Generic Security Service Application Program Interface
RFC 1508 Generic Security Interface September 1993
implemented) over a range of underlying mechanisms based on secret-
key and public-key cryptographic technologies.
The GSS-API separates the operations of initializing a security
context between peers, achieving peer entity authentication (This
security service definition, and other definitions used in this
document, corresponds to that provided in International Standard ISO
7498-2-1988(E), Security Architecture.) (GSS_Init_sec_context() and
GSS_Accept_sec_context() calls), from the operations of providing
per-message data origin authentication and data integrity protection
(GSS_Sign() and GSS_Verify() calls) for messages subsequently
transferred in conjunction with that context. Per-message GSS_Seal()
and GSS_Unseal() calls provide the data origin authentication and
data integrity services which GSS_Sign() and GSS_Verify() offer, and
also support selection of confidentiality services as a caller
option. Additional calls provide supportive functions to the GSS-
API's users.
The following paragraphs provide an example illustrating the
dataflows involved in use of the GSS-API by a client and server in a
mechanism-independent fashion, establishing a security context and
transferring a protected message. The example assumes that credential
acquisition has already been completed. The example assumes that the
underlying authentication technology is capable of authenticating a
client to a server using elements carried within a single token, and
of authenticating the server to the client (mutual authentication)
with a single returned token; this assumption holds for presently-
documented CAT mechanisms but is not necessarily true for other
cryptographic technologies and associated protocols.
The client calls GSS_Init_sec_context() to establish a security
context to the server identified by targ_name, and elects to set the
mutual_req_flag so that mutual authentication is performed in the
course of context establishment. GSS_Init_sec_context() returns an
output_token to be passed to the server, and indicates
GSS_CONTINUE_NEEDED status pending completion of the mutual
authentication sequence. Had mutual_req_flag not been set, the
initial call to GSS_Init_sec_context() would have returned
GSS_COMPLETE status. The client sends the output_token to the server.
The server passes the received token as the input_token parameter to
GSS_Accept_sec_context(). GSS_Accept_sec_context() indicates
GSS_COMPLETE status, provides the client's authenticated identity in
the src_name result, and provides an output_token to be passed to the
client. The server sends the output_token to the client.
The client passes the received token as the input_token parameter to
a successor call to GSS_Init_sec_context(), which processes data
Linn
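The context-establishment dataflow described above, modelled as an added example that is not part of RFC 1508 or any real GSS-API implementation: a constructed pre-shared-key HMAC "mechanism" stands in for the underlying authentication technology, and the peer names, keys and the establish() driver are assumptions. It shows GSS_CONTINUE_NEEDED versus GSS_COMPLETE on the first initiator call depending on mutual_req_flag, the acceptor returning src_name plus a server token, and the successor initiator call verifying that token.

```python
import hashlib, hmac, os

GSS_COMPLETE, GSS_CONTINUE_NEEDED, GSS_FAILURE = "GSS_COMPLETE", "GSS_CONTINUE_NEEDED", "GSS_FAILURE"
# Constructed key store standing in for credentials both peers already acquired
# (the text assumes credential acquisition is complete). Toy mechanism only.
SECRETS = {"alice": b"alice-key", "fileserver": b"fileserver-key"}

def _mac(key, *fields):
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def GSS_Init_sec_context(ctx, targ_name, input_token=None, mutual_req_flag=False):
    """Initiator. First call (no input_token) emits the client token; the
    successor call checks the server's returned token when mutual auth was requested."""
    if input_token is None:
        ctx.update(targ=targ_name, nonce=os.urandom(16).hex(), mutual=mutual_req_flag)
        proof = _mac(SECRETS[ctx["name"]], ctx["name"], targ_name, ctx["nonce"])
        token = "|".join([ctx["name"], targ_name, ctx["nonce"], proof])
        # Without mutual_req_flag a single token completes the context.
        return (GSS_CONTINUE_NEEDED if mutual_req_flag else GSS_COMPLETE), token
    # Successor call: the server proves it holds its key by MACing our nonce.
    expected = _mac(SECRETS[ctx["targ"]], ctx["targ"], ctx["nonce"])
    ok = hmac.compare_digest(expected, input_token)
    return (GSS_COMPLETE if ok else GSS_FAILURE), None

def GSS_Accept_sec_context(ctx, input_token):
    """Acceptor. Verifies the client token, yields src_name, and returns the
    token that authenticates the server back to the client."""
    src_name, targ_name, nonce, proof = input_token.split("|")
    if targ_name != ctx["name"] or not hmac.compare_digest(
            proof, _mac(SECRETS.get(src_name, b""), src_name, targ_name, nonce)):
        return GSS_FAILURE, None, None
    output_token = _mac(SECRETS[ctx["name"]], ctx["name"], nonce)
    return GSS_COMPLETE, src_name, output_token

def establish(mutual_req_flag):
    """Runs the exchange from the text; returns the statuses each side saw
    and the src_name the server obtained."""
    client, server, trace = {"name": "alice"}, {"name": "fileserver"}, []
    status, tok = GSS_Init_sec_context(client, "fileserver", mutual_req_flag=mutual_req_flag)
    trace.append(("client", status))
    status, src_name, tok = GSS_Accept_sec_context(server, tok)  # token crosses the wire
    trace.append(("server", status))
    if client["mutual"]:  # only the mutual case needs the successor call
        status, _ = GSS_Init_sec_context(client, "fileserver", input_token=tok)
        trace.append(("client", status))
    return trace, src_name

if __name__ == "__main__":
    print(establish(mutual_req_flag=True))
    print(establish(mutual_req_flag=False))
```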