14.8. The Generic Security Services API (GSSAPI)

The GSSAPI is an IETF standard that provides a set of cryptographic services to an application. The services are provided via a well-defined application programming interface. The cryptographic services are:

• Context/session setup and shutdown

• Encrypting and decrypting messages

• Message signing and verification

The API is designed to work with a number of cryptographic technologies, but each technology separately defines the content of packets. Two independently written applications that use the GSSAPI may not be able to interoperate if they are not using the same underlying cryptographic technology.

There are at least two standard protocol-level implementations of the GSSAPI, one using Kerberos and the other using RSA public keys. In order to understand what is needed to support a particular implementation of the GSSAPI, you also need to know which underlying cryptographic technology has been used. In the case of a Kerberos GSSAPI, you will need a Kerberos Key Distribution Center (see Chapter 21, "Authentication and Auditing Services", for more information on Kerberos).

The GSSAPI works best in applications where the connections between computers match the transactions being performed. If multiple connections are needed to finish a transaction, each one will require a new GSSAPI session, because the GSSAPI does not include any support for identifying the cryptographic context of a message. Applications that need this functionality should probably be using TLS or SSL.

Because of the lack of context, the GSSAPI does not work well with connectionless protocols like UDP; it is really suited only for use with connection-oriented protocols like TCP.

---