The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services. The GSSAPI is an IETF standard that addresses the problem of many similar but incompatible security services in use today.


Operation

The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI ''implementations'', usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers, who can write their application to use only the vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages (''tokens'') which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network, as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a ''security context'' is established. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:

; GSS_Acquire_cred : Obtains the user's identity proof, often a secret cryptographic key
; GSS_Import_name : Converts a username or hostname into a form that identifies a security entity
; GSS_Init_sec_context : Generates a client token to send to the server, usually a challenge
; GSS_Accept_sec_context : Processes a token from GSS_Init_sec_context and can generate a response token to return
; GSS_Wrap : Converts application data into a secure message token (typically encrypted)
; GSS_Unwrap : Converts a secure message token back into application data

The GSSAPI is standardized for the C language (RFC 2744). Java implements the GSSAPI as JGSS, the Java Generic Security Services Application Program Interface.

Some limitations of GSSAPI are:

# standardizing only authentication, not authorization as well;
# assuming a client–server architecture.

Anticipating new security mechanisms, the GSSAPI includes a negotiating ''pseudo mechanism'', SPNEGO, that can discover and use new mechanisms not present when the original application was built.
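To make the token exchange concrete, here is an added example that is not part of the standard or of any real mechanism: a toy mechanism whose two peers are assumed to share a key in advance (as Kerberos peers share a session key), together with the application-side loop that relays context-level tokens until GSS_S_COMPLETE and then protects per-message tokens with wrap/unwrap. The class, method and constant names mirror the RFC 2743 calls but are hypothetical, and Python is used instead of the standard's C binding so the example runs without a GSSAPI library.

```python
import hmac, hashlib, os, struct
GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED = 0, 1   # modelled on the RFC 2743 major-status names

class ToyContext:
    # One end of a security context (constructed stand-in: both peers already hold `key`).
    def __init__(self, key: bytes):
        self.key, self.nonce, self.peer_nonce, self.established = key, None, None, False
        self.send_seq = self.recv_seq = 0
    def _tag(self, *parts: bytes) -> bytes:
        return hmac.new(self.key, b"".join(parts), hashlib.sha256).digest()
    # Context-level tokens: a three-message challenge/response relayed by establish().
    def init_sec_context(self, input_token=None):
        if input_token is None:                         # first call: emit a challenge
            self.nonce = os.urandom(16)
            return GSS_S_CONTINUE_NEEDED, self.nonce
        self.peer_nonce, tag = input_token[:16], input_token[16:]
        if not hmac.compare_digest(tag, self._tag(self.nonce, self.peer_nonce)):
            raise ValueError("acceptor did not prove knowledge of the key")
        self.established = True   # COMPLETE, yet the returned token must still be sent
        return GSS_S_COMPLETE, self._tag(self.peer_nonce, self.nonce)
    def accept_sec_context(self, input_token: bytes):
        if self.peer_nonce is None:                     # the initiator's challenge
            self.peer_nonce, self.nonce = input_token, os.urandom(16)
            return GSS_S_CONTINUE_NEEDED, self.nonce + self._tag(self.peer_nonce, self.nonce)
        if not hmac.compare_digest(input_token, self._tag(self.nonce, self.peer_nonce)):
            raise ValueError("initiator did not prove knowledge of the key")
        self.established = True
        return GSS_S_COMPLETE, None
    # Per-message tokens: seq || data || tag gives integrity plus replay detection; the
    # sender's nonce binds direction. (A real mechanism's wrap would also encrypt data.)
    def wrap(self, data: bytes) -> bytes:
        hdr = struct.pack(">Q", self.send_seq); self.send_seq += 1
        return hdr + data + self._tag(self.nonce, hdr, data)
    def unwrap(self, token: bytes) -> bytes:
        hdr, data, tag = token[:8], token[8:-32], token[-32:]
        if not hmac.compare_digest(tag, self._tag(self.peer_nonce, hdr, data)):
            raise ValueError("integrity check failed")          # forged or altered
        if struct.unpack(">Q", hdr)[0] != self.recv_seq:
            raise ValueError("replayed or out-of-order token")
        self.recv_seq += 1
        return data
def establish(initiator: ToyContext, acceptor: ToyContext) -> int:
    # Application-side loop: relay opaque tokens until the initiator reports COMPLETE.
    status, token, sent = GSS_S_CONTINUE_NEEDED, None, 0
    while status == GSS_S_CONTINUE_NEEDED:
        status, token = initiator.init_sec_context(token)
        if token is not None:                           # send even when COMPLETE
            sent += 1
            _, token = acceptor.accept_sec_context(token)
            sent += 1 if token is not None else 0
    return sent                                         # 3 tokens for this mechanism
```

A wrong key on either side, altered message data and a replayed per-message token each raise ValueError.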


Relationship to Kerberos

The dominant GSSAPI mechanism implementation in use is Kerberos. Unlike the GSSAPI, the Kerberos API has not been standardized and various existing implementations use incompatible APIs. The GSSAPI allows Kerberos implementations to be API compatible.


Related technologies

* RADIUS
* SASL
* TLS
* SSPI
* SPNEGO
* RPCSEC GSS


Key concepts

; Name : A binary string that labels a security principal (i.e., user or service program); see access control and identity. For example, Kerberos uses names like ''user@REALM'' for users and ''service/hostname@REALM'' for programs.
; Credentials : Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.
; Context : The state of one end of the authenticating/authenticated protocol. May provide message protection services, which can be used to compose a secure channel.
; Tokens : Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens) or as part of a protected communication (per-message tokens).
; Mechanism : An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms include Kerberos, NTLM, Distributed Computing Environment (DCE), SESAME, SPKM and LIPKEY.
; Initiator/acceptor : The peer that sends the first token is the initiator; the other is the acceptor. Generally, the client program is the initiator while the server is the acceptor.


History

* July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
* September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
* May 1995: Windows NT 3.51 released, includes SSPI
* June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
* January 1997: GSSAPI version 2 (RFC 2078)
* October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
* January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
* August 2004: KITTEN working group meets to continue CAT activities
* May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)


See also

* PKCS #11


External links

* The Generic Security Service API Version 2 update 1
* The Generic Security Service API Version 2: C-Bindings
* The Kerberos 5 GSS-API mechanism
* The Kerberos 5 GSS-API mechanism: Version 2
* The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
* The Simple Public-Key GSS-API Mechanism (SPKM)
* LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM