Simple Authentication and Security Layer (SASL) is aframework forauthentication anddata security in Internetprotocols. It decouples authentication mechanisms fromapplication protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also supportproxy authorization, a facility allowing one user to assume the identity of another. They can also provide adata security layer offeringdata integrity anddata confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also supportTransport Layer Security (TLS) to complement the services offered by SASL.

John Gardiner Myers wrote the original SASL specification (RFC 2222) in 1997. In 2006, that document was replaced by RFC 4422 authored by Alexey Melnikov and Kurt D. Zeilenga. SASL, as defined by RFC 4422 is anIETFStandard Track protocol and is, as of 2006^[update], aProposed Standard.

A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms^[1] include:

EXTERNAL

where authentication is implicit in the context (e.g., for protocols already usingIPsec orTLS)

ANONYMOUS

for unauthenticated guest access

PLAIN

a simplecleartextpassword mechanism, defined in RFC 4616

OTP

aone-time password mechanism. Obsoletes the SKEY mechanism.

SKEY

anS/KEY mechanism.

CRAM-MD5

a simple challenge-response scheme based onHMAC-MD5.

DIGEST-MD5

(historic^[2]), partiallyHTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offered a data security layer.

SCRAM

(RFC 5802), modern challenge-response scheme based mechanism with channel binding support

NTLM

an NT LAN Manager authentication mechanism

GS2-

family of mechanisms supports arbitraryGSS-API mechanisms in SASL.^[3] It is now standardized as RFC 5801.

GSSAPI

forKerberos V5 authentication via theGSSAPI. GSSAPI offers a data-security layer.

BROWSERID-AES128

forMozilla Persona authentication^[4]

EAP-AES128

for GSS EAP authentication^[5]

MSN Chat GateKeeper (& GateKeeperPassport)

a challenge-response mechanism developed byMicrosoft forMSN Chat

OAUTHBEARER

OAuth 2.0 bearer tokens (RFC 6750), communicated through TLS^[6]

OAUTH10A

OAuth 1.0a message-authentication-code tokens (RFC 5849, Section 3.4.2)^[6]

Application protocols define their representation of SASL exchanges with aprofile. A protocol has aservice name such as "ldap" in a registry shared withGSSAPI andKerberos.^[7]

As of 2012^[update] protocols currently supporting SASL include:

• Application Configuration Access Protocol
• Advanced Message Queuing Protocol (AMQP)
• Blocks Extensible Exchange Protocol
• Internet Message Access Protocol (IMAP)
• Internet Message Support Protocol
• Internet Relay Chat (IRC) (withIRCX or theIRCv3 SASL extension)
• Lightweight Directory Access Protocol (LDAP)
• libvirt
• ManageSieve (RFC 5804)
• memcached
• Post Office Protocol (POP)
• Remote framebuffer protocol^[8] used byVNC
• Simple Mail Transfer Protocol (SMTP)
• Subversionsvn protocol
• Extensible Messaging and Presence Protocol (XMPP)

• Transport Layer Security (TLS)

• RFC 4422 - Simple Authentication and Security Layer (SASL) - obsoletesRFC 2222
• RFC 4505 - Anonymous Simple Authentication and Security Layer (SASL) Mechanism - obsoletesRFC 2245
• RFC 4616 - The PLAIN Simple Authentication and Security Layer (SASL) Mechanism - updatesRFC 2595
• The IETFSASL Working Group, chartered to revise existing SASL specifications, as well as to develop a family of GSSAPI mechanisms
• Cyrus SASL, a free and portable SASL library providing generic security for various applications
• GNU SASL, a free and portable SASL command-line utility and library, distributed under theGNUGPLv3 andLGPLv2.1, respectively
• Dovecot SASL, an SASL implementation
• RFC 2831(historic) - Using Digest Authentication as a SASL Mechanism, obsoleted inRFC 6331
• Java SASL API Programming and Deployment Guide

• Cryptographic protocols
• Internet Standards
• Computer access control protocols

• Articles with short description
• Short description matches Wikidata
• Articles containing potentially dated statements from 2006
• All articles containing potentially dated statements
• Articles containing potentially dated statements from 2012