SSF, the security strength factor, indicates the strength of the SASL protection. If the mechanism supports a security layer, the client and server negotiate the SSF. The value of the SSF is based on the security properties that were specified before the SASL negotiation. If a non-zero SSF is negotiated, both client and server need to use the mechanism's security layer when the authentication has completed. SSF is represented by an integer with one of the following values:
0 – No protection.
1 – Integrity checking only.
>1 – Supports authentication, integrity and confidentiality. The number represents the encryption key length.
The confidentiality and integrity operations are performed by the security mechanism. libsasl coordinates these requests.
In the negotiation, the SASL client selects the mechanism with the maximum SSF. However, the actual SASL mechanism that is chosen might subsequently negotiate a lower SSF.