1.3 GSS-API Overview
This section describes GSS-API from a protocol point of view.
The Generic Security Service Application Programming Interface
provides security services to calling applications. It allows a
communicating application to authenticate the user associated with
another application, to delegate rights to another application, and to
apply security services such as confidentiality and integrity on a
per-message basis.
There are four stages to using the GSS-API:
- The application acquires a set of credentials with which it may prove
its identity to other processes. The application's credentials vouch
for its global identity, which may or may not be related to any local
username under which it may be running.
- A pair of communicating applications establish a joint security
context using their credentials. The security context is a pair of
GSS-API data structures that contain shared state information, which
is required in order that per-message security services may be
provided. Examples of state that might be shared between applications
as part of a security context are cryptographic keys, and message
sequence numbers. As part of the establishment of a security context,
the context initiator is authenticated to the responder, and may
require that the responder is authenticated in turn. The initiator
may optionally give the responder the right to initiate further
security contexts, acting as an agent or delegate of the initiator.
This transfer of rights is termed delegation, and is achieved by
creating a set of credentials, similar to those used by the initiating
application, but which may be used by the responder.
To establish and maintain the shared information that makes up the
security context, certain GSS-API calls will return a token data
structure, which is an opaque data type that may contain
cryptographically protected data. The caller of such a GSS-API
routine is responsible for transferring the token to the peer
application, encapsulated if necessary in an application- application
protocol. On receipt of such a token, the peer application should
pass it to a corresponding GSS-API routine which will decode the token
and extract the information, updating the security context state
information accordingly.
- Per-message services are invoked to apply either: integrity and data
origin authentication, or confidentiality, integrity and data origin
authentication to application data, which are treated by GSS-API as
arbitrary octet-strings. An application transmitting a message that
it wishes to protect will call the appropriate GSS-API routine
(gss_get_mic or gss_wrap) to apply protection, specifying the
appropriate security context, and send the resulting token to the
receiving application. The receiver will pass the received token
(and, in the case of data protected by gss_get_mic, the accompanying
message-data) to the corresponding decoding routine (gss_verify_mic or
gss_unwrap) to remove the protection and validate the data.
- At the completion of a communications session (which may extend across
several transport connections), each application calls a GSS-API
routine to delete the security context. Multiple contexts may also be
used (either successively or simultaneously) within a single
communications association, at the option of the applications.