rfc2808.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 620 行 · 第 1/2 页
TXT
620 行
Network Working Group M. Nystrom
Request for Comments: 2808 RSA Laboratories
Category: Informational April 2000
The SecurID(r) SASL Mechanism
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
SecurID is a hardware token card product (or software emulation
thereof) produced by RSA Security Inc., which is used for end-user
authentication. This document defines a SASL [RFC2222] authentication
mechanism using these tokens, thereby providing a means for such
tokens to be used in SASL environments. This mechanism is only for
authentication, and has no effect on the protocol encoding and is not
designed to provide integrity or confidentiality services.
This memo assumes the reader has basic familiarity with the SecurID
token, its associated authentication protocol and SASL.
How to read this document
The key words "MUST", "MUST NOT", "SHALL", "SHOULD" and "MAY" in this
document are to be interpreted as defined in [RFC2119].
In examples, "C:" and "S:" indicate messages sent by the client and
server respectively.
1. Introduction
The SECURID SASL mechanism is a good choice for usage scenarios where
a client, acting on behalf of a user, is untrusted, as a one-time
passcode will only give the client a single opportunity to act
maliciously. This mechanism provides authentication only.
Nystrom Informational [Page 1]
RFC 2808 The SecurID(r) SASL Mechanism April 2000
The SECURID SASL mechanism provides a formal way to integrate the
existing SecurID authentication method into SASL-enabled protocols
including IMAP [RFC2060], ACAP [RFC2244], POP3 [RFC1734] and LDAPv3
[RFC2251].
2. Authentication Model
The SECURID SASL mechanism provides two-factor based user
authentication as defined below.
There are basically three entities in the authentication mechanism
described here: A user, possessing a SecurID token, an application
server, to which the user wants to connect, and an authentication
server, capable of authenticating the user. Even though the
application server in practice may function as a client with respect
to the authentication server, relaying authentication credentials
etc. as needed, both servers are, unless explicitly mentioned,
collectively termed "the server" here. The protocol used between the
application server and the authentication server is outside the scope
of this memo. The application client, acting on behalf of the user,
is termed "the client".
The mechanism is based on the use of a shared secret key, or "seed",
and a personal identification number (PIN), which is known both by
the user and the authentication server. The secret seed is stored on
a token that the user possesses, as well as on the authentication
server. Hence the term "two-factor authentication", a user needs not
only physical access to the token but also knowledge about the PIN in
order to perform an authentication. Given the seed, current time of
day, and the PIN, a "PASSCODE(r)" is generated by the user's token
and sent to the server.
The SECURID SASL mechanism provides one service:
- User authentication where the user provides information to the
server, so that the server can authenticate the user.
This mechanism is identified with the SASL key "SECURID".
3. Authentication Procedure
a) The client generates the credentials using local information
(seed, current time and user PIN/password).
Nystrom Informational [Page 2]
RFC 2808 The SecurID(r) SASL Mechanism April 2000
b) If the underlying protocol permits, the client sends credentials
to the server in an initial response message. Otherwise, the
client sends a request to the server to initiate the
authentication mechanism, and sends credentials after the server's
response (see [RFC2222] section 5.1 for more information regarding
the initial response option).
Unless the server requests a new PIN (see below), the contents of
the client's initial response SHALL be as follows:
(1) An authorization identity. When this field is empty, it
defaults to the authentication identity. This field MAY be used
by system administrators or proxy servers to login with a
different user identity. This field MUST NOT be longer than 255
octets, SHALL be terminated by a NUL (0) octet, and MUST consist
of UTF-8-encoded [RFC2279] printable characters only (US-ASCII
[X3.4] is a subset of UTF-8).
(2) An authentication identity. The identity whose passcode will
be used. If this field is empty, it is assumed to have been
transferred by other means (e.g. if the underlying protocol has
support for this, like [RFC2251]). This field MUST NOT be longer
than 255 octets, SHALL be terminated by a NUL (0) octet, and MUST
consist of UTF-8-encoded printable characters only.
(3) A passcode. The one-time password that will be used to grant
access. This field MUST NOT be shorter than 4 octets, MUST NOT be
longer than 32 octets, SHALL be terminated by a NUL (0) octet, and
MUST consist of UTF-8-encoded printable characters only.
Passcodes usually consist of 4-8 digits.
