rfc2831.txt 56.8 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515






Network Working Group                                           P. Leach
Request for Comments: 2831                                     Microsoft
Category: Standards Track                                      C. Newman
                                                                Innosoft
                                                                May 2000


            Using Digest Authentication as a SASL Mechanism

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This specification defines how HTTP Digest Authentication [Digest]
   can be used as a SASL [RFC 2222] mechanism for any protocol that has
   a SASL profile. It is intended both as an improvement over CRAM-MD5
   [RFC 2195] and as a convenient way to support a single authentication
   mechanism for web, mail, LDAP, and other protocols.

Table of Contents

   1 INTRODUCTION.....................................................2
    1.1 CONVENTIONS AND NOTATION......................................2
    1.2 REQUIREMENTS..................................................3
   2 AUTHENTICATION...................................................3
    2.1 INITIAL AUTHENTICATION........................................3
     2.1.1 Step One...................................................3
     2.1.2 Step Two...................................................6
     2.1.3 Step Three................................................12
    2.2 SUBSEQUENT AUTHENTICATION....................................12
     2.2.1 Step one..................................................13
     2.2.2 Step Two..................................................13
    2.3 INTEGRITY PROTECTION.........................................13
    2.4 CONFIDENTIALITY PROTECTION...................................14
   3 SECURITY CONSIDERATIONS.........................................15
    3.1 AUTHENTICATION OF CLIENTS USING DIGEST AUTHENTICATION........15
    3.2 COMPARISON OF DIGEST WITH PLAINTEXT PASSWORDS................16
    3.3 REPLAY ATTACKS...............................................16



Leach & Newman              Standards Track                     [Page 1]

RFC 2831                 Digest SASL Mechanism                  May 2000


    3.4 ONLINE DICTIONARY ATTACKS....................................16
    3.5 OFFLINE DICTIONARY ATTACKS...................................16
    3.6 MAN IN THE MIDDLE............................................17
    3.7 CHOSEN PLAINTEXT ATTACKS.....................................17
    3.8 SPOOFING BY COUNTERFEIT SERVERS..............................17
    3.9 STORING PASSWORDS............................................17
    3.10 MULTIPLE REALMS.............................................18
    3.11 SUMMARY.....................................................18
   4 EXAMPLE.........................................................18
   5 REFERENCES......................................................20
   6 AUTHORS' ADDRESSES..............................................21
   7 ABNF............................................................21
    7.1 AUGMENTED BNF................................................21
    7.2 BASIC RULES..................................................23
   8 SAMPLE CODE.....................................................25
   9 FULL COPYRIGHT STATEMENT........................................27

1  Introduction

   This specification describes the use of HTTP Digest Access
   Authentication as a SASL mechanism. The authentication type
   associated with the Digest SASL mechanism is "DIGEST-MD5".

   This specification is intended to be upward compatible with the
   "md5-sess" algorithm of HTTP/1.1 Digest Access Authentication
   specified in [Digest]. The only difference in the "md5-sess"
   algorithm is that some directives not needed in a SASL mechanism have
   had their values defaulted.

   There is one new feature for use as a SASL mechanism: integrity
   protection on application protocol messages after an authentication
   exchange.

   Also, compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext
   attacks, and permits the use of third party authentication servers,
   mutual authentication, and optimized reauthentication if a client has
   recently authenticated to a server.

1.1  Conventions and Notation

   This specification uses the same ABNF notation and lexical
   conventions as HTTP/1.1 specification; see appendix A.

   Let { a, b, ... } be the concatenation of the octet strings a, b, ...

   Let H(s) be the 16 octet MD5 hash [RFC 1321] of the octet string s.





Leach & Newman              Standards Track                     [Page 2]

RFC 2831                 Digest SASL Mechanism                  May 2000


   Let KD(k, s) be H({k, ":", s}), i.e., the 16 octet hash of the string
   k, a colon and the string s.

   Let HEX(n) be the representation of the 16 octet MD5 hash n as a
   string of 32 hex digits (with alphabetic characters always in lower
   case, since MD5 is case sensitive).

   Let HMAC(k, s) be the 16 octet HMAC-MD5 [RFC 2104] of the octet
   string s using the octet string k as a key.

   The value of a quoted string constant as an octet string does not
   include any terminating null character.

1.2  Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC 2119].

   An implementation is not compliant if it fails to satisfy one or more
   of the MUST level requirements for the protocols it implements. An
   implementation that satisfies all the MUST level and all the SHOULD
   level requirements for its protocols is said to be "unconditionally
   compliant"; one that satisfies all the MUST level requirements but
   not all the SHOULD level requirements for its protocols is said to be
   "conditionally compliant."

2  Authentication

   The following sections describe how to use Digest as a SASL
   authentication mechanism.

2.1  Initial Authentication

   If the client has not recently authenticated to the server, then it
   must perform "initial authentication", as defined in this section. If
   it has recently authenticated, then a more efficient form is
   available, defined in the next section.

2.1.1  Step One

   The server starts by sending a challenge. The data encoded in the
   challenge contains a string formatted according to the rules for a
   "digest-challenge" defined as follows:







Leach & Newman              Standards Track                     [Page 3]

RFC 2831                 Digest SASL Mechanism                  May 2000


   digest-challenge  =
         1#( realm | nonce | qop-options | stale | maxbuf | charset
               algorithm | cipher-opts | auth-param )

        realm             = "realm" "=" <"> realm-value <">
        realm-value       = qdstr-val
        nonce             = "nonce" "=" <"> nonce-value <">
        nonce-value       = qdstr-val
        qop-options       = "qop" "=" <"> qop-list <">
        qop-list          = 1#qop-value
        qop-value         = "auth" | "auth-int" | "auth-conf" |
                             token
        stale             = "stale" "=" "true"
        maxbuf            = "maxbuf" "=" maxbuf-value
        maxbuf-value      = 1*DIGIT
        charset           = "charset" "=" "utf-8"
        algorithm         = "algorithm" "=" "md5-sess"
        cipher-opts       = "cipher" "=" <"> 1#cipher-value <">
        cipher-value      = "3des" | "des" | "rc4-40" | "rc4" |
                            "rc4-56" | token
        auth-param        = token "=" ( token | quoted-string )

