SASL-Simple authentication and security layer

Source: Internet
Author: User

Transferred from: http://blog.csdn.net/id19870510/article/details/8232509


SASL (Simple Authentication and Security Layer) is an authentication framework used to add authentication capability to client/server (C/S) protocols.

When you set up SASL, you have to decide on two things: the authentication mechanism, which governs how the "identity information" (the credentials) is exchanged, and the authentication scheme, which determines how the identity information is stored.

The SASL authentication mechanism specifies the challenge/response exchange between client and server and the encoding of what is transmitted; the SASL authentication scheme determines how the server itself stores the client's credentials and verifies the password the client presents.

If the client can successfully authenticate, the server can determine the user's identity and determine what permissions the user has.

The more common mechanisms:

4.1 Plain (more commonly used)

Plain is the simplest mechanism, but it is also the most dangerous one, because the credentials (login name and password) cross the network as a base64 string, which is an encoding rather than encryption and offers no protection at all. When you use the plain mechanism, you should therefore combine it with TLS.

4.2 Login

Login is not a formally supported mechanism, but some older MUAs (mail clients) use it, so Cyrus SASL lets you choose whether to support the login mechanism. If your users are still using such old-fashioned MUAs, you must include login support when compiling the SASL library. Login's credential exchange is similar to plain.

4.3 OTP

OTP is an authentication mechanism that uses a "one-time password". This mechanism provides no encryption protection because none is needed: each password can be used only once, and each login uses a new password. The SMTP client must be able to generate OTP credentials.

4.4 digest-md5 (more commonly used)

With this mechanism, the client and the server share the same secret password, and the password is never transmitted over the network. The exchange starts with a challenge from the server; the client combines the challenge with the secret password to compute a response. A different challenge yields a different response, and only a party holding the secret password can compute the correct response for a given challenge. The server therefore only needs to compare the response returned by the client with the one it has computed itself to know whether the client holds the correct password. Because the real password never crosses the network, it is not exposed to network sniffing.
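As an added illustration (not code from the original post), here is the challenge/response computation that DIGEST-MD5 actually uses (RFC 2831), run through a constructed exchange in which the server recomputes the client's response from its own copy of the secret; the user, realm, nonces and passwords are made-up sample values. DIGEST-MD5 has since been declared obsolete (RFC 6331) because of MD5's weaknesses, but it still shows the principle the paragraph describes.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, digest_uri: str, nc: str = "00000001",
                        qop: str = "auth", method: str = "AUTHENTICATE") -> str:
    """RFC 2831 response-value. The client uses method="AUTHENTICATE"; the
    server's final rspauth is the same computation with method=""."""
    # A1 starts with the *raw* 16-byte MD5 of user:realm:password, not its hex
    # form; a server only needs this hash, never the cleartext password.
    a1 = (_md5(f"{username}:{realm}:{password}".encode("utf-8"))
          + f":{nonce}:{cnonce}".encode("utf-8"))
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32          # integrity/confidentiality modes pad A2
    kd_input = f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2.encode('utf-8'))}"
    return _md5hex(kd_input.encode("utf-8"))


def run_exchange(client_password: str, server_password: str = "s3cret") -> Tuple[bool, Optional[str]]:
    """Simulate one DIGEST-MD5 exchange with constructed sample values.

    Returns (server accepted the client?, rspauth sent back, or None on failure).
    """
    realm, user, uri = "mail.example.com", "alice", "smtp/mail.example.com"
    nonce = "n0nce-from-server-9f3a"    # constructed: fresh server challenge per login
    cnonce = "cn0nce-from-client-17b2"  # constructed: client's own nonce
    # Client side: combine the challenge with its password to form the response.
    response = digest_md5_response(user, realm, client_password, nonce, cnonce, uri)
    # Server side: recompute from its own copy of the secret and compare in
    # constant time. Only a party holding the secret can produce a match.
    expected = digest_md5_response(user, realm, server_password, nonce, cnonce, uri)
    if not hmac.compare_digest(response, expected):
        return False, None
    # Mutual authentication: rspauth proves the server also holds the secret.
    rspauth = digest_md5_response(user, realm, server_password, nonce, cnonce, uri, method="")
    return True, rspauth
```

Note that the server must still hold the secret (or at least MD5(user:realm:password)), so a stolen server database is as damaging as with plain; the mechanism protects the wire, not the store.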

4.5 Kerberos

Kerberos is a network-based authentication protocol. Unless your network already uses Kerberos, you should not use the Kerberos mechanism; if your network already has a Kerberos authentication center (KDC), SASL can integrate SMTP authentication seamlessly into the existing system.

4.6 Anonymous

The anonymous mechanism makes no sense for SMTP, because the purpose of SMTP authentication is to restrict who may use the relay service, not to create an open relay; SASL provides this mechanism mainly to support other protocols.

When a client connects to a mail server that supports SASL, the server lists the available mechanisms for the client to choose from, in order of priority. If the client also supports several mechanisms and the first one fails to authenticate, the client may go on to try the next mechanism, until one succeeds or all of them fail. If the two sides cannot agree on a common mechanism at the outset, authentication fails.

Once both sides have agreed on which mechanism to use, the authentication exchange begins. The actual interaction varies with the mechanism, but usually consists of one or more challenge/response rounds. The authentication protocol itself also specifies the encoding of the reply content.

5. Summary

Digital certificates are issued in a cascade (chain) of certification, with a root CA at the top. The fundamental role of a digital certificate is to guarantee the integrity and authenticity of a public key. Roughly, authentication works as follows: the CA's public key is used to verify the certificate the CA issued and to extract the public key (of the user or institution) it contains; that public key is then used to verify the identity of the certificate holder (because whoever presents a certificate is not necessarily its owner).

From the analysis of SSL above, we can see that SSL does not prevent others from capturing the data you transmit; but because the data you transmit is encrypted, what they capture is useless to them, and so information security is protected. It is also worth stressing that SSL does not depend on TCP: it can be built on any reliable transport-layer protocol (such as TCP). This also means that SSL cannot be built on top of UDP. That is obvious: if the transport is unreliable and occasionally loses a packet or two or reorders packets, how could security be guaranteed?

SASL is a user authentication mechanism; you can simply think of it as the way a user's account/password is checked when logging into a system or using the system's services. DIGEST-MD5 is the mechanism generally used: with it, the password is not transmitted over the network, so there is no fear of it being sniffed.
