Generic Security Services Application Programming Interface: Difference between revisions
tidy up; add section on History
m →How it works: remove passive voice; minor fixes
== How it works ==
The GSSAPI, by itself, does not provide any security; it is only an interface.
Instead, security service vendors provide GSSAPI ''implementations'', usually in the form of [[Library (computer science)|libraries]] installed with their security software.
These libraries present a GSSAPI-compatible interface to application writers, who can write their application against only the [[Standardization|vendor-independent]] GSSAPI.
If the underlying security implementation ever needs replacing, the application need not be rewritten.
The definitive feature of GSSAPI applications is the exchange of opaque messages (''tokens'').
The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations, without inspecting or interpreting their contents.
After some number of tokens have been exchanged, the GSSAPI implementations at both ends inform their local application that a security context has been established.
Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.
Typical protections guaranteed by GSSAPI wrapping include [[confidentiality]] (secrecy) and [[integrity]] (detection of tampering, and hence authenticity of the data's origin). The GSSAPI can also give the local application guarantees about the authenticated identity of the remote user or remote host.
* ''GSS_Init_sec_context'' - called by the client; processes any token received from the server and generates the next token to send to it
* ''GSS_Accept_sec_context'' - called by the server; processes a token produced by ''GSS_Init_sec_context'' and generates a new token to send back
* ''GSS_Wrap'' - converts application data into a secure message (typically encrypted, and integrity-protected in any case)
* ''GSS_Unwrap'' - verifies a secure message and converts it back into application data
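The token exchange described above and the four calls listed here are easiest to see in code. The following is an added example, not text or code from the article and not from any GSSAPI library or vendor: it shows the application-side driver loop that conveys opaque tokens between the two context-establishment calls until neither side reports ''GSS_S_CONTINUE_NEEDED'' (the status names are those of RFC 2743), and then wraps and unwraps application messages. Because the GSSAPI is only an interface, the block plugs in ''ToyMechanism'', a constructed stand-in on a pre-shared key that is assumed for illustration and is not Kerberos, SPNEGO, or any real GSS mechanism; only the calling pattern is GSSAPI.

```python
"""Added example, not from the article or any GSSAPI library: the application
driver loop that ferries opaque tokens between GSS_Init_sec_context and
GSS_Accept_sec_context, then protects traffic with wrap/unwrap.  ToyMechanism
is a constructed stand-in (not a real GSS mechanism); the loop is the pattern."""
import hashlib
import hmac
import os

GSS_S_COMPLETE = 0          # status codes named as in RFC 2743
GSS_S_CONTINUE_NEEDED = 1


class ToyMechanism:
    """Two-leg mutual authentication on a pre-shared key with fresh nonces, then encrypt-then-MAC."""
    def __init__(self, long_term_key, role):
        assert role in ("initiator", "acceptor")
        self._ltk, self.role = long_term_key, role
        self._nonce, self._peer_nonce = os.urandom(16), None
        self.session_key, self.established = None, False
        self._send_seq = self._recv_seq = 0
    def _mac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()
    def init_sec_context(self, input_token):
        """Client. First call: no input, emit C1 = nonce.  Second call: verify
        the server's proof over both nonces, emit C2 = own proof, COMPLETE."""
        if input_token is None:
            return GSS_S_CONTINUE_NEEDED, b"C1" + self._nonce
        if input_token[:2] != b"S1" or len(input_token) != 50:
            raise ValueError("defective token")
        self._peer_nonce, proof = input_token[2:18], input_token[18:]
        nonces = self._nonce + self._peer_nonce
        key = self._mac(self._ltk, b"session" + nonces)
        if not hmac.compare_digest(proof, self._mac(key, b"server" + nonces)):
            raise ValueError("server proof failed")   # wrong key or tampering
        self.session_key, self.established = key, True
        return GSS_S_COMPLETE, b"C2" + self._mac(key, b"client" + nonces)
    def accept_sec_context(self, input_token):
        """Server. C1 -> derive key, reply S1 = nonce || proof, CONTINUE_NEEDED.
        C2 -> verify client proof; COMPLETE with no token to send back."""
        if input_token[:2] == b"C1" and len(input_token) == 18:
            self._peer_nonce = input_token[2:]
            nonces = self._peer_nonce + self._nonce
            self.session_key = self._mac(self._ltk, b"session" + nonces)
            proof = self._mac(self.session_key, b"server" + nonces)
            return GSS_S_CONTINUE_NEEDED, b"S1" + self._nonce + proof
        if input_token[:2] == b"C2" and self.session_key and len(input_token) == 34:
            expected = self._mac(self.session_key, b"client" + self._peer_nonce + self._nonce)
            if not hmac.compare_digest(input_token[2:], expected):
                raise ValueError("client proof failed")
            self.established = True
            return GSS_S_COMPLETE, None
        raise ValueError("defective token")
    def _keystream(self, direction, seq, n):
        # HMAC in counter mode; keyed by direction and sequence number so a
        # (key, counter) pair is never reused across messages or directions.
        blocks = (self._mac(self.session_key, b"enc" + direction + seq + i.to_bytes(4, "big"))
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]
    def wrap(self, data):
        """Token layout: seq(4) || ciphertext || tag(32)."""
        assert self.established
        seq, me = self._send_seq.to_bytes(4, "big"), self.role.encode()
        self._send_seq += 1
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(me, seq, len(data))))
        return seq + ct + self._mac(self.session_key, b"wrap" + me + seq + ct)
    def unwrap(self, token):
        """Verify the tag first, then reject replays, then decrypt."""
        assert self.established
        peer = b"acceptor" if self.role == "initiator" else b"initiator"
        if len(token) < 36:
            raise ValueError("defective token")
        seq, ct, tag = token[:4], token[4:-32], token[-32:]
        if not hmac.compare_digest(tag, self._mac(self.session_key, b"wrap" + peer + seq + ct)):
            raise ValueError("bad MIC")                 # tampered or forged
        if int.from_bytes(seq, "big") != self._recv_seq:
            raise ValueError("replayed or out-of-sequence token")
        self._recv_seq += 1
        return bytes(a ^ b for a, b in zip(ct, self._keystream(peer, seq, len(ct))))


def establish_context(client, server):
    """The application's part, both halves at once: convey whatever tokens the
    two calls hand out, never inspecting them, until neither side reports
    CONTINUE_NEEDED.  Returns the number of tokens conveyed."""
    conveyed, reply = 0, None
    c_status, token = client.init_sec_context(None)
    s_status = GSS_S_CONTINUE_NEEDED
    while not (c_status == GSS_S_COMPLETE and s_status == GSS_S_COMPLETE):
        if token is not None:                          # client -> server
            conveyed += 1
            s_status, reply = server.accept_sec_context(token)
            token = None
        if reply is not None:                          # server -> client
            conveyed += 1
            c_status, token = client.init_sec_context(reply)
            reply = None
        elif not (c_status == GSS_S_COMPLETE and s_status == GSS_S_COMPLETE):
            raise RuntimeError("exchange stalled with no token to convey")
    return conveyed
```

The point to take from ''establish_context'' is that the application never looks inside a token: it only checks the status each call returns and moves bytes to the other side, which is what lets a real mechanism such as Kerberos replace ''ToyMechanism'' without touching the loop. The stand-in also shows the two failure modes an application must expect after establishment: a token whose integrity check fails (tampering or forgery) and a valid token presented out of sequence (replay), both surfaced as errors from ''unwrap'' before any plaintext is released.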