Introduction to the Kerberos Products and GSS-API

Generic Security Service Application Programming Interface (GSS-API)

gss_context_time: Indicate validity time remaining in context

Authentication Services

Two sets of per-message calls provide security to the context. The gss_get_mic() and gss_verify_mic() function calls provide data origin authentication and data integrity services. The gss_wrap() and gss_unwrap() function calls support caller-requested confidentiality. For more information, see “Confidentiality Service” on page 72.

The gss_get_mic() function call generates an integrity-check token that is transmitted separately from the application data it protects. The peer that receives the application data along with the message token verifies the communication using gss_verify_mic(); if the data or the token has been altered in transit, the check fails.

Each deployment can select its own Quality of Protection (QOP) options, which determine the algorithms the mechanism applies to per-message calls.

In summary, per-message calls that authenticate messages are:

gss_get_mic: Apply integrity check, receive as token separate from message.

gss_verify_mic: Validate integrity check token along with message.

Confidentiality Service

GSS-API provides confidentiality with the gss_wrap() and gss_unwrap() functions. The output of gss_wrap() is a token in which the application data is encapsulated, integrity-protected, and optionally encrypted; this token is passed to the remote peer. The same token is the input to gss_unwrap() at the target, where it is decapsulated, decrypted if needed, and its integrity check validated.

In summary, the APIs for confidentiality service include the following:

gss_wrap: Sign, optionally encrypt, encapsulate

gss_unwrap: Decapsulate, decrypt if needed, validate integrity check.
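The following is an added example, not code from this document or from any GSS-API implementation. It models the two sets of per-message calls described under "Authentication Services" and "Confidentiality Service": gss_get_mic()/gss_verify_mic(), where the integrity token travels separately from the message, and gss_wrap()/gss_unwrap(), where the message is encapsulated and, when confidentiality is requested, encrypted. The cryptography (HMAC-SHA256 tags and an HMAC-derived keystream) is a stand-in chosen so the example runs with the Python standard library alone; the real token formats and keys come from the Kerberos mechanism and are not reproduced here. The session key, message, and sequence-number layout are constructed for the example; GSS_S_COMPLETE, GSS_S_BAD_SIG and GSS_S_UNSEQ_TOKEN are the names of real GSS-API status codes, used here only as labels.

```python
import hashlib
import hmac
import struct

# Status labels borrowed from the GSS-API (values are arbitrary in this model).
GSS_S_COMPLETE = 0
GSS_S_BAD_SIG = 1       # integrity check failed
GSS_S_UNSEQ_TOKEN = 2   # token arrived out of sequence (or was replayed)

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


class SecurityContext:
    """One side of an established context (after gss_init/accept_sec_context).
    Both peers derive the same per-message keys from the context's session key."""

    def __init__(self, session_key: bytes):
        # Separate keys for integrity and confidentiality, derived from the session key.
        self._mic_key = hmac.new(session_key, b"mic", hashlib.sha256).digest()
        self._enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.send_seq = 0   # sequence number stamped into tokens this side emits
        self.recv_seq = 0   # next sequence number expected from the peer

    # ---- gss_get_mic / gss_verify_mic: token is separate from the message ----
    def get_mic(self, message: bytes) -> bytes:
        header = struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        tag = hmac.new(self._mic_key, header + message, hashlib.sha256).digest()
        return header + tag  # the message itself is NOT carried in the token

    def verify_mic(self, message: bytes, mic_token: bytes) -> int:
        header, tag = mic_token[:8], mic_token[8:]
        expected = hmac.new(self._mic_key, header + message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return GSS_S_BAD_SIG
        (seq,) = struct.unpack(">Q", header)
        if seq != self.recv_seq:
            return GSS_S_UNSEQ_TOKEN  # replayed or reordered token
        self.recv_seq += 1
        return GSS_S_COMPLETE

    # ---- gss_wrap / gss_unwrap: message is encapsulated, optionally encrypted ----
    def _keystream(self, seq: int, length: int) -> bytes:
        # Stand-in stream cipher: HMAC as a PRF in counter mode, keyed per sequence number.
        out = b""
        for block in range((length + 31) // 32):
            out += hmac.new(self._enc_key, struct.pack(">QQ", seq, block),
                            hashlib.sha256).digest()
        return out[:length]

    def wrap(self, message: bytes, conf_req: bool) -> bytes:
        header = struct.pack(">QB", self.send_seq, 1 if conf_req else 0)
        body = message
        if conf_req:  # caller asked for confidentiality: encrypt the body
            ks = self._keystream(self.send_seq, len(message))
            body = bytes(m ^ k for m, k in zip(message, ks))
        self.send_seq += 1
        # Integrity check covers header and (possibly encrypted) body: encrypt-then-MAC.
        tag = hmac.new(self._mic_key, header + body, hashlib.sha256).digest()
        return header + body + tag  # message travels inside the token

    def unwrap(self, wrap_token: bytes) -> tuple:
        """Returns (message, conf_state); raises ValueError on a bad token."""
        header, body, tag = wrap_token[:9], wrap_token[9:-TAG_LEN], wrap_token[-TAG_LEN:]
        expected = hmac.new(self._mic_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("GSS_S_BAD_SIG: wrap token failed integrity check")
        seq, conf_flag = struct.unpack(">QB", header)
        if seq != self.recv_seq:
            raise ValueError("GSS_S_UNSEQ_TOKEN: unexpected sequence number")
        self.recv_seq += 1
        if conf_flag:  # decrypt only if the sender applied confidentiality
            ks = self._keystream(seq, len(body))
            body = bytes(c ^ k for c, k in zip(body, ks))
        return body, bool(conf_flag)


def demo() -> dict:
    """Initiator-to-acceptor exchange using both sets of per-message calls."""
    session_key = b"constructed-session-key-for-demo"  # constructed; a mechanism supplies this
    initiator, acceptor = SecurityContext(session_key), SecurityContext(session_key)
    msg = b"transfer 100 to account 42"
    results = {}

    mic = initiator.get_mic(msg)
    # Altered application data fails even though the token itself is untouched.
    results["tamper_detected"] = acceptor.verify_mic(b"transfer 900 to account 42", mic) == GSS_S_BAD_SIG
    results["mic_ok"] = acceptor.verify_mic(msg, mic) == GSS_S_COMPLETE
    results["replay_rejected"] = acceptor.verify_mic(msg, mic) == GSS_S_UNSEQ_TOKEN

    sealed = initiator.wrap(msg, conf_req=True)
    results["ciphertext_hides_message"] = msg not in sealed
    results["unwrap_sealed"] = acceptor.unwrap(sealed)   # (msg, True)

    signed = initiator.wrap(msg, conf_req=False)
    results["plaintext_visible"] = msg in signed          # integrity only, data in clear
    results["unwrap_signed"] = acceptor.unwrap(signed)   # (msg, False)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The conf_state value returned by unwrap() mirrors the real API's conf_state output parameter: a receiver must check it rather than assume the data was encrypted, since a gss_wrap() call made without conf_req delivers the data in the clear, integrity-protected only.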

Support Services

GSS-API support services include the following APIs:

gss_display_status: Translate status codes into printable format

gss_indicate_mechs: Indicate the mechanism types (mech_type) supported on the local system

72

Chapter 2