The ABNF [RFC2234] form of this message is as follows:
credential-pdu = authorization-id authentication-id passcode [pin]
authorization-id = 0*255VUTF8 %x00
authentication-id = 0*255VUTF8 %x00
passcode = 4*32VUTF8 %x00
pin ::= 4*32VUTF8 %x00
VUTF8 = <Visible (printable) UTF8-encoded characters>
Regarding the <pin> rule, see d) below.
Nystrom Informational [Page 3]
RFC 2808 The SecurID(r) SASL Mechanism April 2000
c) The server verifies these credentials using its own information.
If the verification succeeds, the server sends back a response
indicating success to the client. After receiving this response,
the client is authenticated. Otherwise, the verification either
failed or the server needs an additional set of credentials from
the client in order to authenticate the user.
d) If the server needs an additional set of credentials, it requests
them now. This request has the following format, described in ABNF
notation:
server-request = passcode | pin
passcode = "passcode" %x00
pin = "pin" %x00 [suggested-pin]
suggested-pin = 4*32VUTF8 %x00 ; Between 4 and 32 UTF-8 characters
The 'passcode' choice will be sent when the server requests
another passcode. The 'pin' choice will be sent when the server
requests a new user PIN. The server will either send an empty
string or suggest a new user PIN in this message.
e) The client generates a new set of credentials using local
information and depending on the server's request and sends them
to the server. Authentication now continues as in c) above.
Note 1: Case d) above may occur e.g. when the clocks on which the
server and the client relies are not synchronized.
Note 2: If the server requests a new user PIN, the client MUST
respond with a new user PIN (together with a passcode), encoded as a
UTF-8 string. If the server supplies the client with a suggested PIN,
the client accepts this by replying with the same PIN, but MAY
replace it with another one. The length of the PIN is application-
dependent as are any other requirements for the PIN, e.g. allowed
characters. If the server for some reason does not accept the
received PIN, the client MUST be prepared to receive either a message
indicating the failure of the authentication or a repeated request
for a new PIN. Mechanisms for transferring knowledge about PIN
requirements from the server to the client are outside the scope of
this memo. However, some information MAY be provided in error
messages transferred from the server to the client when applicable.
Nystrom Informational [Page 4]
RFC 2808 The SecurID(r) SASL Mechanism April 2000
4. Examples
4.1 IMAP4
The following example shows the use of the SECURID SASL mechanism
with IMAP4. The example is only designed to illustrate the protocol
interaction but do provide valid encoding examples.
The base64 encoding of the last client response, as well as the "+ "
preceding the response, is part of the IMAP4 profile, and not a part
of this specification itself.
S: * OK IMAP4 server ready
C: A001 CAPABILITY
S: * CAPABILITY IMAP4 AUTH=CRAM-MD5 AUTH=SECURID
S: A001 OK done
C: A002 AUTHENTICATE SECURID
S: +
C: AG1hZ251cwAxMjM0NTY3OAA=
S: A002 OK Welcome, SECURID authenticated user: magnus
4.2 LDAPv3
The following examples show the use of the SECURID SASL mechanism
with LDAPv3. The examples are only designed to illustrate the
protocol interaction, but do provide valid encoding examples.
Usernames, passcodes and PINs are of course fictitious. For
readability, all messages are shown in the value-notation defined in
[X680]. <credential-pdu> values are shown hex-encoded in the
'credentials' field of LDAP's 'BindRequest' and <server-request>
values are shown hex-encoded in the 'serverSaslCreds' field of LDAP's
'BindResponse'.
4.2.1 LDAPv3 Example 1
Initial response message, successful authentication.
C: { messageID 1,
protocolOp bindRequest :
{ version 1,
name '434E3D4D41474E5553'H, -- "CN=MAGNUS"
authentication sasl :
{ mechanism '53454355524944'H, -- "SECURID"
credentials '006d61676e757300313233343536373800'H
}
}
}
Nystrom Informational [Page 5]
RFC 2808 The SecurID(r) SASL Mechanism April 2000
S: { messageID 1,
protocolOp bindResponse :
{ resultCode success,
matchedDN ''H,
errorMessage ''H,
}
}
4.2.2 LDAPv3 Example 2
Initial response message, server requires second passcode.
C: {
messageID 1,
protocolOp bindRequest : {
version 1,
name '434E3D4D41474E5553'H, -- "CN=MAGNUS"
authentication sasl : {
mechanism '53454355524944'H, -- "SECURID"
credentials '006d61676e757300313233343536373800'H
}
}
}
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?