SASL is a framework for adding authentication and optional encryption to network protocols. It is standardized by the IETF in RFC 4422, which defines a generic interface for authentication and specifies how authentication is layered on top of a network protocol.
SASL doesn't perform authentication itself. Instead, it acts as a bridge that lets a protocol plug in authentication mechanisms such as PLAIN, SCRAM, or GSSAPI. Because the details of the mechanism are abstracted away from the network protocol, mechanisms become pluggable and interchangeable.
Info
SASL is supported by many programming languages, for example in Java by JAAS (Java Authentication and Authorization Service) and in C++ (Cyrus SASL).
SASL operates as a layer that integrates with the protocol being used. The client and the server work together as follows:
- Mechanism Selection: The client and server negotiate the authentication mechanism (e.g., PLAIN, SCRAM, GSSAPI (Kerberos)).
- Authentication Exchange: The client sends credentials or tokens as per the chosen mechanism.
- Security Services: Depending on the mechanism, SASL may also provide encryption and data integrity.
Example
A common use case is securing communication with Kafka, which supports mechanisms such as SASL/PLAIN for username/password authentication or SASL/SCRAM for more secure password handling.
SCRAM (Salted Challenge Response Authentication Mechanism)
SCRAM is a SASL authentication mechanism designed to authenticate users securely by exchanging salted, hashed credentials instead of plain-text passwords. It improves security by never sending the cleartext password and by resisting replay attacks through a per-session challenge (nonce).
SCRAM is based on the challenge-response model:
- Client: Sends an initial message containing the username and a client nonce.
- Server: Replies with the password salt, an iteration count, and its own nonce.
- Client: Combines the password, salt, server nonce, and client nonce to generate the response hash (the proof).
- Server: Verifies the proof by comparing it with its own calculated value.
Note
SCRAM uses a secure hash function like SHA-256 or SHA-512 for computations.
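To make the four steps concrete, the following is an added example (not part of the original article) that runs a complete SCRAM-SHA-256 exchange in pure Python, computing both the client's proof and the server's signature exactly as RFC 5802/7677 define them. The username, password, salt and nonces are constructed values; the server holds only StoredKey and ServerKey, never the password.

```python
import base64
import hashlib
import hmac

HASH = "sha256"  # SCRAM-SHA-256 (RFC 7677); use "sha512" for SCRAM-SHA-512

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def store_credential(password: str, salt: bytes, iterations: int) -> dict:
    """Server-side enrolment: keep StoredKey and ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": _h(_hmac(salted, b"Client Key")),
            "server_key": _hmac(salted, b"Server Key")}

def scram_exchange(user: str, password: str, cred: dict,
                   c_nonce: str, s_nonce: str) -> tuple[bool, bool]:
    """Run the SCRAM round trip; return (server accepted client, client accepted server)."""
    # 1. client-first-message: GS2 header "n,," followed by the bare part (user + client nonce)
    client_first_bare = f"n={user},r={c_nonce}"
    # 2. server-first-message: combined nonce, base64 salt, iteration count
    nonce = c_nonce + s_nonce
    server_first = (f"r={nonce},s={base64.b64encode(cred['salt']).decode()},"
                    f"i={cred['iterations']}")
    # 3. client-final-message-without-proof; the client takes salt and i from server_first
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    attrs = dict(p.split("=", 1) for p in server_first.split(","))
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))  # ClientProof
    # Server side: undo the XOR with its own ClientSignature, then hash and compare to StoredKey
    recovered_key = _xor(proof, _hmac(cred["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_key), cred["stored_key"])
    # 4. server-final-message: ServerSignature lets the client authenticate the server too
    server_sig = _hmac(cred["server_key"], auth_message)
    server_ok = hmac.compare_digest(server_sig, _hmac(_hmac(salted, b"Server Key"), auth_message))
    return client_ok, server_ok
```

Because every signature is bound to the concatenated auth message, replaying a captured proof under a fresh server nonce fails the StoredKey check, which is the replay resistance the text describes.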
Example in Kafka
Kafka supports SASL/SCRAM for authentication. Configuration involves:
- Broker Configuration:
  - Set sasl.enabled.mechanisms=SCRAM-SHA-256.
  - Store hashed passwords in Kafka's user database.
- Client Configuration:
  - Provide the username and password in the client's SASL configuration.
Example
Example client configuration for SCRAM:
sasl.mechanism=SCRAM-SHA-256
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="user" password="password";