This article includes a list ofgeneral references, butit lacks sufficient correspondinginline citations. Please help toimprove this article byintroducing more precise citations.(October 2013) (Learn how and when to remove this message)

TheGeneric Security Service Application Programming Interface (GSSAPI, alsoGSS-API) is anapplication programming interface for programs to accesssecurity services.

The GSSAPI is anIETF standard that addresses the problem of many similar but incompatible security services in use as of 2005^[update].

The GSSAPI, by itself, does not provide any security. Instead, security-service vendors provide GSSAPIimplementations - usually in the form oflibraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only thevendor-independent GSSAPI.If the security implementation ever needs replacing, the application need not be rewritten.

The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application.The client and server sides of the application are written to convey the tokens given to them bytheir respective GSSAPI implementations.GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security.After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that asecurity context is established.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.Typical protections guaranteed by GSSAPI wrapping includeconfidentiality (secrecy) andintegrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.

The GSSAPI describes about 45 procedure calls. Significant ones include:

GSS_Acquire_cred

Obtains the user's identity proof, often a secret cryptographic key

GSS_Import_name

Converts a username or hostname into a form that identifies a security entity

GSS_Init_sec_context

Generates a client token to send to the server, usually a challenge

GSS_Accept_sec_context

Processes a token fromGSS_Init_sec_context and can generate a response token to return

GSS_Wrap

Converts application data into a secure message token (typically encrypted)

GSS_Unwrap

Converts a secure message token back into application data

The GSSAPI is standardized for theC (RFC 2744) language.Java implements the GSSAPI^[1]as JGSS,^[2]the Java Generic Security Services Application Program Interface.^[3]

Some limitations of GSSAPI are:

1. standardizing onlyauthentication, rather notauthorization too;
2. assuming aclient–server architecture.

Anticipating new security mechanisms, the GSSAPI includes a negotiatingpseudo mechanism,SPNEGO, that can discover and use new mechanisms not present when the original application was built.

The dominant GSSAPI mechanism implementation in use isKerberos.Unlike the GSSAPI, the Kerberos API has not been standardizedand various existing implementations use incompatible APIs.The GSSAPI allows Kerberos implementations to be API compatible.

• RADIUS
• SASL
• TLS
• SSPI
• SPNEGO
• RPCSEC GSS

Name

A binary string that labels asecurity principal (i.e., user or service program) - seeaccess control andidentity. For example,Kerberos uses names likeuser@REALM for users andservice/hostname@REALM for programs.

Credentials

Information that proves an identity; used by an entity to act as the named principal. Credentials typically involve a secret cryptographic key.

Context

The state of one end of the authenticating/authenticatedprotocol. May provide message protection services, which can be used to compose asecure channel.

Tokens

Opaque messages exchanged either as part of the initial authentication protocol (context-level tokens), or as part of a protected communication (per-message tokens)

Mechanism

An underlying GSSAPI implementation that provides actual names, tokens and credentials. Known mechanisms includeKerberos,NTLM,Distributed Computing Environment (DCE), SESAME,SPKM, LIPKEY.

Initiator/acceptor

The peer that sends the first token is the initiator; the other is the acceptor. Generally, the client program is the initiator while the server is the acceptor.

• July 1991: IETF Common Authentication Technology (CAT) Working Group meets in Atlanta, led by John Linn
• September 1993: GSSAPI version 1 (RFC 1508, RFC 1509)
• May 1995: Windows NT 3.51 released, includes SSPI
• June 1996: Kerberos mechanism for GSSAPI (RFC 1964)
• January 1997: GSSAPI version 2 (RFC 2078)
• October 1997: SASL published, includes GSSAPI mechanism (RFC 2222)
• January 2000: GSSAPI version 2 update 1 (RFC 2743, RFC 2744)
• August 2004: KITTEN working group meets to continue CAT activities
• May 2006: Secure Shell use of GSSAPI standardised (RFC 4462)

• PKCS #11

• RFC 2743 The Generic Security Service API Version 2 update 1
• RFC 2744 The Generic Security Service API Version 2: C-Bindings
• RFC 1964 The Kerberos 5 GSS-API mechanism
• RFC 4121 The Kerberos 5 GSS-API mechanism: Version 2
• RFC 4178 The Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
• RFC 2025 The Simple Public-Key GSS-API Mechanism (SPKM)
• RFC 2847 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
• "Common Authentication Technology Next Generation (kitten)".Internet Engineering Task Force. September 2013.
• Sun Microsystems (2002)."GSS-API Programming Guide — Sun Solaris 9".Oracle Corporation.
• Oracle Corporation (2020)."Writing Applications That Use GSS-API — Oracle Solaris 11.4, Developer's Guide to Security".

• Operating system security
• Internet Standards

• Articles with short description
• Short description matches Wikidata
• Articles lacking in-text citations from October 2013
• All articles lacking in-text citations
• Articles containing potentially dated statements from 2005
• All articles containing potentially dated statements