   The meanings of the values of the directives used above are as
   follows:

   realm
      Mechanistically, a string which can enable users to know which
      username and password to use, in case they might have different
      ones for different servers. Conceptually, it is the name of a
      collection of accounts that might include the user's account. This
      string should contain at least the name of the host performing the
      authentication and might additionally indicate the collection of
      users who might have access. An example might be
      "registered_users@gotham.news.example.com".  This directive is
      optional; if not present, the client SHOULD solicit it from the
      user or be able to compute a default; a plausible default might be
      the realm supplied by the user when they logged in to the client
      system. Multiple realm directives are allowed, in which case the
      user or client must choose one as the realm for which to supply to
      username and password.

   nonce
      A server-specified data string which MUST be different each time a
      digest-challenge is sent as part of initial authentication.  It is
      recommended that this string be base64 or hexadecimal data. Note
      that since the string is passed as a quoted string, the
      double-quote character is not allowed unless escaped (see section
      7.2). The contents of the nonce are implementation dependent. The



Leach & Newman              Standards Track                     [Page 4]

RFC 2831                 Digest SASL Mechanism                  May 2000


      security of the implementation depends on a good choice. It is
      RECOMMENDED that it contain at least 64 bits of entropy. The nonce
      is opaque to the client. This directive is required and MUST
      appear exactly once; if not present, or if multiple instances are
      present, the client should abort the authentication exchange.

   qop-options
      A quoted string of one or more tokens indicating the "quality of
      protection" values supported by the server.  The value "auth"
      indicates authentication; the value "auth-int" indicates
      authentication with integrity protection; the value "auth-conf"
      indicates authentication with integrity protection and encryption.
      This directive is optional; if not present it defaults to "auth".
      The client MUST ignore unrecognized options; if the client
      recognizes no option, it should abort the authentication exchange.

   stale
      The "stale" directive is not used in initial authentication. See
      the next section for its use in subsequent authentications. This
      directive may appear at most once; if multiple instances are
      present, the client should abort the authentication exchange.

   maxbuf
      A number indicating the size of the largest buffer the server is
      able to receive when using "auth-int" or "auth-conf". If this
      directive is missing, the default value is 65536. This directive
      may appear at most once; if multiple instances are present, the
      client should abort the authentication exchange.

   charset
      This directive, if present, specifies that the server supports
      UTF-8 encoding for the username and password. If not present, the
      username and password must be encoded in ISO 8859-1 (of which
      US-ASCII is a subset). The directive is needed for backwards
      compatibility with HTTP Digest, which only supports ISO 8859-1.
      This directive may appear at most once; if multiple instances are
      present, the client should abort the authentication exchange.

   algorithm
      This directive is required for backwards compatibility with HTTP
      Digest., which supports other algorithms. . This directive is
      required and MUST appear exactly once; if not present, or if
      multiple instances are present, the client should abort the
      authentication exchange.







Leach & Newman              Standards Track                     [Page 5]

RFC 2831                 Digest SASL Mechanism                  May 2000


   cipher-opts
      A list of ciphers that the server supports. This directive must be
      present exactly once if "auth-conf" is offered in the
      "qop-options" directive, in which case the "3des" and "des" modes
      are mandatory-to-implement. The client MUST ignore unrecognized
      options; if the client recognizes no option, it should abort the
      authentication exchange.

      des
         the Data Encryption Standard (DES) cipher [FIPS] in cipher
         block chaining (CBC) mode with a 56 bit key.

      3des
         the "triple DES" cipher in CBC mode with EDE with the same key
         for each E stage (aka "two keys mode") for a total key length
         of 112 bits.

      rc4, rc4-40, rc4-56
         the RC4 cipher with a 128 bit, 40 bit, and 56 bit key,
         respectively.

   auth-param This construct allows for future extensions; it may appear
      more than once. The client MUST ignore any unrecognized
      directives.

   For use as a SASL mechanism, note that the following changes are made
   to "digest-challenge" from HTTP: the following Digest options (called
   "directives" in HTTP terminology) are unused (i.e., MUST NOT be sent,
   and MUST be ignored if received):

    opaque
    domain

   The size of a digest-challenge MUST be less than 2048 bytes.

2.1.2  Step Two

   The client makes note of the "digest-challenge" and then responds
   with a string formatted and computed according to the rules for a
   "digest-response" defined as follows:











Leach & Newman              Standards Track                     [Page 6]

RFC 2831                 Digest SASL Mechanism                  May 2000


   digest-response  = 1#( username | realm | nonce | cnonce |
                          nonce-count | qop | digest-uri | response |
                          maxbuf | charset | cipher | authzid |
                          auth-param )

       username         = "username" "=" <"> username-value <">
       username-value   = qdstr-val
       cnonce           = "cnonce" "=" <"> cnonce-value <">
       cnonce-value     = qdstr-val
       nonce-count      = "nc" "=" nc-value
       nc-value         = 8LHEX
       qop              = "qop" "=" qop-value
       digest-uri       = "digest-uri" "=" <"> digest-uri-value <">
       digest-uri-value  = serv-type "/" host [ "/" serv-name ]
       serv-type        = 1*ALPHA
       host             = 1*( ALPHA | DIGIT | "-" | "." )
       serv-name        = host
       response         = "response" "=" response-value
       response-value   = 32LHEX
       LHEX             = "0" | "1" | "2" | "3" |
                          "4" | "5" | "6" | "7" |
                          "8" | "9" | "a" | "b" |
                          "c" | "d" | "e" | "f"
       cipher           = "cipher" "=" cipher-value
       authzid          = "authzid" "=" <"> authzid-value <">
       authzid-value    = qdstr-val


   username
      The user's name in the specified realm, encoded according to the
      value of the "charset" directive. This directive is required and
      MUST be present exactly once; otherwise, authentication fails.

   realm
      The realm containing the user's account. This directive is
      required if the server provided any realms in the
      "digest-challenge", in which case it may appear exactly once and
      its value SHOULD be one of those realms. If the directive is
      missing, "realm-value" will set to the empty string when computing
      A1 (see below for details).

   nonce
      The server-specified data string received in the preceding
      digest-challenge. This directive is required and MUST be present
      exactly once; otherwise, authentication fails.






