Generic Security Services Application Programming Interface: Difference between revisions

Dleonard
Improvements. Replace some opinion with simpler facts.
Line 20:
 
The GSSAPI describes about 45 procedure calls. Significant ones include:
* ''GSS_Acquire_cred'' - obtains the user's loginidentity proof, often a secret cryptographic key
* ''GSS_Import_name'' - converts a typed username or hostname into a form that identifies a securablesecurity entity
* ''GSS_Init_sec_context'' - generates a newclient token to send to the server, usually a challenge
* ''GSS_Accept_sec_context'' - processes a token from ''GSS_Init_sec_context'' and generatescan generate a newresponse token to send backreturn
* ''GSS_Wrap'' - converts application data into a secure message token (typically encrypted)
* ''GSS_Unwrap'' - converts a secure message token back into application data
 
The GSSAPI has been standardised for the
[[C (programming language)|C]] and [[Java (programming language)|Java]] languages.
<!-- A standard for [[C Sharp|C#]] is forthcoming. C# work appears to have perished -->
 
Limitations of the GSSAPI include that it standardizes only [[authentication]], and not [[authorization]], and that it assumes a [[client-server]] architecture.
 
Anticipating new security mechanisms,
Different GSS-API mechanisms are usually non-interoperable. When the future addition of other GSS-API mechanisms into a large heterogenous landscape is anticipated, it might be wise to deploy [[SPNEGO]] on every communication peer from the beginning so that a common GSS-API mechanism can be securely negotiated between communication peers (initiator and acceptor). Microsoft included SPNEGO with Microsoft Windows 2000 when they added Kerberos5 to the existing NTLM SSP/mechanism.
the GSSAPI includes a negotiating ''pseudo mechanism'', [[SPNEGO]], that can discover and use new mechanisms not present when the original application was built.
 
== Relationship to Kerberos ==
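Review bot: the descriptions of ''GSS_Init_sec_context'' ("generates a client token to send to the server, usually a challenge") and ''GSS_Accept_sec_context'' ("can generate a response token to return") read as a single challenge/response round trip, but both calls are designed to be invoked repeatedly, each side feeding the peer's token back in until the call reports that the context is established rather than that continuation is needed; a short sentence saying that the exchange may take several rounds, and that the acceptor may have no token to return at all on the final round, would make the list accurate for mechanisms other than the two-message case. The same applies to ''GSS_Wrap'' "(typically encrypted)": the caller requests confidentiality per call and the peer's ''GSS_Unwrap'' reports whether confidentiality was actually applied, so a message can be integrity-protected only; suggest wording such as "integrity-protected and, if requested and supported by the mechanism, encrypted" so readers do not assume every wrapped token is encrypted without checking. Minor: "heterogenous" in the removed SPNEGO paragraph is spelled "heterogeneous", should any of that text be retained.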
Line 40 ⟶ 41:
Unlike the GSSAPI, the Kerberos API has not been standardized
and various existing implementations use incompatible APIs.
The GSSAPI allows Kerberos implementations to be API compatible.
 
== Competing technologies ==
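Review bot: "the Kerberos API has not been standardized" in the first line of this hunk should distinguish the library API from the protocol, since the Kerberos protocol itself is standardized (RFC 4120) and implementations interoperate on the wire; what differs between implementations is the programming interface. Suggest "Unlike the GSSAPI, the Kerberos library API has not been standardized, and existing implementations expose incompatible interfaces; the GSSAPI gives applications a single API (RFC 2743, with C bindings in RFC 2744) that works with any of them." Note also that this hunk appears to contain only shifted context (Line 40 ⟶ 41) with no changed wording, so the clarification could go in a follow-up edit rather than this one.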