Path: blob/main/crypto/heimdal/lib/wind/rfc4013.txt
34907 views
123456Network Working Group K. Zeilenga7Request for Comments: 4013 OpenLDAP Foundation8Category: Standards Track February 200591011SASLprep: Stringprep Profile for User Names and Passwords1213Status of This Memo1415This document specifies an Internet standards track protocol for the16Internet community, and requests discussion and suggestions for17improvements. Please refer to the current edition of the "Internet18Official Protocol Standards" (STD 1) for the standardization state19and status of this protocol. Distribution of this memo is unlimited.2021Copyright Notice2223Copyright (C) The Internet Society (2005).2425Abstract2627This document describes how to prepare Unicode strings representing28user names and passwords for comparison. The document defines the29"SASLprep" profile of the "stringprep" algorithm to be used for both30user names and passwords. This profile is intended to be used by31Simple Authentication and Security Layer (SASL) mechanisms (such as32PLAIN, CRAM-MD5, and DIGEST-MD5), as well as other protocols33exchanging simple user names and/or passwords.34351. Introduction3637The use of simple user names and passwords in authentication and38authorization is pervasive on the Internet. To increase the39likelihood that user name and password input and comparison work in40ways that make sense for typical users throughout the world, this41document defines rules for preparing internationalized user names and42passwords for comparison. For simplicity and implementation ease, a43single algorithm is defined for both user names and passwords.4445The algorithm assumes all strings are comprised of characters from46the Unicode [Unicode] character set.4748This document defines the "SASLprep" profile of the "stringprep"49algorithm [StringPrep].5051The profile is designed for use in Simple Authentication and Security52Layer ([SASL]) mechanisms, such as [PLAIN], [CRAM-MD5], and53[DIGEST-MD5]. It may be applicable where simple user names and54555657Zeilenga Standards Track [Page 1]5859RFC 4013 SASLprep February 2005606162passwords are used. This profile is not intended for use in63preparing identity strings that are not simple user names (e.g.,64email addresses, domain names, distinguished names), or where65identity or password strings that are not character data, or require66different handling (e.g., case folding).6768This document does not alter the technical specification of any69existing protocols. Any specification that wishes to use the70algorithm described in this document needs to explicitly incorporate71this document and provide precise details as to where and how this72algorithm is used by implementations of that specification.73742. The SASLprep Profile7576This section defines the "SASLprep" profile of the "stringprep"77algorithm [StringPrep]. This profile is intended for use in78preparing strings representing simple user names and passwords.7980This profile uses Unicode 3.2 [Unicode].8182Character names in this document use the notation for code points and83names from the Unicode Standard [Unicode]. For example, the letter84"a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.85In the lists of mappings and the prohibited characters, the "U+" is86left off to make the lists easier to read. The comments for87character ranges are shown in square brackets (such as "[CONTROL88CHARACTERS]") and do not come from the standard.8990Note: A glossary of terms used in Unicode can be found in [Glossary].91Information on the Unicode character encoding model can be found in92[CharModel].93942.1. Mapping9596This profile specifies:9798- non-ASCII space characters [StringPrep, C.1.2] that can be99mapped to SPACE (U+0020), and100101- the "commonly mapped to nothing" characters [StringPrep, B.1]102that can be mapped to nothing.1031042.2. Normalization105106This profile specifies using Unicode normalization form KC, as107described in Section 4 of [StringPrep].108109110111112113Zeilenga Standards Track [Page 2]114115RFC 4013 SASLprep February 20051161171182.3. Prohibited Output119120This profile specifies the following characters as prohibited input:121122- Non-ASCII space characters [StringPrep, C.1.2]123- ASCII control characters [StringPrep, C.2.1]124- Non-ASCII control characters [StringPrep, C.2.2]125- Private Use characters [StringPrep, C.3]126- Non-character code points [StringPrep, C.4]127- Surrogate code points [StringPrep, C.5]128- Inappropriate for plain text characters [StringPrep, C.6]129- Inappropriate for canonical representation characters130[StringPrep, C.7]131- Change display properties or deprecated characters132[StringPrep, C.8]133- Tagging characters [StringPrep, C.9]1341352.4. Bidirectional Characters136137This profile specifies checking bidirectional strings as described in138[StringPrep, Section 6].1391402.5. Unassigned Code Points141142This profile specifies the [StringPrep, A.1] table as its list of143unassigned code points.1441453. Examples146147The following table provides examples of how various character data148is transformed by the SASLprep string preparation algorithm149150# Input Output Comments151- ----- ------ --------1521 I<U+00AD>X IX SOFT HYPHEN mapped to nothing1532 user user no transformation1543 USER USER case preserved, will not match #21554 <U+00AA> a output is NFKC, input in ISO 8859-11565 <U+2168> IX output is NFKC, will match #11576 <U+0007> Error - prohibited character1587 <U+0627><U+0031> Error - bidirectional check1591604. Security Considerations161162This profile is intended to prepare simple user name and password163strings for comparison or use in cryptographic functions (e.g.,164message digests). The preparation algorithm was specifically165designed such that its output is canonical, and it is well-formed.166167168169Zeilenga Standards Track [Page 3]170171RFC 4013 SASLprep February 2005172173174However, due to an anomaly [PR29] in the specification of