Glossary
- ACL
See Access Control List (ACL).
- Access Control List (ACL)
A file containing a list of principals with certain access permissions. Typically, a server consults an access control list to verify that a client has permission to use its services. Note that a principal authenticated by GSS-API can still be denied services if an ACL does not permit them.
- authentication
A security service that verifies the claimed identity of a principal.
- authorization
The process of determining whether a principal can use a service, which objects the principal is allowed to access, and the type of access allowed for each.
- client
Narrowly, a process that makes use of a network service on behalf of a user; for example, an application that uses rlogin. In some cases, a server can itself be a client of some other server or service. Informally, a principal that makes use of a service.
- confidentiality
A security service that encrypts data; confidentiality also includes integrity and authentication services. See also authentication, integrity, service.
- context
A "state of trust" between two applications. When a context has successfully been established between two peers, the context acceptor is aware that the context initiator is who it claims to be, and can verify and decrypt messages sent to it. If the context includes mutual authentication, then the initiator also knows that the acceptor's identity is valid and can likewise verify and/or decrypt messages from it.
- context-level token
See token.
- credential
An information package that identifies a principal; a principal's "identification badge," specifying who the principal is and, often, what privileges it has. Credentials are produced by security mechanisms.
- credential cache
A storage space (usually a file) containing credentials stored by a given mechanism.
- data replay
Data replay is said to occur when a single message in a message stream is received more than once. Many security mechanisms support data replay detection. Replay detection, if available, must be requested at context-establishment time.
- data type
(Also datatype) The form that a given piece of data takes: for example, an int, a string, a gss_name_t structure, or a gss_OID_set structure.
- delegation
If permitted by the underlying security mechanism, a principal (generally the context initiator) can designate a peer principal (usually the context acceptor) as a proxy by delegating its credentials to it. The delegated credentials can be used by the recipient to make requests on behalf of the original principal, as might be the case when a principal uses rlogin from machine to machine to machine.
- exported name
A name that has been converted from the GSS-API internal-name format (specifically, a Mechanism Name) to the GSS-API Exported Name format by gss_export_name(). An exported name can be compared with names that are in non-GSS-API string format with memcmp(). See also Mechanism Name (MN), name.
- flavor
Historically, security flavor and authentication flavor were equivalent terms, as a flavor indicated a type of authentication (AUTH_UNIX, AUTH_DES, AUTH_KERB). RPCSEC_GSS is also a security flavor, even though it provides integrity and confidentiality services in addition to authentication.
- GSS-API
The Generic Security Service Application Programming Interface. A network layer providing support for various modular security services. GSS-API provides for security authentication, integrity, and confidentiality services, and allows maximum portability of applications with regard to security. See also authentication, confidentiality, integrity.
- host
A machine accessible over a network.
- integrity
A security service that, in addition to user authentication, provides proof of the validity of transmitted data through cryptographic tagging. See also authentication, confidentiality, Message Integrity Code (MIC).
- mechanism
A software package that specifies cryptographic techniques to achieve data authentication or confidentiality. Examples include Kerberos v5 and Diffie-Hellman public key.
- Mechanism Name (MN)
A special instance of a GSS-API internal-format name. A normal internal-format GSS-API name may contain several instances of a name, each in the format of an underlying mechanism; a Mechanism Name, however, is unique to a particular mechanism. Mechanism Names are generated by gss_canonicalize_name().
- message
Data in the form of a gss_buffer_t object sent from one GSS-API-based application to its peer. An example of a message is "ls" sent to a remote ftp server.
A message can contain more than just the user-provided data. For example, gss_wrap() takes an unwrapped message and produces a wrapped one to be sent; the wrapped message includes both the original message and an accompanying MIC. GSS-API-generated information that does not include a message is a token; see token for more.
- Message Integrity Code (MIC)
A cryptographic "tag" attached to transmitted data to ensure the data's validity. The recipient of the data generates its own MIC and compares it to the one that was sent; if they're equal, the message is valid. Some MICs, such as those generated by gss_get_mic(), are visible to the application, while others, such as those generated by gss_wrap() or gss_init_sec_context(), are not.
- message-level token
See token.
- MIC