Leach & Newman              Standards Track                     [Page 7]

RFC 2831                 Digest SASL Mechanism                  May 2000


   cnonce
      A client-specified data string which MUST be different each time a
      digest-response is sent as part of initial authentication. The
      cnonce-value is an opaque quoted string value provided by the
      client and used by both client and server to avoid chosen
      plaintext attacks, and to provide mutual authentication. The
      security of the implementation depends on a good choice. It is
      RECOMMENDED that it contain at least 64 bits of entropy. This
      directive is required and MUST be present exactly once; otherwise,
      authentication fails.

   nonce-count
      The nc-value is the hexadecimal count of the number of requests
      (including the current request) that the client has sent with the
      nonce value in this request.  For example, in the first request
      sent in response to a given nonce value, the client sends
      "nc=00000001". The purpose of this directive is to allow the
      server to detect request replays by maintaining its own copy of
      this count - if the same nc-value is seen twice, then the request
      is a replay.   See the description below of the construction of
      the response value. This directive may appear at most once; if
      multiple instances are present, the client should abort the
      authentication exchange.

   qop
      Indicates what "quality of protection" the client accepted. If
      present, it may appear exactly once and  its value MUST be one of
      the alternatives in qop-options. If not present, it defaults to
      "auth". These values affect the computation of the response. Note
      that this is a single token, not a quoted list of alternatives.

   serv-type
      Indicates the type of service, such as "www" for web service,
      "ftp" for FTP service, "smtp" for mail delivery service, etc. The
      service name as defined in the SASL profile for the protocol see
      section 4 of [RFC 2222], registered in the IANA registry of
      "service" elements for the GSSAPI host-based service name form
      [RFC 2078].

   host
      The DNS host name or IP address for the service requested.  The
      DNS host name must be the fully-qualified canonical name of the
      host. The DNS host name is the preferred form; see notes on server
      processing of the digest-uri.







Leach & Newman              Standards Track                     [Page 8]

RFC 2831                 Digest SASL Mechanism                  May 2000


   serv-name
      Indicates the name of the service if it is replicated. The service
      is considered to be replicated if the client's service-location
      process involves resolution using standard DNS lookup operations,
      and if these operations involve DNS records (such as SRV, or MX)
      which resolve one DNS name into a set of other DNS names. In this
      case, the initial name used by the client is the "serv-name", and
      the final name is the "host" component. For example, the incoming
      mail service for "example.com" may be replicated through the use
      of MX records stored in the DNS, one of which points at an SMTP
      server called "mail3.example.com"; it's "serv-name" would be
      "example.com", it's "host" would be "mail3.example.com". If the
      service is not replicated, or the serv-name is identical to the
      host, then the serv-name component MUST be omitted.

   digest-uri
      Indicates the principal name of the service with which the client
      wishes to connect, formed from the serv-type, host, and serv-name.
      For example, the FTP service on "ftp.example.com" would have a
      "digest-uri" value of "ftp/ftp.example.com"; the SMTP server from
      the example above would have a "digest-uri" value of
      "smtp/mail3.example.com/example.com".

   Servers SHOULD check that the supplied value is correct. This will
   detect accidental connection to the incorrect server. It is also so
   that clients will be trained to provide values that will work with
   implementations that use a shared back-end authentication service
   that can provide server authentication.

   The serv-type component should match the service being offered. The
   host component should match one of the host names of the host on
   which the service is running, or it's IP address. Servers SHOULD NOT
   normally support the IP address form, because server authentication
   by IP address is not very useful; they should only do so if the DNS
   is unavailable or unreliable. The serv-name component should match
   one of the service's configured service names.

   This directive may appear at most once; if multiple instances are
   present, the client should abort the authentication exchange.

   Note: In the HTTP use of Digest authentication, the digest-uri is the
   URI (usually a URL) of the resource requested -- hence the name of
   the directive.

   response
      A string of 32 hex digits computed as defined below, which proves
      that the user knows a password. This directive is required and
      MUST be present exactly once; otherwise, authentication fails.



Leach & Newman              Standards Track                     [Page 9]

RFC 2831                 Digest SASL Mechanism                  May 2000


   maxbuf
      A number indicating the size of the largest buffer the client is
      able to receive. If this directive is missing, the default value
      is 65536. This directive may appear at most once; if multiple
      instances are present, the server should abort the authentication
      exchange.

   charset
      This directive, if present, specifies that the client has used
      UTF-8 encoding for the username and password. If not present, the
      username and password must be encoded in ISO 8859-1 (of which
      US-ASCII is a subset). The client should send this directive only
      if the server has indicated it supports UTF-8. The directive is
      needed for backwards compatibility with HTTP Digest, which only
      supports ISO 8859-1.

   LHEX
      32 hex digits, where the alphabetic characters MUST be lower case,
      because MD5 is not case insensitive.

   cipher
      The cipher chosen by the client. This directive MUST appear
      exactly once if "auth-conf" is negotiated; if required and not
      present, authentication fails.

   authzid
      The "authorization ID" as per RFC 2222, encoded in UTF-8. This
      directive is optional. If present, and the authenticating user has
      sufficient privilege, and the server supports it, then after
      authentication the server will use this identity for making all
      accesses and access checks. If the client specifies it, and the
      server does not support it, then the response-value will be
      incorrect, and authentication will fail.

   The size of a digest-response MUST be less than 4096 bytes.

