In Kerberos, the process of determining whether a principal can use a service, which objects the principal is allowed to access, and the type of access allowed for each.
A state of trust between two applications. When a context has successfully been established between two peers, the context acceptor is aware that the context initiator is who it claims to be, and can verify and decrypt messages sent to it. If the context includes mutual authentication, then the initiator knows the acceptor's identity is valid and can also verify and decrypt messages from the acceptor.
An information package that identifies a principal and its ID. A credential specifies who the principal is and, often, its assigned privileges. Credentials are produced by security mechanisms.
A mechanism name that has been converted from the GSS-API internal-name format to the GSS-API Exported Name format by gss_export_name(). An exported name can be compared with names that are in non-GSS-API string format with memcmp(). See also mechanism name (MN), name.
The Generic Security Service Application Programming Interface. A network layer providing support for various modular security services. GSS-API provides for security authentication, integrity, and confidentiality services, and allows maximum portability of applications with regard to security.
A storage system for PKI objects. The following examples are popular keystores:
OpenSSL stores keys and certificates on disk in files (PEM, DER, or PKCS#12 format).
NSS is a private database that stores objects. NSS also supports PKCS#11 tokens.
PKCS#11 storage depends on the token selected: Local files use Oracle Solaris softtoken. Smart cards, for example, use hardware tokens.
A special instance of a GSS-API internal-format name. A normal internal-format GSS-API name can contain several instances of a name, each in the format of an underlying mechanism. A mechanism name, however, is unique to a particular mechanism. Mechanism names are generated by gss_canonicalize_name().
Data in the form of a gss_buffer_t object that is sent from one GSS-API-based application to a peer. An example of a message is "ls" sent to a remote ftp server.
A message can contain more than just the user-provided data. For example, gss_wrap() takes an unwrapped message and produces a wrapped one to be sent. The wrapped message includes both the original message and an accompanying MIC. GSS-API-generated information that does not include a message is a token. See token.
A cryptographic tag that is attached to transmitted data to ensure the data's validity. The recipient of the data generates another MIC and compares this MIC to the one that was sent. If the MICs are equal, the message is valid. Some MICs, such as those generated by gss_get_mic(), are visible to the application, while others, such as those generated by gss_wrap() or gss_init_sec_context(), are not.
See token.
The name of a principal, such as user@system. Names in the GSS-API are handled through the gss_name_t structure, which is opaque to applications. See also exported name, mechanism name (MN), name type.
The particular form in which a name is given. Name types are stored as gss_OID types and are used to indicate the format used for a name. For example, the name user@system would have a name type of GSS_C_NT_HOSTBASED_SERVICE. See also exported name, mechanism name (MN), name.
Applies to a piece of data whose value or format is not normally visible to functions that use it. For example, the input_token parameter to gss_init_sec_context() is opaque to the application, but significant to the GSS-API. Similarly, the input_message parameter to gss_wrap() is opaque to the GSS-API but important to the application doing the wrapping.
A parameter used to select the cryptographic algorithms to be used in conjunction with the integrity or confidentiality service. With integrity, the QOP specifies the algorithm for producing a message integrity code (MIC). With confidentiality, the QOP specifies the algorithm for both the MIC and message encryption.
A data packet in the form of a GSS-API gss_buffer_t structure. Tokens are produced by GSS-API functions for transfer to peer applications.
Tokens come in two types. Context-level tokens contain information used to establish or manage a security context. For example, gss_init_sec_context() bundles a context initiator's credential handle, the target system's name, flags for various requested services, and possibly other items into a token to be sent to the context acceptor.
Message tokens (also known as per-message tokens or message-level tokens) contain information generated by a GSS-API function from messages to be sent to a peer application. For example, gss_get_mic() produces an identifying cryptographic tag for a given message and stores it in a token to be sent to a peer with the message. Technically, a token is considered to be separate from a message, which is why gss_wrap() is said to produce an output_message and not an output_token.
See also message.
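Added example, not part of this glossary or of any GSS-API implementation: a Python model of the get-MIC / verify-MIC exchange and of the token-versus-message distinction described under MIC, QOP and token above. The HMAC construction, the QOP-to-algorithm table and the context key are assumptions chosen for illustration; a real mechanism negotiates the key during context establishment and defines its own QOP values.

```python
import hashlib
import hmac

# Hypothetical model of gss_get_mic() / gss_verify_mic(): the sender computes a
# per-message token that travels SEPARATELY from the message, and the receiver
# recomputes the MIC over the received message and compares the two tags.
# The key here stands in for the key a real mechanism derives at context setup.

# Constructed QOP -> MIC algorithm table (real QOP values are mechanism-specific).
QOP_ALGORITHMS = {0: "sha256", 1: "sha512"}
QOP_DEFAULT = 0

def get_mic(context_key: bytes, message: bytes, qop: int = QOP_DEFAULT) -> bytes:
    """Return a message token (QOP byte + HMAC tag); the message itself is not included."""
    algo = QOP_ALGORITHMS[qop]
    tag = hmac.new(context_key, message, algo).digest()
    return bytes([qop]) + tag

def verify_mic(context_key: bytes, message: bytes, token: bytes) -> bool:
    """Recompute the MIC under the QOP named in the token and compare in constant time."""
    if not token:
        return False
    algo = QOP_ALGORITHMS.get(token[0])
    if algo is None:
        return False  # unsupported QOP: reject rather than guess an algorithm
    expected = hmac.new(context_key, message, algo).digest()
    # compare_digest also returns False when the lengths differ (e.g. QOP byte swapped)
    return hmac.compare_digest(expected, token[1:])

def demo() -> dict:
    key = b"constructed-context-key-not-real"  # assumed, constructed for the example
    message = b"ls"                             # the user-provided data, as in the ftp example
    token = get_mic(key, message)
    return {
        "valid": verify_mic(key, message, token),
        "tampered_message": verify_mic(key, b"ls -a", token),
        "tampered_token": verify_mic(key, message, token[:-1] + bytes([token[-1] ^ 1])),
        "wrong_key": verify_mic(b"other-key", message, token),
        "qop_swapped": verify_mic(key, message, bytes([1]) + token[1:]),
    }

if __name__ == "__main__":
    print(demo())
```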