Internet Direct (Indy)
TIdSASLOTP Class

Implements the OTP (One-Time-Password) SASL authentication mechanism.

Pascal
TIdSASLOTP = class(TIdSASLUserPass);

TIdSASLOTP is a TIdSASLUserPass descendant that implements the OTP (One-Time-Password) SASL authentication mechanism, as described in the following Internet Standards documents: 

RFC 2444 - The One-Time-Password SASL Mechanism  

RFC 2222 - Simple Authentication and Security Layer (SASL)  

SASL authentication mechanism names must be registered with the IANA. The current list of registered SASL authentication mechanisms is located at: 

IANA Official Simple Authentication and Security Layer Mechanisms  

OTP SASL provides an authentication mechanism for situations where there is limited client or server trust. The OTP SASL mechanism is intended to replace the SKEY SASL mechanism. 

OTP SASL is a good choice for usage scenarios where the client is untrusted (e.g., a kiosk client), as a one-time password will only give the client a single opportunity to act on behalf of the user. OTP is also a good choice for situations where interactive logins are permitted to the server, as a compromised OTP authentication database is only subject to dictionary attacks, unlike authentication databases for other simple mechanisms such as CRAM-MD5. 

In OTP SASL, the client begins by sending a message to the server containing the authorization identity and the authentication identity for the SASL authentication mechanism. 

The authorization identity is used to allow login with a different user identity, such as in a proxy server. The authorization identity can contain a blank string when the identity is the same as the authentication identity (or Username). 

The authentication identity is the Username that will be authenticated using the credentials provided in a subsequent client response. 

Both the authorization identity and the authentication identity are limited to 255 characters. US-ASCII printable characters are preferred in the values, although UTF-8 printable characters are permitted to support international names. Use of character sets other than US-ASCII and UTF-8 is forbidden. 

The server responds by sending a message containing the OTP challenge as described in the OTP and OTP Extended Responses specifications. 

The client must respond by creating an extended response using the hash algorithm indicated in the server challenge. OTP SASL requires use of the extended response format as described in the specifications for the authentication mechanism, including: 

word 
hex 
init-hex 
init-word 

TIdSASLOTP uses only the "word" response format in its current implementation. 

OTP SASL requires support for the MD5 hashing algorithm used in building client responses. OTP SASL recommends support for the SHA1 hashing algorithm. 

TIdSASLOTP implements support for the following hashing algorithms: 

MD4 
MD5 
SHA1 
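The exchange described above, worked through as an added example (not Indy's own code): the client's initial "authzid NUL authcid" message, parsing of the server's challenge, the RFC 2289 hash-chain computation with the MD5 and SHA1 folding rules, and the server-side check that hashing the offered password once reproduces the last one it stored. The identities, seed, pass phrase and sequence numbers are constructed; the "hex:" form is used because the "word:" form needs the RFC 2289 word dictionary, and MD4 is accepted by the folding code but only works where hashlib still provides it.

```python
import hashlib


def otp_fold(digest: bytes, algo: str) -> bytes:
    """Fold a digest to the 64 bits an OTP carries (RFC 2289, per algorithm)."""
    if algo in ("md4", "md5"):
        # 128 -> 64 bits: XOR the first eight bytes with the last eight
        return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))
    if algo == "sha1":
        # 160 -> 64 bits: fold the five 32-bit words (w0^w2^w4, w1^w3) and
        # emit the two result words little-endian, as RFC 2289 describes for SHA1
        w = [int.from_bytes(digest[i:i + 4], "big") for i in range(0, 20, 4)]
        return (w[0] ^ w[2] ^ w[4]).to_bytes(4, "little") + (w[1] ^ w[3]).to_bytes(4, "little")
    raise ValueError("unsupported OTP hash: " + algo)


def otp_hash(algo: str, seed: str, passphrase: str, count: int) -> bytes:
    """One-time password number `count`: seed (case-insensitive) + pass phrase, hashed count+1 times."""
    key = otp_fold(hashlib.new(algo, (seed.lower() + passphrase).encode()).digest(), algo)
    for _ in range(count):
        key = otp_fold(hashlib.new(algo, key).digest(), algo)
    return key


def client_initial(authcid: str, authzid: str = "") -> bytes:
    """First client message: authorization identity, NUL, authentication identity (RFC 2444)."""
    for ident in (authzid, authcid):
        if len(ident) > 255:  # both identities are limited to 255 characters
            raise ValueError("identity longer than 255 characters")
    return authzid.encode("utf-8") + b"\x00" + authcid.encode("utf-8")


def parse_challenge(challenge: str):
    """Split a server challenge such as 'otp-md5 499 ke1234 ext' into (algo, sequence, seed)."""
    fields = challenge.split()
    if len(fields) < 3 or not fields[0].startswith("otp-"):
        raise ValueError("malformed OTP challenge")
    return fields[0][4:], int(fields[1]), fields[2]


def hex_response(algo: str, seed: str, passphrase: str, count: int) -> str:
    """Extended 'hex:' response; 'word:' encodes the same 64 bits with the RFC 2289 dictionary."""
    return "hex:" + otp_hash(algo, seed, passphrase, count).hex()


def server_verify(stored_hex: str, algo: str, response: str) -> bool:
    """Server side: hashing the offered password once must yield the last one it stored."""
    if not response.startswith("hex:"):
        return False
    try:
        offered = bytes.fromhex(response[4:].replace(" ", ""))
    except ValueError:
        return False
    return len(offered) == 8 and otp_fold(hashlib.new(algo, offered).digest(), algo) == bytes.fromhex(stored_hex)
```

After a successful check the server stores the offered password and lowers the sequence number for the next challenge, which is why a captured response cannot be replayed. The folding rules are taken from RFC 2289 and the output should be compared with that RFC's Appendix C test vectors before relying on the code.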
Internet Direct (Indy) version 10.1.5
Copyright © 1993-2006, Chad Z. Hower (aka Kudzu) and the Indy Pit Crew. All rights reserved.
Website http://www.indyproject.org.
Post feedback to the Indy Documentation newsgroup.