2.1.2.1   Response-value

   The definition of "response-value" above indicates the encoding for
   its value -- 32 lower case hex characters. The following definitions
   show how the value is computed.

   Although qop-value and components of digest-uri-value may be
   case-insensitive, the case which the client supplies in step two is
   preserved for the purpose of computing and verifying the
   response-value.

      response-value  =



Leach & Newman              Standards Track                    [Page 10]

RFC 2831                 Digest SASL Mechanism                  May 2000


         HEX( KD ( HEX(H(A1)),
                 { nonce-value, ":" nc-value, ":",
                   cnonce-value, ":", qop-value, ":", HEX(H(A2)) }))

   If authzid is specified, then A1 is


      A1 = { H( { username-value, ":", realm-value, ":", passwd } ),
           ":", nonce-value, ":", cnonce-value, ":", authzid-value }

   If authzid is not specified, then A1 is


      A1 = { H( { username-value, ":", realm-value, ":", passwd } ),
           ":", nonce-value, ":", cnonce-value }

   where

         passwd   = *OCTET

   The "username-value", "realm-value" and "passwd" are encoded
   according to the value of the "charset" directive. If "charset=UTF-8"
   is present, and all the characters of either "username-value" or
   "passwd" are in the ISO 8859-1 character set, then it must be
   converted to ISO 8859-1 before being hashed. This is so that
   authentication databases that store the hashed username, realm and
   password (which is common) can be shared compatibly with HTTP, which
   specifies ISO 8859-1. A sample implementation of this conversion is
   in section 8.

   If the "qop" directive's value is "auth", then A2 is:

      A2       = { "AUTHENTICATE:", digest-uri-value }

   If the "qop" value is "auth-int" or "auth-conf" then A2 is:

      A2       = { "AUTHENTICATE:", digest-uri-value,
               ":00000000000000000000000000000000" }

   Note that "AUTHENTICATE:" must be in upper case, and the second
   string constant is a string with a colon followed by 32 zeros.

   These apparently strange values of A2 are for compatibility with
   HTTP; they were arrived at by setting "Method" to "AUTHENTICATE" and
   the hash of the entity body to zero in the HTTP digest calculation of
   A2.

   Also, in the HTTP usage of Digest, several directives in the



Leach & Newman              Standards Track                    [Page 11]

RFC 2831                 Digest SASL Mechanism                  May 2000


   "digest-challenge" sent by the server have to be returned by the
   client in the "digest-response". These are:

    opaque
    algorithm

   These directives are not needed when Digest is used as a SASL
   mechanism (i.e., MUST NOT be sent, and MUST be ignored if received).

2.1.3  Step Three

   The server receives and validates the "digest-response". The server
   checks that the nonce-count is "00000001". If it supports subsequent
   authentication (see section 2.2), it saves the value of the nonce and
   the nonce-count. It sends a message formatted as follows:

    response-auth = "rspauth" "=" response-value

   where response-value is calculated as above, using the values sent in
   step two, except that if qop is "auth", then A2 is

       A2 = { ":", digest-uri-value }

   And if qop is "auth-int" or "auth-conf" then A2 is

       A2 = { ":", digest-uri-value, ":00000000000000000000000000000000" }

   Compared to its use in HTTP, the following Digest directives in the
   "digest-response" are unused:

       nextnonce
       qop
       cnonce
       nonce-count

2.2  Subsequent Authentication

   If the client has previously authenticated to the server, and
   remembers the values of username, realm, nonce, nonce-count, cnonce,
   and qop that it used in that authentication, and the SASL profile for
   a protocol permits an initial client response, then it MAY perform
   "subsequent authentication", as defined in this section.









Leach & Newman              Standards Track                    [Page 12]

RFC 2831                 Digest SASL Mechanism                  May 2000


2.2.1  Step one

   The client uses the values from the previous authentication and sends
   an initial response with a string formatted and computed according to
   the rules for a "digest-response", as defined above, but with a
   nonce-count one greater than used in the last "digest-response".

2.2.2  Step Two

   The server receives the "digest-response". If the server does not
   support subsequent authentication, then it sends a
   "digest-challenge", and authentication proceeds as in initial
   authentication. If the server has no saved nonce and nonce-count from
   a previous authentication, then it sends a "digest-challenge", and
   authentication proceeds as in initial authentication. Otherwise, the
   server validates the "digest-response", checks that the nonce-count
   is one greater than that used in the previous authentication using
   that nonce, and saves the new value of nonce-count.

   If the response is invalid, then the server sends a
   "digest-challenge", and authentication proceeds as in initial
   authentication (and should be configurable to log an authentication
   failure in some sort of security audit log, since the failure may be
   a symptom of an attack). The nonce-count MUST NOT be incremented in
   this case: to do so would allow a denial of service attack by sending
   an out-of-order nonce-count.

   If the response is valid, the server MAY choose to deem that
   authentication has succeeded. However, if it has been too long since
   the previous authentication, or for any other reason, the server MAY
   send a new "digest-challenge" with a new value for nonce. The
   challenge MAY contain a "stale" directive with value "true", which
   says that the client may respond to the challenge using the password
   it used in the previous response; otherwise, the client must solicit
   the password anew from the user. This permits the server to make sure
   that the user has presented their password recently. (The directive
   name refers to the previous nonce being stale, not to the last use of
   the password.) Except for the handling of "stale", after sending the
   "digest-challenge" authentication proceeds as in the case of initial
   authentication.

2.3   Integrity Protection

   If the server offered "qop=auth-int" and the client responded
   "qop=auth-int", then subsequent messages, up to but not including the
   next subsequent authentication, between the client and the server





Leach & Newman              Standards Track                    [Page 13]

RFC 2831                 Digest SASL Mechanism                  May 2000


   MUST be integrity protected. Using as a base session key the value of
   H(A1) as defined above the client and server calculate a pair of
   message integrity keys as follows.

   The key for integrity protecting messages from client to server is:

   Kic = MD5({H(A1),
   "Digest session key to client-to-server signing key magic constant"})

   The key for integrity protecting messages from server to client is:

   Kis = MD5({H(A1),
   "Digest session key to server-to-client signing key magic constant"})

   where MD5 is as specified in [RFC 1321]. If message integrity is
   negotiated, a MAC block for each message is appended to the message.
   The MAC block is 16 bytes: the first 10 bytes of the HMAC-MD5 [RFC
   2104] of the message, a 2-byte message type number in network byte
   order with value 1, and the 4-byte sequence number in network byte
   order. The message type is to allow for future extensions such as
   rekeying.

   MAC(Ki, SeqNum, msg) = (HMAC(Ki, {SeqNum, msg})[0..9], 0x0001,
   SeqNum)

   where Ki is Kic for messages sent by the client and Kis for those
   sent by the server. The sequence number is initialized to zero, and
   incremented by one for each message sent.

   Upon receipt, MAC(Ki, SeqNum, msg) is computed and compared with the
   received value; the message is discarded if they differ.

2.4   Confidentiality Protection

   If the server sent a "cipher-opts" directive and the client responded
   with a "cipher" directive, then subsequent messages between the
   client and the server MUST be confidentiality protected. Using as a
   base session key the value of H(A1) as defined above the client and
   server calculate a pair of message integrity keys as follows.

   The key for confidentiality protecting messages from client to server
   is:

   Kcc = MD5({H(A1)[0..n],
   "Digest H(A1) to client-to-server sealing key magic constant"})

   The key for confidentiality protecting messages from server to client
   is:



Leach & Newman              Standards Track                    [Page 14]

RFC 2831                 Digest SASL Mechanism                  May 2000


   Kcs = MD5({H(A1)[0..n],
   "Digest H(A1) to server-to-client sealing key magic constant"})

   where MD5 is as specified in [RFC 1321]. For cipher "rc4-40" n is 5;
   for "rc4-56" n is 7; for the rest n is 16. The key for the "rc-*"
   ciphers is all 16 bytes of Kcc or Kcs; the key for "des" is the first
   7 bytes; the key for "3des" is the first 14 bytes. The IV for "des"
   and "3des" is the last 8 bytes of Kcc or Kcs.

   If message confidentiality is negotiated, each message is encrypted
   with the chosen cipher and a MAC block is appended to the message.

   The MAC block is a variable length padding prefix followed by 16
   bytes formatted as follows: the first 10 bytes of the HMAC-MD5 [RFC
   2104] of the message, a 2-byte message type number in network byte
   order with value 1, and the 4-byte sequence number in network byte
   order. If the blocksize of the chosen cipher is not 1 byte, the
   padding prefix is one or more octets each containing the number of
   padding bytes, such that total length of the encrypted part of the
   message is a multiple of the blocksize. The padding and first 10
   bytes of the MAC block are encrypted along with the message.

   SEAL(Ki, Kc, SeqNum, msg) =
         {CIPHER(Kc, {msg, pad, HMAC(Ki, {SeqNum, msg})[0..9])}), 0x0001,
          SeqNum}

   where CIPHER is the chosen cipher, Ki and Kc are Kic and Kcc for
   messages sent by the client and Kis and Kcs for those sent by the
   server. The sequence number is initialized to zero, and incremented
   by one for each message sent.

   Upon receipt, the message is decrypted, HMAC(Ki, {SeqNum, msg}) is
   computed and compared with the received value; the message is
   discarded if they differ.

3  Security Considerations

3.1   Authentication of Clients using Digest Authentication

   Digest Authentication does not provide a strong authentication
   mechanism, when compared to public key based mechanisms, for example.
   However, since it prevents chosen plaintext attacks, it is stronger
   than (e.g.) CRAM-MD5, which has been proposed for use with LDAP [10],
   POP and IMAP (see RFC 2195 [9]).   It is intended to replace the much
   weaker and even more dangerous use of plaintext passwords; however,
   since it is still a password based mechanism it avoids some of the
   potential deployabilty issues with public-key, OTP or similar
   mechanisms.



Leach & Newman              Standards Track                    [Page 15]

RFC 2831                 Digest SASL Mechanism                  May 2000


   Digest Authentication offers no confidentiality protection beyond
   protecting the actual password. All of the rest of the challenge and
   response are available to an eavesdropper, including the user's name
   and authentication realm.

3.2   Comparison of Digest with Plaintext Passwords

   The greatest threat to the type of transactions for which these
   protocols are used is network snooping. This kind of transaction
   might involve, for example, online access to a mail service whose use
   is restricted to paying subscribers. With plaintext password
   authentication an eavesdropper can obtain the password of the user.
   This not only permits him to access anything in the database, but,
   often worse, will permit access to anything else the user protects
   with the same password.

3.3   Replay Attacks

   Replay attacks are defeated if the client or the server chooses a
   fresh nonce for each authentication, as this specification requires.

3.4  Online dictionary attacks

   If the attacker can eavesdrop, then it can test any overheard
   nonce/response pairs against a (potentially very large) list of
   common words. Such a list is usually much smaller than the total
   number of possible passwords. The cost of computing the response for
   each password on the list is paid once for each challenge.

   The server can mitigate this attack by not allowing users to select
   passwords that are in a dictionary.

3.5  Offline dictionary attacks

   If the attacker can choose the challenge, then it can precompute the
   possible responses to that challenge for a list of common words. Such
   a list is usually much smaller than the total number of possible
   passwords. The cost of computing the response for each password on
   the list is paid just once.

   Offline dictionary attacks are defeated if the client chooses a fresh
   nonce for each authentication, as this specification requires.









Leach & Newman              Standards Track                    [Page 16]

RFC 2831                 Digest SASL Mechanism                  May 2000


3.6  Man in the Middle

   Digest authentication is vulnerable to "man in the middle" (MITM)
   attacks. Clearly, a MITM would present all the problems of
   eavesdropping. But it also offers some additional opportunities to
   the attacker.

