
Generic Security Services Application Program Interface
The Generic Security Services Application Program Interface (GSSAPI, also GSS-API) is an application programming interface
for programs to access security services.
The GSSAPI is an IETF standard that addresses the problem of many similar but incompatible security services in use today.
How it works
The GSSAPI, by itself, does not provide any security. Instead, security service vendors provide GSSAPI implementations, usually in the form of libraries installed with their security software.
These libraries present a GSSAPI-compatible interface to application writers, who can write their application to use only the vendor-independent GSSAPI.
If the security implementation ever needs replacing, the application need not be rewritten.
The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens)
that hide the implementation detail from the higher level application.
The client and server sides of the application are written to convey the tokens given to them by
their respective GSSAPI implementations.
GSSAPI tokens can usually be sent over an insecure network as the mechanisms provide inherent message security.
After some number of tokens have been exchanged, the GSSAPI implementations at both ends inform their local application that a security context has been established.
Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.
Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.
The GSSAPI describes about 45 procedure calls. Significant ones include:
- GSS_Acquire_cred - obtains the user's identity proof, often a secret cryptographic key
- GSS_Import_name - converts a username or hostname into a form that identifies a security entity
- GSS_Init_sec_context - generates a client token to send to the server, usually a challenge
- GSS_Accept_sec_context - processes a token from GSS_Init_sec_context and can generate a response token to return
- GSS_Wrap - converts application data into a secure message token (typically encrypted)
- GSS_Unwrap - converts a secure message token back into application data
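To make the token-ferrying pattern behind GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Wrap and GSS_Unwrap concrete, here is an added Python model; it is not part of this article and is not code from any GSSAPI implementation. ToyMech is a constructed stand-in mechanism (pre-shared key, invented token layout) standing in for a real mechanism such as Kerberos, and its method names and status codes mirror the RFC 2743 calls only in shape; the application-side loop in establish is the part a GSSAPI application actually writes.

```python
import hashlib, hmac, secrets, struct
GSS_S_COMPLETE, GSS_S_CONTINUE_NEEDED = 0, 1  # status codes named in RFC 2743

def _mac(key, *parts): return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class ToyMech:
    # Constructed stand-in mechanism: pre-shared key, mutual HMAC-SHA256 challenge-response.
    def __init__(self, key):
        self.key, self.nonce, self.peer_nonce = key, secrets.token_bytes(16), None
        self.session_key, self.send_seq, self.recv_seq = None, 0, 0
    def _derive(self):  # identical session key at both ends, whatever the role
        self.session_key = _mac(self.key, b"sess", *sorted((self.nonce, self.peer_nonce)))
    def init_sec_context(self, input_token):  # GSS_Init_sec_context
        if input_token is None:
            return GSS_S_CONTINUE_NEEDED, self.nonce  # first token: our challenge
        self.peer_nonce, tag = input_token[:16], input_token[16:]
        if not hmac.compare_digest(tag, _mac(self.key, b"acc", self.nonce, self.peer_nonce)):
            raise ValueError("acceptor failed to prove possession of the key")
        self._derive()  # COMPLETE, yet the returned token must still be delivered
        return GSS_S_COMPLETE, _mac(self.key, b"init", self.peer_nonce, self.nonce)
    def accept_sec_context(self, input_token):  # GSS_Accept_sec_context
        if self.peer_nonce is None:
            self.peer_nonce = input_token
            return GSS_S_CONTINUE_NEEDED, self.nonce + _mac(self.key, b"acc", self.peer_nonce, self.nonce)
        if not hmac.compare_digest(input_token, _mac(self.key, b"init", self.nonce, self.peer_nonce)):
            raise ValueError("initiator failed to prove possession of the key")
        self._derive()
        return GSS_S_COMPLETE, None  # the acceptor has no final token to send
    def wrap(self, data):  # GSS_Wrap, integrity-only: seq || data || MAC
        body = struct.pack(">I", self.send_seq) + data
        self.send_seq += 1
        return body + _mac(self.session_key, body)
    def unwrap(self, token):  # GSS_Unwrap: verify the MAC first, then enforce ordering
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(tag, _mac(self.session_key, body)):
            raise ValueError("integrity check failed")
        if struct.unpack(">I", body[:4])[0] != self.recv_seq:
            raise ValueError("replayed or out-of-order token")
        self.recv_seq += 1
        return body[4:]

def establish(initiator, acceptor):
    # Application-side loop: ferry opaque tokens until both ends report completion (in-process here).
    i_status, token = initiator.init_sec_context(None)
    a_status = GSS_S_CONTINUE_NEEDED
    while token is not None:
        a_status, token = acceptor.accept_sec_context(token)
        if token is not None:
            i_status, token = initiator.init_sec_context(token)
    return i_status == a_status == GSS_S_COMPLETE
```

Note that the initiator returns GSS_S_COMPLETE together with a final token: an application that stops sending as soon as it sees completion leaves the acceptor's context unestablished, which is a common bug with the real C bindings as well.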
The GSSAPI has been standardized for the C (RFC 2744) and Java (JSR-072) languages.
Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client–server architecture.
Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built.
Relationship to Kerberos
The dominant GSSAPI mechanism implementation in use is Kerberos. Unlike the GSSAPI, the Kerberos API has not been standardized, and various existing implementations use incompatible APIs.
The GSSAPI allows Kerberos implementations to be API compatible.
Related technologies
- RADIUS
- SASL
- TLS
- SSPI
- SPNEGO
Key concepts
Name: A binary string that labels a security principal (i.e., user or service program); see access control and identity. For example, Kerberos uses names like user@REALM for users and service/hostname@REALM for programs.
Credentials: Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.
Context: The state of one end of the authenticating/authenticated protocol. May provide message protection services, which can be used to compose a secure channel.
Tokens: Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens), or as part of a protected communication (per-message tokens).
Mechanism: An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms include Kerberos, NTLM, Distributed Computing Environment (DCE), SESAME, SPKM, LIPKEY.
Initiator/acceptor: The peer that sends the first token is the initiator; the other is the acceptor. Generally, the client program is the initiator while the server is the acceptor.
History
- July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
- September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
- May 1995: Windows NT 3.51 released, includes SSPI
- June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
- January 1997: GSSAPI version 2 (RFC 2078)
- October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
- January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
- August 2004: KITTEN working group meets to continue CAT activities
- May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)
External links
- RFC 2743 The Generic Security Service API Version 2 update 1
- RFC 2744 The Generic Security Service API Version 2: C-Bindings
- RFC 1964 The Kerberos 5 GSS-API mechanism
- RFC 4121 The Kerberos 5 GSS-API mechanism: Version 2
- RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- RFC 2025 The Simple Public-Key GSS-API Mechanism (SPKM)
- RFC 2847 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
- Kitten working group - next generation GSS-API
- GSS-API Programming Guide from Sun