Unicode175normalization, canonical equivalence is not guaranteed for a select176few character sequences. These sequences, however, do not appear in177well-formed text. This specification was published despite this178known technical problem. It is expected that this specification will179be revised before further progression on the Standards Track (after180[Unicode] and/or [StringPrep] specifications have been updated to181address this problem).182183It is not intended for preparing identity strings that are not simple184user names (e.g., distinguished names, domain names), nor is the185profile intended for use of simple user names that require different186handling (such as case folding). Protocols (or applications of those187protocols) that have application-specific identity forms and/or188comparison algorithms should use mechanisms specifically designed for189these forms and algorithms.190191Application of string preparation may have an impact upon the192feasibility of brute force and dictionary attacks. While the number193of possible prepared strings is less than the number of possible194Unicode strings, the number of usable names and passwords is greater195than as if only ASCII was used. Though SASLprep eliminates some196Unicode code point sequences as possible prepared strings, that197elimination generally makes the (canonical) output forms practicable198and prohibits nonsensical inputs.199200User names and passwords should be protected from eavesdropping.201202General "stringprep" and Unicode security considerations apply. Both203are discussed in [StringPrep].2042055. IANA Considerations206207This document details the "SASLprep" profile of the [StringPrep]208protocol. This profile has been registered in the stringprep profile209registry.210211Name of this profile: SASLprep212RFC in which the profile is defined: RFC 4013213Indicator whether or not this is the newest version of the214profile: This is the first version of the SASPprep profile.2152166. Acknowledgement217218This document borrows text from "Preparation of Internationalized219Strings ('stringprep')" and "Nameprep: A Stringprep Profile for220Internationalized Domain Names", both by Paul Hoffman and Marc221Blanchet. This document is a product of the IETF SASL WG.222223224225Zeilenga Standards Track [Page 4]226227RFC 4013 SASLprep February 20052282292307. Normative References231232[StringPrep] Hoffman, P. and M. Blanchet, "Preparation of233Internationalized Strings ("stringprep")", RFC 3454,234December 2002.235236[Unicode] The Unicode Consortium, "The Unicode Standard, Version2373.2.0" is defined by "The Unicode Standard, Version2383.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-23961633-5), as amended by the "Unicode Standard Annex240#27: Unicode 3.1"241(http://www.unicode.org/reports/tr27/) and by the242"Unicode Standard Annex #28: Unicode 3.2"243(http://www.unicode.org/reports/tr28/).2442458. Informative References246247[Glossary] The Unicode Consortium, "Unicode Glossary",248<http://www.unicode.org/glossary/>.249250[CharModel] Whistler, K. and M. Davis, "Unicode Technical Report251#17, Character Encoding Model", UTR17,252<http://www.unicode.org/unicode/reports/tr17/>, August2532000.254255[SASL] Melnikov, A., Ed., "Simple Authentication and Security256Layer (SASL)", Work in Progress.257258[CRAM-MD5] Nerenberg, L., "The CRAM-MD5 SASL Mechanism", Work in259Progress.260261[DIGEST-MD5] Leach, P., Newman, C., and A. Melnikov, "Using Digest262Authentication as a SASL Mechanism", Work in Progress.263264[PLAIN] Zeilenga, K., Ed., "The Plain SASL Mechanism", Work in265Progress.266267[PR29] "Public Review Issue #29: Normalization Issue",268<http://www.unicode.org/review/pr-29.html>, February2692004.270271Author's Address272273Kurt D. Zeilenga274OpenLDAP Foundation275276EMail: [email protected]277278279280281Zeilenga Standards Track [Page 5]282283RFC 4013 SASLprep February 2005284285286Full Copyright Statement287288Copyright (C) The Internet Society (2005).289290This document is subject to the rights, licenses and restrictions291contained in BCP 78, and except as set forth therein, the authors292retain all their rights.293294This document and the information contained herein are provided on an295"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS296OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET297ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,298INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE299INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED300WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.301302Intellectual Property303304The IETF takes no position regarding the validity or scope of any305Intellectual Property Rights or other rights that might be claimed to306pertain to the implementation or use of the technology described in307this document or the extent to which any license under such rights308might or might not be available; nor does it represent that it has309made any independent effort to identify any such rights. Information310on the IETF's procedures with respect to rights in IETF Documents can311be found in BCP 78 and BCP 79.312313Copies of IPR disclosures made to the IETF Secretariat and any314assurances of licenses to be made available, or the result of an315attempt made to obtain a general license or permission for the use of316such proprietary rights by implementers or users of this317specification can be obtained from the IETF on-line IPR repository at318http://www.ietf.org/ipr.319320The IETF invites any interested party to bring to its attention any321copyrights, patents or patent applications, or other proprietary322rights that may cover technology that may be required to implement323this standard. Please address the information to the IETF at ietf-324[email protected].325326327Acknowledgement328329Funding for the RFC Editor function is currently provided by the330Internet Society.331332333334335336337Zeilenga Standards Track [Page 6]338339340341