Generic Security Services Application Program Interface

The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services.

The GSSAPI is an IETF standard that addresses the problem of many similar but incompatible security services in use as of 2005.

Operation

edit

The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI implementations - usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context is established.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:

GSS_Acquire_cred
Obtains the user's identity proof, often a secret cryptographic key
GSS_Import_name
Converts a username or hostname into a form that identifies a security entity
GSS_Init_sec_context
Generates a client token to send to the server, usually a challenge
GSS_Accept_sec_context
Processes a token from GSS_Init_sec_context and can generate a response token to return
GSS_Wrap
Converts application data into a secure message token (typically encrypted)
GSS_Unwrap
Converts a secure message token back into application data

The GSSAPI is standardized for the C (RFC 2744) language. Java implements the GSSAPI[1] as JGSS,[2] the Java Generic Security Services Application Program Interface.[3]

Some limitations of GSSAPI are:

  1. standardizing only authentication, rather not authorization too;
  2. assuming a client–server architecture.

Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built.

Relationship to Kerberos

edit

The dominant GSSAPI mechanism implementation in use is Kerberos. Unlike the GSSAPI, the Kerberos API has not been standardized and various existing implementations use incompatible APIs. The GSSAPI allows Kerberos implementations to be API compatible.

edit

Key concepts

edit
Name
A binary string that labels a security principal (i.e., user or service program) - see access control and identity. For example, Kerberos uses names like user@REALM for users and service/hostname@REALM for programs.
Credentials
Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.
Context
The state of one end of the authenticating/authenticated protocol. May provide message protection services, which can be used to compose a secure channel.
Tokens
Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens), or as part of a protected communication (per-message tokens)
Mechanism
An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms include Kerberos, NTLM, Distributed Computing Environment (DCE), SESAME, SPKM, LIPKEY.
Initiator/acceptor
The peer that sends the first token is the initiator; the other is the acceptor. Generally, the client program is the initiator while the server is the acceptor.

History

edit
  • July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
  • September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
  • May 1995: Windows NT 3.51 released, includes SSPI
  • June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
  • January 1997: GSSAPI version 2 (RFC 2078)
  • October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
  • January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
  • August 2004: KITTEN working group meets to continue CAT activities
  • May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)

See also

edit

References

edit
  1. ^ "JSR-000072 Generic Security Services API Specification 0.1". 2001-06-15. Retrieved 2015-10-07.
  2. ^ Schönefeld, Marc (2010). Refactoring of Security Antipatterns in Distributed Java Components. Schriften aus der Fakultät Wirtschaftsinformatik und Angewandte Informatik der Otto-Friedrich-Universität Bamberg. Vol. 5. University of Bamberg Press. p. 179. ISBN 9783923507689. Retrieved 2015-10-07. JGSS is the JAVA implementation of the GSSAPI.
  3. ^ Fisher, Marina; Sharma, Sonu; Lai, Ray; Moroney, Laurence (2006). Java EE and .NET Interoperability: Integration Strategies, Patterns, and Best Practices. Prentice Hall Professional. ISBN 9780132715706. Retrieved 2015-10-07. Java Generic Security Services Application Program Interface (JGSS) API for uniform access to security services atop a variety of underlying security mechanism, including Kerberos, which are building blocks for single sign-on and data encryption.
edit