Simple Authentication and Security Layer

Simple Authentication and Security Layer (SASL) is a framework used by various Internet protocols for authentication. It was defined in October 1997 in RFC 2222, which was replaced by RFC 4422 in June 2006.

SASL gives an application protocol a standardized way of negotiating communication parameters. As a rule only an authentication mechanism is negotiated, but the two sides can also agree to switch first to an encrypted transport protocol such as TLS. The SASL implementations on the client and server sides agree on a mechanism, which the application can then use transparently. This standard makes developing secure application protocols considerably simpler: the developer only has to use an existing SASL implementation instead of implementing a complete scheme for authentication and data encryption.

SASL is used by, among others, SMTP, IMAP, POP3, LDAP, and XMPP.

SASL authentication mechanisms

The standardized mechanisms are listed in the IANA registry (see Related links). The following are the best-known mechanisms:

  • PLAIN: all data is exchanged in clear text (here TLS usually provides the necessary protection)
  • GSSAPI: itself a framework, offering for example Kerberos v5
  • CRAM-MD5: avoids transmitting the password in clear text
  • DIGEST-MD5: similar to CRAM-MD5, but with the option of negotiating additional parameters such as integrity protection
  • OTP: provides password verification without the server knowing the password
  • ANONYMOUS: the user can use the service without authentication
  • EXTERNAL: authentication takes place outside of SASL
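The following added example (not code from the article or from any SASL library) shows what the negotiation and two of the listed mechanisms look like on the wire. It covers the client's mechanism choice from the server's offered list (refusing PLAIN unless the transport is already encrypted, as the PLAIN entry above implies), the PLAIN message layout from RFC 4616 (authzid, authcid and password separated by NUL bytes, base64-encoded), and a CRAM-MD5 challenge/response round trip from RFC 2195 (HMAC-MD5 of the server's challenge keyed with the password, so the password itself never crosses the wire). The user store `USERS`, the hostname `example.invalid` and the credentials are constructed for the demo; note that CRAM-MD5 verification requires the server to hold the plaintext password (or an HMAC intermediate state derived from it), which is one reason it has fallen out of favour compared with TLS plus PLAIN or SCRAM.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo user store (assumption: plaintext passwords, as CRAM-MD5 needs them).
USERS = {"alice": "correct horse battery staple"}

# Client preference order, strongest first.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN"]


def choose_mechanism(server_offered, tls_active: bool):
    """Client side of the negotiation: pick the first preferred mechanism the
    server offers.  PLAIN is only acceptable once TLS protects the transport."""
    for mech in PREFERENCE:
        if mech in server_offered:
            if mech == "PLAIN" and not tls_active:
                continue
            return mech
    return None


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Build the PLAIN message (RFC 4616): authzid NUL authcid NUL passwd,
    base64-encoded as it would be sent inside a text protocol such as SMTP."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside PLAIN fields")
    message = f"{authzid}\x00{authcid}\x00{passwd}".encode("utf-8")
    return base64.b64encode(message)


def plain_verify(b64_response: bytes):
    """Server side: decode the PLAIN response and check it against the user store.
    Returns (success, effective authorization identity)."""
    raw = base64.b64decode(b64_response, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return False, ""
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    expected = USERS.get(authcid)
    if expected is None:
        return False, ""
    ok = hmac.compare_digest(expected.encode("utf-8"), passwd.encode("utf-8"))
    # An empty authzid means "act as the authenticated user".
    return ok, (authzid or authcid) if ok else ""


def cram_md5_challenge(hostname: str = "example.invalid") -> bytes:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id style."""
    nonce = secrets.token_hex(8)
    return base64.b64encode(f"<{nonce}@{hostname}>".encode("utf-8"))


def cram_md5_response(b64_challenge: bytes, username: str, passwd: str) -> bytes:
    """Client side: 'username' SP hex(HMAC-MD5(key=password, msg=challenge)), base64."""
    challenge = base64.b64decode(b64_challenge, validate=True)
    digest = hmac.new(passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8"))


def cram_md5_verify(b64_challenge: bytes, b64_response: bytes):
    """Server side: recompute the HMAC with the stored password and compare in
    constant time.  Returns (success, username)."""
    challenge = base64.b64decode(b64_challenge, validate=True)
    decoded = base64.b64decode(b64_response, validate=True).decode("utf-8")
    username, _, digest = decoded.rpartition(" ")
    stored = USERS.get(username)
    if stored is None:
        return False, ""
    expected = hmac.new(stored.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected, digest)
    return ok, username if ok else ""


if __name__ == "__main__":
    # Negotiation: server only offers PLAIN and CRAM-MD5, client is not yet on TLS.
    mech = choose_mechanism(["PLAIN", "CRAM-MD5"], tls_active=False)
    print("chosen mechanism:", mech)
    ch = cram_md5_challenge()
    resp = cram_md5_response(ch, "alice", USERS["alice"])
    print("CRAM-MD5 verified:", cram_md5_verify(ch, resp))
    print("PLAIN verified:", plain_verify(plain_initial_response("alice", USERS["alice"])))
```

Because the CRAM-MD5 response is bound to a specific challenge, replaying a captured response against a new challenge fails verification, which is the property the mechanism list attributes to it; PLAIN has no such binding, which is why it is normally only offered once TLS is active.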