Generic Security Services Application Program Interface


Generic Security Services Application Program Interface

The Generic Security Services Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services.

The GSSAPI is an IETF standard that addresses the problem of many similar but incompatible security services in use today.

How it works

The GSSAPI, by itself, does not provide any security.Instead, security service vendors provide GSSAPI "implementations" usually in the form of libraries installed with their security software.These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI.If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages ("tokens")that hide the implementation detail from the higher level application.The client and server sides of the application are written to convey the tokens given to them bytheir respective GSSAPI implementations.GSSAPI tokens can be sent over an insecure network because the mechanisms guarantee inherent message security.After some number of tokens have been exchanged, the GSSAPI at both ends inform their local application that a "security context" has been established.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:
* "GSS_Acquire_cred" - obtains the user's identity proof, often a secret cryptographic key
* "GSS_Import_name" - converts a username or hostname into a form that identifies a security entity
* "GSS_Init_sec_context" - generates a client token to send to the server, usually a challenge
* "GSS_Accept_sec_context" - processes a token from "GSS_Init_sec_context" and can generate a response token to return
* "GSS_Wrap" - converts application data into a secure message token (typically encrypted)
* "GSS_Unwrap" - converts a secure message token back into application data

The GSSAPI has been standardised for the
C and Java languages.

Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture.

Anticipating new security mechanisms,the GSSAPI includes a negotiating "pseudo mechanism", SPNEGO, that can discover and use new mechanisms not present when the original application was built.

Relationship to Kerberos

The dominant GSSAPI mechanism implementation in use is Kerberos. Unlike the GSSAPI, the Kerberos API has not been standardizedand various existing implementations use incompatible APIs.The GSSAPI allows Kerberos implementations to be API compatible.

Competing technologies

* RADIUS
* SASL
* TLS
* SSPI
* SPNEGO

Key concepts of the GSSAPI

;Name :A binary string that labels a security principal (i.e. user or service program) - see access control and identity. For example, Kerberos uses names like "user@REALM" for users and "service/hostname@REALM" for programs.;Credentials :Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.;Context :The state of one end of the authenticating/authenticated protocol. May provide message protection services, which can be used to compose a secure channel.;Tokens :Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens), or as part of a protected communication (per-message tokens);Mechanism :An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms include Kerberos, NTLM, Distributed Computing Environment (DCE), SESAME, SPKM, LIPKEY.;Initiator/acceptor :The peer that sends the first token is the initiator; the other the acceptor. Generally, the client program is the initiator while the server is the acceptor.

History of the GSSAPI

* July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
* September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
* May 1995: Windows NT 3.51 released, includes SSPI
* June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
* January 1997: GSSAPI version 2 (RFC 2078)
* October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
* January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
* August 2004: KITTEN working group meets to continue CAT activities
* May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)

External links

* RFC 2743 The Generic Security Service API Version 2 update 1
* RFC 2744 The Generic Security Service API Version 2: C-Bindings
* RFC 1964 The Kerberos 5 GSS-API mechanism
* RFC 4121 The Kerberos 5 GSS-API mechanism: Version 2
* RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
* RFC 2025 The Simple Public-Key GSS-API Mechanism (SPKM)
* RFC 2847 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
* [http://www.ietf.org/html.charters/kitten-charter.html Kitten working group - next generation GSS-API]


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Graphics Device Interface — The Graphics Device Interface (GDI) is a Microsoft Windows application programming interface and core operating system component responsible for representing graphical objects and transmitting them to output devices such as monitors and printers …   Wikipedia

  • Список RFC — Здесь представлен список RFC (документ запроса комментариев). Поскольку на данный момент их существует более 5000, то в данном списке представлены лишь наиболее значимые из них, по которым существуют связанные с ними статьи. Содержание 1 RFC по… …   Википедия

  • Kerberos (protocol) — Kerberos is a computer network authentication protocol, which allows individuals communicating over a non secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts… …   Wikipedia

  • Kerberos — /kɛərbərəs/  сетевой протокол аутентификации, позволяющий передавать данные через незащищённые сети для безопасной идентификации. Ориентирован , в первую очередь , на клиент серверную модель и обеспечивает взаимную аутентификацию  оба… …   Википедия

  • GSS — can mean:In science: * General Social Survey * Genome survey sequence * German Space Society * Gerstmann Sträussler Scheinker syndrome * Gudjonsson suggestibility scaleIn technology: * Generic Security Services Application Program Interface *… …   Wikipedia

  • GSSAPI — Das Generic Security Services Application Program Interface (GSSAPI, auch GSS API) ist eine Programmierschnittstelle für Anwendungen, die auf Security Devices zugreifen. Die GSSAPI ist ein IETF Standard, der das Problem vieler verschiedener,… …   Deutsch Wikipedia

  • GSS — Cette page d’homonymie répertorie les différents sujets et articles partageant un même nom. GSS peut être l abréviation de : Grandes surfaces spécialisées Generic Security Services Application Program Interface, un terme informatique… …   Wikipédia en Français

  • Ssh — im TCP/IP‑Protokollstapel: Anwendung SSH Transport TCP Internet IP (IPv4, IPv6) Netzzugang Ethernet Tok …   Deutsch Wikipedia

  • Secure Shell — SSH im TCP/IP‑Protokollstapel: Anwendung SSH Transport TCP Internet IP (IPv4, IPv6) Netzzugang Ethernet Token …   Deutsch Wikipedia

  • Open-system environment reference model — Illustration of the open system environment reference model, 1995.[1] Open system environment (OSE) reference model (RM) or OSE reference model (OSE/RM) is one of the first reference models for enterprise architecture. It provides a …   Wikipedia