   A possible man-in-the-middle attack would be to substitute a weaker
   qop scheme for the one(s) sent by the server; the server will not be
   able to detect this attack. For this reason, the client should always
   use the strongest scheme that it understands from the choices
   offered, and should never choose a scheme that does not meet its
   minimum requirements.

3.7  Chosen plaintext attacks

   A chosen plaintext attack is where a MITM or a malicious server can
   arbitrarily choose the challenge that the client will use to compute
   the response. The ability to choose the challenge is known to make
   cryptanalysis much easier [8].

   However, Digest does not permit the attack to choose the challenge as
   long as the client chooses a fresh nonce for each authentication, as
   this specification requires.

3.8  Spoofing by Counterfeit Servers

   If a user can be led to believe that she is connecting to a host
   containing information protected by a password she knows, when in
   fact she is connecting to a hostile server, then the hostile server
   can obtain challenge/response pairs where it was able to partly
   choose the challenge. There is no known way that this can be
   exploited.

3.9  Storing passwords

   Digest authentication requires that the authenticating agent (usually
   the server) store some data derived from the user's name and password
   in a "password file" associated with a given realm. Normally this
   might contain pairs consisting of username and H({ username-value,
   ":", realm-value, ":", passwd }), which is adequate to compute H(A1)
   as described above without directly exposing the user's password.

   The security implications of this are that if this password file is
   compromised, then an attacker gains immediate access to documents on
   the server using this realm. Unlike, say a standard UNIX password
   file, this information need not be decrypted in order to access
   documents in the server realm associated with this file. On the other



Leach & Newman              Standards Track                    [Page 17]

RFC 2831                 Digest SASL Mechanism                  May 2000


   hand, decryption, or more likely a brute force attack, would be
   necessary to obtain the user's password. This is the reason that the
   realm is part of the digested data stored in the password file. It
   means that if one Digest authentication password file is compromised,
   it does not automatically compromise others with the same username
   and password (though it does expose them to brute force attack).

   There are two important security consequences of this. First the
   password file must be protected as if it contained plaintext
   passwords, because for the purpose of accessing documents in its
   realm, it effectively does.

   A second consequence of this is that the realm string should be
   unique among all realms that any single user is likely to use. In
   particular a realm string should include the name of the host doing
   the authentication.

3.10  Multiple realms

   Use of multiple realms may mean both that compromise of a the
   security database for a single realm does not compromise all
   security, and that there are more things to protect in order to keep
   the whole system secure.

3.11  Summary

   By modern cryptographic standards Digest Authentication is weak,
   compared to (say) public key based mechanisms. But for a large range
   of purposes it is valuable as a replacement for plaintext passwords.
   Its strength may vary depending on the implementation.

4  Example

   This example shows the use of the Digest SASL mechanism with the
   IMAP4 AUTHENTICATE command [RFC 2060].

   In this example, "C:" and "S:" represent a line sent by the client or
   server respectively including a CRLF at the end.  Linebreaks and
   indentation within a "C:" or "S:" are editorial and not part of the
   protocol. The password in this example was "secret".  Note that the
   base64 encoding of the challenges and responses is part of the IMAP4
   AUTHENTICATE command, not part of the Digest specification itself.

    S: * OK elwood.innosoft.com PMDF IMAP4rev1 V6.0-9
    C: c CAPABILITY
    S: * CAPABILITY IMAP4 IMAP4rev1 ACL LITERAL+ NAMESPACE QUOTA
                UIDPLUS AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=PLAIN
    S: c OK Completed



Leach & Newman              Standards Track                    [Page 18]

RFC 2831                 Digest SASL Mechanism                  May 2000


    C: a AUTHENTICATE DIGEST-MD5
    S: + cmVhbG09ImVsd29vZC5pbm5vc29mdC5jb20iLG5vbmNlPSJPQTZNRzl0
         RVFHbTJoaCIscW9wPSJhdXRoIixhbGdvcml0aG09bWQ1LXNlc3MsY2hh
         cnNldD11dGYtOA==
    C: Y2hhcnNldD11dGYtOCx1c2VybmFtZT0iY2hyaXMiLHJlYWxtPSJlbHdvb2
       QuaW5ub3NvZnQuY29tIixub25jZT0iT0E2TUc5dEVRR20yaGgiLG5jPTAw
       MDAwMDAxLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLGRpZ2VzdC11cmk9Im
       ltYXAvZWx3b29kLmlubm9zb2Z0LmNvbSIscmVzcG9uc2U9ZDM4OGRhZDkw
       ZDRiYmQ3NjBhMTUyMzIxZjIxNDNhZjcscW9wPWF1dGg=
    S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
    C:
    S: a OK User logged in
    ---

    The base64-decoded version of the SASL exchange is:

    S: realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
       algorithm=md5-sess,charset=utf-8
    C: charset=utf-8,username="chris",realm="elwood.innosoft.com",
       nonce="OA6MG9tEQGm2hh",nc=00000001,cnonce="OA6MHXh6VqTrRk",
       digest-uri="imap/elwood.innosoft.com",
       response=d388dad90d4bbd760a152321f2143af7,qop=auth
    S: rspauth=ea40f60335c427b5527b84dbabcdfffd

    The password in this example was "secret".

   This example shows the use of the Digest SASL mechanism with the
   ACAP, using the same notational conventions and password as in the
   previous example. Note that ACAP does not base64 encode and uses
   fewer round trips that IMAP4.

