Generic Security Services Application Program Interface

Last updated December 06, 2023

The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services.

Operation

The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPI implementations - usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context is established.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:

GSS_Acquire_cred: Obtains the user's identity proof, often a secret cryptographic key
GSS_Import_name: Converts a username or hostname into a form that identifies a security entity
GSS_Init_sec_context: Generates a client token to send to the server, usually a challenge
GSS_Accept_sec_context: Processes a token from GSS_Init_sec_context and can generate a response token to return
GSS_Wrap: Converts application data into a secure message token (typically encrypted)
GSS_Unwrap: Converts a secure message token back into application data

The GSSAPI is standardized for the C (RFC 2744) language. Java implements the GSSAPI^[1] as JGSS,^[2] the Java Generic Security Services Application Program Interface.^[3]

Some limitations of GSSAPI are:

standardizing only authentication, rather not authorization too;
assuming a client–server architecture.

Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built.

Relationship to Kerberos

The dominant GSSAPI mechanism implementation in use is Kerberos. Unlike the GSSAPI, the Kerberos API has not been standardized and various existing implementations use incompatible APIs. The GSSAPI allows Kerberos implementations to be API compatible.

Related technologies

Key concepts

Name: A binary string that labels a security principal (i.e., user or service program) - see access control and identity. For example, Kerberos uses names like user@REALM for users and service/hostname@REALM for programs.
Credentials: Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.
Context: The state of one end of the authenticating/authenticated protocol. May provide message protection services, which can be used to compose a secure channel.
Tokens: Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens), or as part of a protected communication (per-message tokens)
Mechanism: An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms include Kerberos, NTLM, Distributed Computing Environment (DCE), SESAME, SPKM, LIPKEY.
Initiator/acceptor: The peer that sends the first token is the initiator; the other is the acceptor. Generally, the client program is the initiator while the server is the acceptor.

History

July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
May 1995: Windows NT 3.51 released, includes SSPI
June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
January 1997: GSSAPI version 2 (RFC 2078)
October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
August 2004: KITTEN working group meets to continue CAT activities
May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)

Related Research Articles

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network. As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

In computing, the Post Office Protocol (POP) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server. Today, POP version 3 (POP3) is the most commonly used version. Together with IMAP, it is one of the most common protocols for email retrieval.

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call system. NFS is an open IETF standard defined in a Request for Comments (RFC), allowing anyone to implement the protocol.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), often pronounced "spenay-go", is a GSSAPI "pseudo mechanism" used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.

Integrated Windows Authentication (IWA) is a term associated with Microsoft products that refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality introduced with Microsoft Windows 2000 and included with later Windows NT-based operating systems. The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services, Internet Explorer, and other Active Directory aware applications.

A pluggable authentication module (PAM) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme. It was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) 86.0 dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment. As a stand-alone open-source infrastructure, PAM first appeared in Red Hat Linux 3.0.4 in August 1996 in the Linux PAM project. PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, macOS, NetBSD and Solaris.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and is updated by RFC 5247. EAP is an authentication framework for providing the transport and usage of material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines the information from the interface and the formats. Each protocol that uses EAP defines a way to encapsulate by the user EAP messages within that protocol's messages.

TSIG is a computer-networking protocol defined in RFC 2845. Primarily it enables the Domain Name System (DNS) to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update.

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. In some instances, one may be asked to enter an access token rather than the usual password.

GSS-TSIG is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.

Security Support Provider Interface (SSPI) is a component of Windows API that performs security-related operations such as authentication.

A principal in computer security is an entity that can be authenticated by a computer system or network. It is referred to as a security principal in Java and Microsoft literature.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby a client may log in using any authentication mechanism supported by the server. It is mainly used by submission servers, where authentication is mandatory.

In cryptography, the Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server. As it is specified for Simple Authentication and Security Layer (SASL), it can be used for password-based logins to services like SMTP and IMAP (e-mail), XMPP (chat), or MongoDB and PostgreSQL (databases). For XMPP, supporting it is mandatory.

References

↑ "JSR-000072 Generic Security Services API Specification 0.1". 2001-06-15. Retrieved 2015-10-07.
↑ Schönefeld, Marc (2010). Refactoring of Security Antipatterns in Distributed Java Components. Schriften aus der Fakultät Wirtschaftsinformatik und Angewandte Informatik der Otto-Friedrich-Universität Bamberg. Vol. 5. University of Bamberg Press. p. 179. ISBN 9783923507689 . Retrieved 2015-10-07. JGSS is the JAVA implementation of the GSSAPI.
↑ Fisher, Marina; Sharma, Sonu; Lai, Ray; Moroney, Laurence (2006). Java EE and .NET Interoperability: Integration Strategies, Patterns, and Best Practices. Prentice Hall Professional. ISBN 9780132715706 . Retrieved 2015-10-07. Java Generic Security Services Application Program Interface (JGSS) API for uniform access to security services atop a variety of underlying security mechanism, including Kerberos, which are building blocks for single sign-on and data encryption.

External links

RFC 2743 The Generic Security Service API Version 2 update 1
RFC 2744 The Generic Security Service API Version 2: C-Bindings
RFC 1964 The Kerberos 5 GSS-API mechanism
RFC 4121 The Kerberos 5 GSS-API mechanism: Version 2
RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
RFC 2025 The Simple Public-Key GSS-API Mechanism (SPKM)
RFC 2847 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
"Common Authentication Technology Next Generation (kitten)". Internet Engineering Task Force. September 2013.
Sun Microsystems (2002). "GSS-API Programming Guide — Sun Solaris 9". Oracle Corporation.
Oracle Corporation (2020). "Writing Applications That Use GSS-API — Oracle Solaris 11.4, Developer's Guide to Security".

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "JSR-000072 Generic Security Services API Specification 0.1". 2001-06-15. Retrieved 2015-10-07.

[2] Schönefeld, Marc (2010). Refactoring of Security Antipatterns in Distributed Java Components. Schriften aus der Fakultät Wirtschaftsinformatik und Angewandte Informatik der Otto-Friedrich-Universität Bamberg. Vol. 5. University of Bamberg Press. p. 179. ISBN 9783923507689 . Retrieved 2015-10-07. JGSS is the JAVA implementation of the GSSAPI.

[3] Fisher, Marina; Sharma, Sonu; Lai, Ray; Moroney, Laurence (2006). Java EE and .NET Interoperability: Integration Strategies, Patterns, and Best Practices. Prentice Hall Professional. ISBN 9780132715706 . Retrieved 2015-10-07. Java Generic Security Services Application Program Interface (JGSS) API for uniform access to security services atop a variety of underlying security mechanism, including Kerberos, which are building blocks for single sign-on and data encryption.

[1]

[2]

[3]

v t e Authentication
Authentication APIs	BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA)
Authentication protocols	ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam
Category Commons