The SecurID(r) SASL Mechanism (RFC2808)

IP.com Disclosure Number: IPCOM000003406D
Original Publication Date: 2000-Apr-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 9 page(s) / 19K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

M. Nystrom: AUTHOR

Abstract

SecurID is a hardware token card product (or software emulation thereof) produced by RSA Security Inc., which is used for end-user authentication. This document defines a SASL [RFC2222] authentication mechanism using these tokens, thereby providing a means for such tokens to be used in SASL environments. This mechanism is only for authentication, and has no effect on the protocol encoding and is not designed to provide integrity or confidentiality services.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 14% of the total text.

Network Working Group M. Nystrom

Request for Comments: 2808 RSA Laboratories

Category: Informational April 2000

The SecurID(r) SASL Mechanism

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

SecurID is a hardware token card product (or software emulation thereof) produced by RSA Security Inc., which is used for end-user authentication. This document defines a SASL [RFC2222] authentication mechanism using these tokens, thereby providing a means for such tokens to be used in SASL environments. This mechanism is only for authentication, and has no effect on the protocol encoding and is not designed to provide integrity or confidentiality services.

This memo assumes the reader has basic familiarity with the SecurID token, its associated authentication protocol and SASL.

How to read this document

The key words "MUST", "MUST NOT", "SHALL", "SHOULD" and "MAY" in this document are to be interpreted as defined in [RFC2119].

In examples, "C:" and "S:" indicate messages sent by the client and server respectively.

1. Introduction

The SECURID SASL mechanism is a good choice for usage scenarios where a client, acting on behalf of a user, is untrusted, as a one-time passcode will only give the client a single opportunity to act maliciously. This mechanism provides authentication only.

The SECURID SASL mechanism provides a formal way to integrate the existing SecurID authentication method into SASL-enabled protocols including IMAP [RFC2060], ACAP [RFC2244], POP3 [RFC1734] and LDAPv3 [RFC2251].

2. Authentication Model

The SECURID SASL mechanism provides two-factor based user authentication as defined below.

There are basically three entities in the authentication mechanism described here: a user, possessing a SecurID token, an application server, to which the user wants to connect, and an authentication server, capable of authenticating the user. Even though the application server in practice may function as a client with respect to the authentication server, relaying authentication credentials etc. as needed, both servers are, unless explicitly mentioned, collectively termed "the server" here. The protocol used between the application server and the authentication server is outside the scope of this memo. Th...
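The following is an added simulation of the three-party model from sections 1 and 2 (user with token, application server, authentication server), written for this page and not taken from RFC 2808 or from RSA. It shows the two properties the excerpt states: the passcode combines a PIN with a token code (two factors), and because the passcode is one-time, a client that captures it gets exactly one use, so a replay of the same passcode is refused. Everything below is an assumption of the example: the token code generator is a toy HMAC over a 60-second window (the real SecurID algorithm is proprietary and not reproduced here), the client response is laid out as three NUL-separated fields (authorization identity, authentication identity, passcode) as a simplification, and the protocol between the application server and the authentication server is a direct Python call, since the memo leaves that protocol out of scope.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

TOKEN_PERIOD = 60  # seconds per token-code window (constructed value)


class Token:
    """Stand-in for the user's SecurID token (constructed; not the real algorithm).

    Derives a 6-digit code from an HMAC over the current time window so that
    the code changes every TOKEN_PERIOD seconds.
    """

    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def window(self, now: float) -> int:
        return int(now) // TOKEN_PERIOD

    def code(self, now: float) -> str:
        msg = self.window(now).to_bytes(8, "big")
        mac = hmac.new(self.seed, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class AuthServer:
    """The authentication server: the only party that holds seeds and PINs."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[Token, str]] = {}
        # (authid, window, passcode) triples already accepted: a spent one-time passcode
        self.used: Set[Tuple[str, int, str]] = set()

    def register(self, authid: str, token: Token, pin: str) -> None:
        self.users[authid] = (token, pin)

    def verify(self, authid: str, passcode: str, now: float) -> bool:
        entry = self.users.get(authid)
        if entry is None:
            return False
        token, pin = entry
        # Two factors: the PIN (something known) followed by the token code (something held).
        expected = pin + token.code(now)
        if not hmac.compare_digest(expected.encode(), passcode.encode()):
            return False
        key = (authid, token.window(now), passcode)
        if key in self.used:
            return False  # replay: this one-time passcode has already been used
        self.used.add(key)
        return True


class AppServer:
    """The application server: parses the SASL client response and relays it."""

    def __init__(self, auth: AuthServer) -> None:
        self.auth = auth

    def authenticate(self, response: bytes, now: float) -> Optional[str]:
        """Return the identity the client is authorized as, or None on failure.

        Assumed layout (a simplification for this example):
            authzid NUL authid NUL passcode
        """
        parts = response.split(b"\x00")
        if len(parts) != 3:
            return None
        try:
            authzid, authid, passcode = (p.decode("utf-8") for p in parts)
        except UnicodeDecodeError:
            return None
        if not authid or not passcode:
            return None
        # No proxy-authorization policy in this example: the authorization
        # identity must be empty or equal to the authentication identity.
        if authzid and authzid != authid:
            return None
        if not self.auth.verify(authid, passcode, now):
            return None
        return authid


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed scenario: a valid login, a replay of the captured passcode, a wrong PIN."""
    auth = AuthServer()
    token = Token(seed=b"constructed-demo-seed")
    auth.register("alice", token, pin="1234")
    app = AppServer(auth)
    now = 1_000_000.0  # fixed clock so the run is deterministic
    good = b"\x00alice\x00" + ("1234" + token.code(now)).encode()
    bad_pin = b"\x00alice\x00" + ("9999" + token.code(now)).encode()
    first = app.authenticate(good, now)      # accepted
    replay = app.authenticate(good, now)     # same passcode again: refused
    wrong = app.authenticate(bad_pin, now)   # correct token code, wrong PIN: refused
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # → ('alice', None, None)
```

The replay check is what gives the "single opportunity" property the introduction relies on: an untrusted client that forwards a passcode once cannot forward it a second time, even within the same token window. A real deployment also has to handle clock drift between token and authentication server; the example deliberately accepts only the current window to keep the replay bookkeeping obvious.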