    S: * ACAP (IMPLEMENTATION "Test ACAP server") (SASL "CRAM-MD5"
               "DIGEST-MD5" "PLAIN")
    C: a AUTHENTICATE "DIGEST-MD5"
    S: + {94}
    S: realm="elwood.innosoft.com",nonce="OA9BSXrbuRhWay",qop="auth",
       algorithm=md5-sess,charset=utf-8
    C: {206}
    C: charset=utf-8,username="chris",realm="elwood.innosoft.com",
       nonce="OA9BSXrbuRhWay",nc=00000001,cnonce="OA9BSuZWMSpW8m",
       digest-uri="acap/elwood.innosoft.com",
       response=6084c6db3fede7352c551284490fd0fc,qop=auth
    S: a OK (SASL {40}
    S: rspauth=2f0b3d7c3c2e486600ef710726aa2eae) "AUTHENTICATE
    Completed"
    ---





Leach & Newman              Standards Track                    [Page 19]

RFC 2831                 Digest SASL Mechanism                  May 2000


   The server uses the values of all the directives, plus knowledge of
   the users password (or the hash of the user's name, server's realm
   and the user's password) to verify the computations above. If they
   check, then the user has authenticated.

5   References

   [Digest]   Franks, J., et al., "HTTP Authentication: Basic and Digest
              Access Authentication", RFC 2617, June 1999.

   [ISO-8859] ISO-8859. International Standard--Information Processing--
              8-bit Single-Byte Coded Graphic Character Sets --
              Part 1: Latin alphabet No. 1, ISO-8859-1:1987.
              Part 2: Latin alphabet No. 2, ISO-8859-2, 1987.
              Part 3: Latin alphabet No. 3, ISO-8859-3, 1988.
              Part 4: Latin alphabet No. 4, ISO-8859-4, 1988.
              Part 5: Latin/Cyrillic alphabet, ISO-8859-5, 1988.
              Part 6: Latin/Arabic alphabet, ISO-8859-6, 1987.
              Part 7: Latin/Greek alphabet, ISO-8859-7, 1987.
              Part 8: Latin/Hebrew alphabet, ISO-8859-8, 1988.
              Part 9: Latin alphabet No. 5, ISO-8859-9, 1990.

   [RFC 822]  Crocker, D., "Standard for The Format of ARPA Internet
              Text Messages," STD 11, RFC 822, August 1982.

   [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
              April 1992.

   [RFC 2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions)
              Part Three: Message Header Extensions for Non-ASCII Text",
              RFC 2047, November 1996.

   [RFC 2052] Gulbrandsen, A. and P. Vixie, "A DNS RR for specifying the
              location of services (DNS SRV)", RFC 2052, October 1996.

   [RFC 2060] Crispin, M., "Internet Message Access Protocol - Version
              4rev1", RFC 2060, December 1996.

   [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:  Keyed-
              Hashing for  Message Authentication", RFC 2104, February
              1997.

   [RFC 2195] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
              AUTHorize Extension for Simple Challenge/Response", RFC
              2195, September 1997.






Leach & Newman              Standards Track                    [Page 20]

RFC 2831                 Digest SASL Mechanism                  May 2000


   [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC 2222] Myers, J., "Simple Authentication and Security Layer
              (SASL)", RFC 2222, October 1997.

   [USASCII]  US-ASCII. Coded Character Set - 7-Bit American Standard
              Code for Information Interchange. Standard ANSI X3.4-1986,
              ANSI, 1986.

6  Authors' Addresses

   Paul Leach
   Microsoft
   1 Microsoft Way
   Redmond, WA  98052

   EMail: paulle@microsoft.com


   Chris Newman
   Innosoft International, Inc.
   1050 Lakes Drive
   West Covina, CA 91790 USA

   EMail: chris.newman@innosoft.com

7  ABNF

   What follows is the definition of the notation as is used in the
   HTTP/1.1 specification (RFC 2616) and the HTTP authentication
   specification (RFC 2617); it is reproduced here for ease of
   reference. Since it is intended that a single Digest implementation
   can support both HTTP and SASL-based protocols, the same notation is
   used in both to facilitate comparison and prevention of unwanted
   differences. Since it is cut-and-paste from the HTTP specifications,
   not all productions may be used in this specification. It is also not
   quite legal ABNF; again, the errors were copied from the HTTP
   specifications.

7.1   Augmented BNF

   All of the mechanisms specified in this document are described in
   both prose and an augmented Backus-Naur Form (BNF) similar to that
   used by RFC 822 [RFC 822]. Implementers will need to be familiar with
   the notation in order to understand this specification.





Leach & Newman              Standards Track                    [Page 21]

RFC 2831                 Digest SASL Mechanism                  May 2000


   The augmented BNF includes the following constructs:

   name = definition
      The name of a rule is simply the name itself (without any
      enclosing "<" and ">") and is separated from its definition by the
      equal "=" character. White space is only significant in that
      indentation of continuation lines is used to indicate a rule
      definition that spans more than one line. Certain basic rules are
      in uppercase, such as SP, LWS, HT, CRLF, DIGIT, ALPHA, etc. Angle
      brackets are used within definitions whenever their presence will
      facilitate discerning the use of rule names.

   "literal"
      Quotation marks surround literal text. Unless stated otherwise,
      the text is case-insensitive.

   rule1 | rule2
      Elements separated by a bar ("|") are alternatives, e.g., "yes |
      no" will accept yes or no.

   (rule1 rule2)
      Elements enclosed in parentheses are treated as a single element.
      Thus, "(elem (foo | bar) elem)" allows the token sequences
      "elem foo elem" and "elem bar elem".

   *rule
      The character "*" preceding an element indicates repetition. The
      full form is "<n>*<m>element" indicating at least <n> and at most
      <m> occurrences of element. Default values are 0 and infinity so
      that "*(element)" allows any number, including zero; "1*element"
      requires at least one; and "1*2element" allows one or two.

   [rule]
      Square brackets enclose optional elements; "[foo bar]" is
      equivalent to "*1(foo bar)".

   N rule
      Specific repetition: "<n>(element)" is equivalent to
      "<n>*<n>(element)"; that is, exactly <n> occurrences of (element).
      Thus 2DIGIT is a 2-digit number, and 3ALPHA is a string of three
      alphabetic characters.

