] PreviousToken OPTIONAL}}
PreviousToken::= SEQUENCE {
token [0] SASLToken,
protocol [1] INTEGER OPTIONAL }
GeneralName::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
edipartyname [5] EDIPartyName,
uniformresouceidentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
The elemements of SASLStrongCredentials are as follows:
certification-path:
This provides a mechanism for exchange of certificates, which may
help the recipient to verify the credentials. If this is included,
it must be consistent with the name in SASLStrongCredentials.name.
This information is provided by the entity generating the token to
facilitate verification. The entity verifying the token is not
required to use this information.
bind-token:
This is the signed token, which is the core of the credentials.
name:This is the distinguished name of the signer of the token. For
client authentication, this will need to be included unless the
Kille [Page 5]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
information is carried in another protocol element of the exchange
(which will typically not be the case). For server authentication,
this will not normally be needed, as the client will have a priori
knowledge of the server it is connecting to.
The entity verifying the token shall ensure that this name is con-
sistent with the certificate, as a part of the verification pro-
cess.
Note that there must be distinguished names for both parties of the
authentication.
The signed token contains the following elements.
algorithm:
This is the algorithm used to sign the token. This is included for
compatibility with X.509. The value SHALL be consistent with the
algorithm defined by the SASL mechanism (e.g., DSS).
name:This is the distinguished name of the object that is verifying the
token. For client authentication, this will be the name of the
server.
time:This is the time that the token expires.
random:
This is a random number, which must be unique for the target over
the valid life of the token. This is included to prevent replay
attack.
EDITOR'S NOTE:
It has been suggested that a minimum length is required for random.
Input is requested as to whether this is a good idea, and what the
minimum should be?
response:
This is used to carry a number derived from random if challenge
response of authentication is required. This shall be used in the
client phase of X509-BOTH and in no other circumstances. In this
case, the value used in this field in the client authentication
shall be used in the SASLToken.random field of the server authenti-
cation.
items 5-19:
There is a gap in the sequence numbering. Items 6-9 are used in
X.500 DAP, but are not appropriate here.
subject-name:
Kille [Page 6]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
This is a very general definition of a name, taken from X.509(v3).
This definition is being used by ongoing work on PKI. This enables
authentication identifiers other than distinguished names to be
used.
This field is needed when access control is to be applied on the
basis of a name different to the one doing the signing. The name
of the entity doing the signing is in SASLStrongCredentials.name,
and this is verified by the signing process. This field, verified
by the signature, is an alternate name to be used for access con-
trol purposes in the authentication and for ongoing purposes with
the association established. In SASL terminlogy, this is the
"authorization entity".
Note that this description is for tutorial purposes only, and the
formal definition is taken from X.511.
previous-token
This gives a mechanism to include a previous token, which includes
a SASLToken, and optionally a protocol (identified by the TCP Port
Number) if this is different from the current protocol. The
mechanism might be used in a firewall, which does protocol relay.
The intial token is generated by the client, which is then encapsu-
lated in another token generated by the firewall. This enables a
signed trust chain to be built. The "change of protocol" enables
a server to use a different protocol on behalf of its client (e.g.,
an ACAP server performing a directory lookup on behalf of the ACAP
client).
6. Distinguished Names
The X.509 strong authentication mechanism makes use of distinguished
names to identify the target. For some protocols, such as LDAP [2],
this is natural. For protocols which make use of internet domain names
to identify objects, the representation defined in RFC 2247 [5] MAY be
used as an alternative to subject-name in the token. For an Internet
Mailbox the local part must be encoded as a domain component. For exam-
ple "J.Bloggs@widget.com" is represented as the distinguished name
"DC=J.Bloggs,DC=widget,DC=com".
7. Supported Algorithms
The following algorithms are recognised for use with this mechanism:
1. DSS. (X509-CLIENT-DSS, X509-SERVER-DSS, X509-BOTH-DSS).
2. RSA. (X509-CLIENT-RSA, X509-SERVER-RSA, X509-BOTH-RSA).
Kille [Page 7]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
The set of supported algorithms is handled by the SASL negotiation. Sup-
port of the DSS algorithm is recommended for use with this mechanism.
Editor's Note:
Include the OIDs for each of these algorithms in a future version
of this document.
8. Example
The following example shows use with IMAP4. The example is designed to
illustrate the protocol interaction and does not provide valid encoding
examples.
S: * OK IMAP4 server ready
C: AOO1 CAPABILITY
S: * CAPABILITY IMAP4 AUTH=CRAM-MD5 AUTH=X509-CLIENT-RSA AUTH=X509-CLIENT-DSS
S: A001 OK done
C: AOO2 AUTHENTICATE X509-CLIENT-DSS
S: +
C: AE31FF05.......==
S: + 13c3FF44.......==
S: AOO3 OK Welcome, authenticated user: CN=Joe Bloggs,O=Widget,C=GB
Editor's Note:
The ASN.1 values here are fake. A real example should be used
(perhaps include ASN.1 value notation), when one can be generated
from a prototype implementation.
9. Security Considerations
These algorithms are designed to be used for authentication where the
underlying transport service cannot guarantee confidentiality. These
mechanisms do not prevent an authenticated association from being
hijacked.
10. Acknowledgements
Design ideas included in this document are based on those from ITU and
ISO, and the IETF ASID Working Groups. Useful ideas were taken from a
note "X.500 Strong Authentication Mechanisms for LDAPv3" by Mark Wahl.
The contributions of individuals in these working groups, including
Harald Alvestrand (Maxware), Alexis Bor (Directory Works), William Cur-
tin (DISA), Bruce Greenblatt (RSA), Steve Hole (Esys), Tim Howes
(Netscape), John Myers (Netscape), Chris Newman (Innosoft), and Sean
Turner (IECA) are gratefully acknowledged.
Kille [Page 8]
Expires January 1999 IP X.509 SASL Authentication INTERNET DRAFT
11. Bibliography
[1] J. Meyers, "Simple Authentication and Security Layer", RFC 2222,
October 1997.
[2] M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access Protocol
(v3)", RFC 2252, December 1997.
[3] ITU-T Recommendation X.509 (1997) | ISO/IEC 9594-8:1997, Information
Technology - Open Systems Interconnection - The Directory: Authentica-
tion Framework.
[4] ITU-T Recommendation X.511 (1997) | ISO/IEC 9594-8:1997, Information
Technology - Open Systems Interconnection - The Directory: Abstract
Service Definition.
[5] S. Kille, M.Wahl, A. Grimstad, R. Huber, S. Sataluri, "Using Domains
in LDAP/X.500 Distinguished Names", RFC 2247, January 1998.
12. Author's Address
Steve Kille
Isode Ltd
The Dome, The Square
Richmond, Surrey,
TW9 1DT, UK
Phone: +44-181-332-9091
Email: S.Kille@isode.com
Kille [Page 9]