   #rule
      A construct "#" is defined, similar to "*", for defining lists of
      elements. The full form is "<n>#<m>element" indicating at least
      <n> and at most <m> elements, each separated by one or more commas
      (",") and OPTIONAL linear white space (LWS). This makes the usual
      form of lists very easy; a rule such as



Leach & Newman              Standards Track                    [Page 22]

RFC 2831                 Digest SASL Mechanism                  May 2000


        ( *LWS element *( *LWS "," *LWS element ))
      can be shown as
        1#element
      Wherever this construct is used, null elements are allowed, but do
      not contribute to the count of elements present. That is,
      "(element), , (element) " is permitted, but counts as only two
      elements.  Therefore, where at least one element is required, at
      least one non-null element MUST be present. Default values are 0
      and infinity so that "#element" allows any number, including zero;
      "1#element" requires at least one; and "1#2element" allows one or
      two.

   ; comment
      A semi-colon, set off some distance to the right of rule text,
      starts a comment that continues to the end of line. This is a
      simple way of including useful notes in parallel with the
      specifications.

   implied *LWS
      The grammar described by this specification is word-based. Except
      where noted otherwise, linear white space (LWS) can be included
      between any two adjacent words (token or quoted-string), and
      between adjacent words and separators, without changing the
      interpretation of a field. At least one delimiter (LWS and/or
      separators) MUST exist between any two tokens (for the definition
      of "token" below), since they would otherwise be interpreted as a
      single token.

7.2   Basic Rules

   The following rules are used throughout this specification to
   describe basic parsing constructs. The US-ASCII coded character set
   is defined by ANSI X3.4-1986 [USASCII].

       OCTET          = <any 8-bit sequence of data>
       CHAR           = <any US-ASCII character (octets 0 - 127)>
       UPALPHA        = <any US-ASCII uppercase letter "A".."Z">
       LOALPHA        = <any US-ASCII lowercase letter "a".."z">
       ALPHA          = UPALPHA | LOALPHA
       DIGIT          = <any US-ASCII digit "0".."9">
       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>
       CR             = <US-ASCII CR, carriage return (13)>
       LF             = <US-ASCII LF, linefeed (10)>
       SP             = <US-ASCII SP, space (32)>
       HT             = <US-ASCII HT, horizontal-tab (9)>
       <">            = <US-ASCII double-quote mark (34)>
       CRLF           = CR LF



Leach & Newman              Standards Track                    [Page 23]

RFC 2831                 Digest SASL Mechanism                  May 2000



   All linear white space, including folding, has the same semantics as
   SP. A recipient MAY replace any linear white space with a single SP
   before interpreting the field value or forwarding the message
   downstream.

       LWS            = [CRLF] 1*( SP | HT )

   The TEXT rule is only used for descriptive field contents and values
   that are not intended to be interpreted by the message parser. Words
   of *TEXT MAY contain characters from character sets other than
   ISO-8859-1 [ISO 8859] only when encoded according to the rules of RFC
   2047 [RFC 2047].

       TEXT           = <any OCTET except CTLs,
                        but including LWS>

   A CRLF is allowed in the definition of TEXT only as part of a header
   field continuation. It is expected that the folding LWS will be
   replaced with a single SP before interpretation of the TEXT value.

   Hexadecimal numeric characters are used in several protocol elements.

       HEX            = "A" | "B" | "C" | "D" | "E" | "F"
                      | "a" | "b" | "c" | "d" | "e" | "f" | DIGIT

   Many HTTP/1.1 header field values consist of words separated by LWS
   or special characters. These special characters MUST be in a quoted
   string to be used within a parameter value.

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

   A string of text is parsed as a single word if it is quoted using
   double-quote marks.

      quoted-string  = ( <"> qdstr-val <"> )
      qdstr-val      = *( qdtext | quoted-pair )
      qdtext         = <any TEXT except <">>

   Note that LWS is NOT implicit between the double-quote marks (<">)
   surrounding a qdstr-val and the qdstr-val; any LWS will be considered
   part of the qdstr-val.  This is also the case for quotation marks
   surrounding any other construct.




Leach & Newman              Standards Track                    [Page 24]

RFC 2831                 Digest SASL Mechanism                  May 2000


   The backslash character ("\") MAY be used as a single-character
   quoting mechanism only within qdstr-val and comment constructs.

       quoted-pair    = "\" CHAR

   The value of this construct is CHAR. Note that an effect of this rule
   is that backslash must be quoted.

8  Sample Code

   The sample implementation in [Digest] also applies to DIGEST-MD5.

   The following code implements the conversion from UTF-8 to 8859-1 if
   necessary.

    /* if the string is entirely in the 8859-1 subset of UTF-8, then
     * translate to 8859-1 prior to MD5
     */
    void MD5_UTF8_8859_1(MD5_CTX *ctx, const unsigned char *base,
        int len)
    {
        const unsigned char *scan, *end;
        unsigned char cbuf;

        end = base + len;
        for (scan = base; scan < end; ++scan) {
            if (*scan > 0xC3) break; /* abort if outside 8859-1 */
            if (*scan >= 0xC0 && *scan <= 0xC3) {
                if (++scan == end || *scan < 0x80 || *scan > 0xBF)
                    break;
            }
        }
        /* if we found a character outside 8859-1, don't alter string
         */
        if (scan < end) {
            MD5Update(ctx, base, len);
            return;
        }

        /* convert to 8859-1 prior to applying hash
         */
        do {
            for (scan = base; scan < end && *scan < 0xC0; ++scan)
                ;
            if (scan != base) MD5Update(ctx, base, scan - base);
            if (scan + 1 >= end) break;
            cbuf = ((scan[0] & 0x3) << 6) | (scan[1] & 0x3f);
            MD5Update(ctx, &cbuf, 1);



Leach & Newman              Standards Track                    [Page 25]

RFC 2831                 Digest SASL Mechanism                  May 2000


            base = scan + 2;
        } while (base < end);
    }
















































Leach & Newman              Standards Track                    [Page 26]

RFC 2831                 Digest SASL Mechanism                  May 2000


9  Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Leach & Newman              Standards Track                    [Page 27]