CVS gss/doc/specification
From: gss-commit
Subject: CVS gss/doc/specification
Date: Tue, 29 Nov 2005 22:13:45 +0100
Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv2987
Added Files:
draft-ietf-kitten-gssapi-csharp-bindings-00.txt
Log Message:
Add.
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-csharp-bindings-00.txt 2005/11/29 21:13:45 NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-csharp-bindings-00.txt 2005/11/29 21:13:45 1.1
NETWORK WORKING GROUP J. C. Luciani
INTERNET-DRAFT Novell, Inc.
Expires: April 8, 2006 November 8, 2005
GSS_API V2: C# Bindings
draft-ietf-kitten-gssapi-csharp-bindings-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
The Generic Security Services Application Program Interface (GSS-API)
offers application programmers uniform access to security services
atop a variety of underlying cryptographic mechanisms. This document
specifies the C# language bindings for GSS-API which is described at
a language independent conceptual level in RFC 2743 [RFC2743].
The GSS-API C# bindings were designed to emulate the Java bindings as
defined in RFC 2853 [RFC2853].
Luciani Expires April 8, 2006 [Page 1]
Internet-Draft GSS-API V2: C# Bindings November 2005
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2. GSS-API Operational Paradigm. . . . . . . . . . . . . . . . . . . . 6
3. Additional Controls . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Delegation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2. Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . 9
3.3. Replay and Out-of-Sequence Detection. . . . . . . . . . . . . . 10
3.4. Anonymous Authentication. . . . . . . . . . . . . . . . . . . . 11
3.5. Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . 12
3.6. Inter-process Context Transfer. . . . . . . . . . . . . . . . . 12
3.7. The Use of Incomplete Contexts. . . . . . . . . . . . . . . . . 13
4. C# GSS-API Overview . . . . . . . . . . . . . . . . . . . . . . . 13
4.1. Object Identifiers. . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Object Identifier Sets. . . . . . . . . . . . . . . . . . . . . 14
4.3. Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.4. Contexts. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5. Authentication Tokens . . . . . . . . . . . . . . . . . . . . . 17
4.6. Interprocess Tokens . . . . . . . . . . . . . . . . . . . . . . 17
4.7. Error Reporting . . . . . . . . . . . . . . . . . . . . . . . . 17
4.7.1. GSS Status Codes. . . . . . . . . . . . . . . . . . . . . . . 18
4.7.2. Mechanism-specific Codes. . . . . . . . . . . . . . . . . . . 20
4.7.3. Supplementary Status Codes . . . . . . . . . . . . . . . . . . 20
4.8. Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.9. Channel Bindings. . . . . . . . . . . . . . . . . . . . . . . . 23
5. Introduction to GSS-API Classes and Interfaces. . . . . . . . . . 24
5.1. GSSManager Class. . . . . . . . . . . . . . . . . . . . . . . . 24
5.2. GSSName Interface . . . . . . . . . . . . . . . . . . . . . . . 25
5.3. GSSCredential Interface . . . . . . . . . . . . . . . . . . . . 25
5.4. GSSContext Interface. . . . . . . . . . . . . . . . . . . . . . 26
5.5. MessageProp Class . . . . . . . . . . . . . . . . . . . . . . . 27
5.6. GSSException Class. . . . . . . . . . . . . . . . . . . . . . . 27
5.7. Oid Class . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.8. ChannelBinding Class. . . . . . . . . . . . . . . . . . . . . . 27
5.9. GSSConstants Class. . . . . . . . . . . . . . . . . . . . . . . 28
5.10. GSSNameTypes Class . . . . . . . . . . . . . . . . . . . . . . 28
5.11. GSSCredentialUsage Enumeration . . . . . . . . . . . . . . . . 28
6. Detailed GSS-API Description. . . . . . . . . . . . . . . . . . . 28
6.1. public abstract class GSSManager. . . . . . . . . . . . . . . . 28
6.1.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 29
6.1.2. getInstance . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.1.3. getMechs. . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.1.4. getNamesForMech . . . . . . . . . . . . . . . . . . . . . . . 29
6.1.5. getMechsForName . . . . . . . . . . . . . . . . . . . . . . . 29
6.1.6. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.1.7. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.1.8. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 31
6.1.9. createName. . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.1.10. createCredential . . . . . . . . . . . . . . . . . . . . . . 32
6.1.11. createCredential . . . . . . . . . . . . . . . . . . . . . . 33
6.1.12. createCredential . . . . . . . . . . . . . . . . . . . . . . 33
6.1.13. createContext. . . . . . . . . . . . . . . . . . . . . . . . 34
6.1.14. createContext. . . . . . . . . . . . . . . . . . . . . . . . 35
6.1.15. createContext. . . . . . . . . . . . . . . . . . . . . . . . 35
6.2. public class GSSConstants . . . . . . . . . . . . . . . . . . . 35
6.2.1. DEFAULT_LIFETIME. . . . . . . . . . . . . . . . . . . . . . . 35
6.2.2. INDEFINITE_LIFETIME . . . . . . . . . . . . . . . . . . . . . 36
6.3. public class GSSNameTypes . . . . . . . . . . . . . . . . . . . 36
6.3.1. NT_HOSTBASED_SERVICE. . . . . . . . . . . . . . . . . . . . . 36
6.3.2. NT_USER_NAME. . . . . . . . . . . . . . . . . . . . . . . . . 36
6.3.3. NT_MACHINE_UID_NAME . . . . . . . . . . . . . . . . . . . . . 36
6.3.4. NT_STRING_UID_NAME. . . . . . . . . . . . . . . . . . . . . . 37
6.3.5. NT_ANONYMOUS. . . . . . . . . . . . . . . . . . . . . . . . . 37
6.3.6. NT_EXPORT_NAME. . . . . . . . . . . . . . . . . . . . . . . . 37
6.4. public interface GSSName. . . . . . . . . . . . . . . . . . . . 38
6.4.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 38
6.4.2. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.4.3. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.4.4. canonicalize. . . . . . . . . . . . . . . . . . . . . . . . . 39
6.4.5. export. . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.4.6. ToString. . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.4.7. stringNameType. . . . . . . . . . . . . . . . . . . . . . . . 40
6.4.8. isAnonymous . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.4.9. isMN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.5. public enum GSSCredentialUsage. . . . . . . . . . . . . . . . . 41
6.5.1. INITIATE_AND_ACCEPT . . . . . . . . . . . . . . . . . . . . . 41
6.5.2. INITIATE_ONLY . . . . . . . . . . . . . . . . . . . . . . . . 41
6.5.3. ACCEPT_ONLY . . . . . . . . . . . . . . . . . . . . . . . . . 41
6.6. public interface GSSCredential. . . . . . . . . . . . . . . . . 41
6.6.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . . 42
6.6.2. dispose . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6.6.3. getName . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6.6.4. getName . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6.6.5. getRemainingLifetime. . . . . . . . . . . . . . . . . . . . . 43
6.6.6. getRemainingInitLifetime. . . . . . . . . . . . . . . . . . . 44
6.6.7. getRemainingAcceptLifetime. . . . . . . . . . . . . . . . . . 44
6.6.8. getUsage. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6.6.9. getUsage. . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.6.10. getMechs . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.6.11. add. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.6.12. Equals . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6.7. public interface GSSContext . . . . . . . . . . . . . . . . . . 47
6.7.1. Example Context . . . . . . . . . . . . . . . . . . . . . . . 48
6.7.2. initSecContext. . . . . . . . . . . . . . . . . . . . . . . . 50
6.7.2.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 51
6.7.3. initSecContext. . . . . . . . . . . . . . . . . . . . . . . . 52
6.7.3.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 53
6.7.4. acceptSecContext. . . . . . . . . . . . . . . . . . . . . . . 54
6.7.4.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 55
6.7.5. acceptSecContext. . . . . . . . . . . . . . . . . . . . . . . 56
6.7.5.1. Example Code. . . . . . . . . . . . . . . . . . . . . . . . 57
6.7.6. isEstablished . . . . . . . . . . . . . . . . . . . . . . . . 57
6.7.7. dispose . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.7.8. getWrapSizeLimit. . . . . . . . . . . . . . . . . . . . . . . 58
6.7.9. wrap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.7.10. wrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.7.11. unWrap . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.7.12. unWrap . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.7.13. getMIC . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.7.14. getMIC . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.7.15. verifyMIC. . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.7.16. verifyMIC. . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.7.17. export . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.7.18. mutualAuthentication . . . . . . . . . . . . . . . . . . . . 67
6.7.19. replayDetection. . . . . . . . . . . . . . . . . . . . . . . 68
6.7.20. sequenceDetection. . . . . . . . . . . . . . . . . . . . . . 68
6.7.21. credentialDelegation . . . . . . . . . . . . . . . . . . . . 68
6.7.22. anonymity. . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.7.23. confidentiality. . . . . . . . . . . . . . . . . . . . . . . 69
6.7.24. integrity. . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.7.25. lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.7.26. channelBinding . . . . . . . . . . . . . . . . . . . . . . . 70
6.7.27. isTransferable . . . . . . . . . . . . . . . . . . . . . . . 70
6.7.28. isProtReady. . . . . . . . . . . . . . . . . . . . . . . . . 70
6.7.29. srcName. . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.7.30. targName . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.7.31. mechanism. . . . . . . . . . . . . . . . . . . . . . . . . . 71
6.7.32. delegatedCredential. . . . . . . . . . . . . . . . . . . . . 71
6.7.33. isInitiator. . . . . . . . . . . . . . . . . . . . . . . . . 72
6.8. public class MessageProp. . . . . . . . . . . . . . . . . . . . 72
6.8.1. Constructors. . . . . . . . . . . . . . . . . . . . . . . . . 73
6.8.2. QOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.8.3. privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
6.8.4. minorStatus . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.8.5. minorString . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.8.6. isDuplicateToken. . . . . . . . . . . . . . . . . . . . . . . 74
6.8.7. isOldToken. . . . . . . . . . . . . . . . . . . . . . . . . . 74
6.8.8. isUnseqToken. . . . . . . . . . . . . . . . . . . . . . . . . 74
6.8.9. isGapToken. . . . . . . . . . . . . . . . . . . . . . . . . . 75
6.9. public class ChannelBinding . . . . . . . . . . . . . . . . . . 75
6.9.1. Constructors. . . . . . . . . . . . . . . . . . . . . . . . . 76
6.9.2. initiatorAddress. . . . . . . . . . . . . . . . . . . . . . . 76
6.9.3. acceptorAddress . . . . . . . . . . . . . . . . . . . . . . . 77
6.9.4. applicationData . . . . . . . . . . . . . . . . . . . . . . . 77
6.9.5. Equals. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6.10. public class Oid . . . . . . . . . . . . . . . . . . . . . . . 77
6.10.1. Constructor. . . . . . . . . . . . . . . . . . . . . . . . . 78
6.10.2. ToString . . . . . . . . . . . . . . . . . . . . . . . . . . 78
6.10.3. Equals . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.10.4. DER. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
6.10.5. containedIn. . . . . . . . . . . . . . . . . . . . . . . . . 79
6.11. public class GSSException. . . . . . . . . . . . . . . . . . . 79
6.11.1. Constants. . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.11.2. Constructors . . . . . . . . . . . . . . . . . . . . . . . . 82
6.11.3. major. . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
6.11.4. minor. . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6.11.5. majorString. . . . . . . . . . . . . . . . . . . . . . . . . 83
6.11.6. minorString. . . . . . . . . . . . . . . . . . . . . . . . . 83
6.11.7. ToString . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6.11.8. Message. . . . . . . . . . . . . . . . . . . . . . . . . . . 83
7. Sample Applications . . . . . . . . . . . . . . . . . . . . . . . 84
7.1. Simple GSS Context Initiator. . . . . . . . . . . . . . . . . . 84
7.2. Simple GSS Context Acceptor . . . . . . . . . . . . . . . . . . 89
8. Security Considerations . . . . . . . . . . . . . . . . . . . . . 93
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 93
10. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . 93
11. Normative References . . . . . . . . . . . . . . . . . . . . . . 94
12. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 94
13. Intellectual Property Statement. . . . . . . . . . . . . . . . . 94
14. Disclaimer of Validity . . . . . . . . . . . . . . . . . . . . . 95
15. Copyright Statement. . . . . . . . . . . . . . . . . . . . . . . 95
1. Introduction
This document specifies the C# language bindings for the Generic
Security Services Application Programming Interface Version 2
(GSS-API v2). GSS-API allows a caller application to authenticate a
principal identity, to delegate rights to a peer, and to apply
security services such as confidentiality and integrity on a per-
message basis.
One of the design goals in defining the C# bindings for GSS-API was
to emulate the Java bindings specified in RFC 2853 as closely as
possible while still taking advantage of C# features such as
properties. By emulating the Java bindings, we hoped to leverage work
already done and to make life easier for developers using GSS-API
under both C# and Java. As a result of this design goal, the C#
bindings match the Java bindings very closely.
Because of the similarity between the Java and C# bindings and in the
spirit of leveraging work already done, this document borrows heavily
from RFC 2853.
2. GSS-API Operational Paradigm
The Generic Security Service Application Programming Interface
Version 2 defines a generic security API to calling applications. It
allows a communicating application to authenticate a user associated
with another application, to delegate rights to another application,
and to apply security services such as confidentiality and integrity
on a per-message basis.
There are four stages to using GSS-API:
1) The application acquires a set of credentials with which it may
prove its identity to other processes. The application's
credentials vouch for its global identity, which may or may not
be related to any local username under which it may be running.
2) A pair of communicating applications establish a joint security
context using their credentials. The security context
encapsulates shared state information, which is required in
order that per-message security services may be provided.
Examples of state information that might be shared between
applications as part of a security context are cryptographic
keys, and message sequence numbers. As part of the
establishment of a security context, the context initiator is
authenticated to the responder, and may require that the
responder is authenticated back to the initiator. The
initiator may optionally give the responder the right to
initiate further security contexts, acting as an agent or
delegate of the initiator. This transfer of rights is termed
"delegation", and is achieved by creating a set of credentials,
similar to those used by the initiating application, but which
may be used by the responder.
A GSSContext object is used to establish and maintain the
shared information that makes up the security context. Certain
GSSContext methods will generate a token, which applications
treat as cryptographically protected, opaque data. The caller
of such a GSSContext method is responsible for transferring the
token to the peer application, encapsulated if necessary in an
application-to-application protocol. On receipt of such a
token, the peer application should pass it to the corresponding
GSSContext method, which will decode the token, extract the
information, and update the security context state
accordingly.
3) Per-message services are invoked on a GSSContext object to
apply either:
integrity and data origin authentication, or
confidentiality, integrity and data origin authentication
to application data, which are treated by GSS-API as arbitrary
octet-strings. An application transmitting a message that it
wishes to protect will call the appropriate GSSContext method
(getMIC or wrap) to apply protection, and send the resulting
token to the receiving application. The receiver will pass the
received token (and, in the case of data protected by getMIC,
the accompanying message-data) to the corresponding decoding
method of the GSSContext interface (verifyMIC or unwrap) to
remove the protection and validate the data.
4) At the completion of a communications session (which may extend
across several transport connections), each application uses a
GSSContext method to invalidate the security context and
release any system or cryptographic resources held. Multiple
contexts may also be used (either successively or
simultaneously) within a single communications association, at
the discretion of the applications.
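The four stages above, seen from the initiator's side, as an added illustration that is not part of the draft or of the GNU GSS project. It uses only the class, method and property names that appear in the draft's table of contents (GSSManager, GSSName, GSSCredential, GSSContext, MessageProp, GSSException, Oid, GSSNameTypes, GSSCredentialUsage, GSSConstants). The parameter lists, return types and the property-versus-method shape of the members are assumptions modelled on the Java bindings of RFC 2853, since the body of the draft is not reproduced on this page; Send() and Receive() are placeholders for the application's own transport. It also shows the point made in section 3: optional services are requested through GSSContext properties before the first initSecContext call, and the negotiated result is checked afterwards.

```csharp
// Added example; not code from the draft or the GNU GSS project.
// ASSUMPTION: signatures follow RFC 2853's Java bindings (byte[] in/out,
//             offset/length pairs); context flags and MessageProp fields are
//             C# properties. The draft body defining them is not on this page.
// ASSUMPTION: Send()/Receive() stand in for the application protocol.
using System;
using System.Text;

public class GssInitiatorExample
{
    static void Send(byte[] token) { /* application-to-application protocol */ }
    static byte[] Receive() { return new byte[0]; /* placeholder */ }

    public static void Run(string serviceName)  // e.g. "host@server.example"
    {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential cred = null;
        GSSContext context = null;
        try
        {
            // Stage 1: acquire credentials that vouch for our global identity.
            // Single-argument overload assumed: default principal, default mechanism.
            cred = manager.createCredential(GSSCredentialUsage.INITIATE_ONLY);

            // Stage 2: build a context toward the peer, named by host-based service.
            GSSName peer = manager.createName(serviceName, GSSNameTypes.NT_HOSTBASED_SERVICE);
            context = manager.createContext(peer, null, cred, GSSConstants.DEFAULT_LIFETIME);

            // Section 3: optional services are requested by the initiator only,
            // via properties set BEFORE the first initSecContext call.
            context.mutualAuthentication = true;   // acceptor must prove itself too
            context.replayDetection = true;
            context.sequenceDetection = true;
            context.confidentiality = true;
            context.integrity = true;
            context.credentialDelegation = false;  // do not hand our rights to the peer

            // Token exchange loop: each output token is opaque, protected data
            // that we merely carry to the peer's acceptSecContext.
            byte[] inToken = new byte[0];
            while (!context.isEstablished())
            {
                byte[] outToken = context.initSecContext(inToken, 0, inToken.Length);
                if (outToken != null && outToken.Length > 0)
                    Send(outToken);
                if (!context.isEstablished())
                    inToken = Receive();
            }
            // Requested != granted: a mechanism may decline a service, so read the
            // properties back after establishment and refuse to proceed on a downgrade.
            if (!context.mutualAuthentication || !context.confidentiality || !context.integrity)
                throw new Exception("peer did not grant the requested protections");

            // Stage 3a: confidentiality + integrity + origin authentication (wrap/unWrap).
            MessageProp prop = new MessageProp(0, true);   // QOP 0 = default, privacy on
            byte[] plaintext = Encoding.UTF8.GetBytes("hello");
            Send(context.wrap(plaintext, 0, plaintext.Length, prop));

            byte[] reply = Receive();
            MessageProp replyProp = new MessageProp(0, false);
            byte[] replyText = context.unWrap(reply, 0, reply.Length, replyProp);
            // unWrap reports replay/ordering anomalies as supplementary status in
            // the MessageProp rather than by throwing, so they must be checked here.
            if (replyProp.isDuplicateToken || replyProp.isOldToken ||
                replyProp.isUnseqToken || replyProp.isGapToken)
                throw new Exception("replayed or out-of-sequence token");
            if (!replyProp.privacy)
                throw new Exception("reply arrived without confidentiality");

            // Stage 3b: integrity-only protection; the MIC travels beside the data.
            MessageProp micProp = new MessageProp(0, false);
            byte[] mic = context.getMIC(plaintext, 0, plaintext.Length, micProp);
            context.verifyMIC(mic, 0, mic.Length, plaintext, 0, plaintext.Length, micProp);
        }
        catch (GSSException e)
        {
            // majorString: GSS-level reason; minorString: mechanism-specific detail.
            Console.Error.WriteLine("GSS-API failure: " + e.majorString + " / " + e.minorString);
            throw;
        }
        finally
        {
            // Stage 4: invalidate the context and release credential resources.
            if (context != null) context.dispose();
            if (cred != null) cred.dispose();
        }
    }
}
```

The two checks after establishment and after unWrap are the part most often omitted in practice: the draft's model has the mechanism report what it actually granted and any replay or sequencing anomaly through properties, so an application that never reads them back gets no protection from having requested them.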
3. Additional Controls
This section discusses the optional services that a context initiator
may request of the GSS-API before context establishment. Each of
these services is requested by setting the appropriate property of
the GSSContext interface before the first call to initSecContext is
performed.
Only the context initiator can request context flags.
The optional services defined are:
Delegation
The (usually temporary) transfer of rights from initiator to
[4918 lines skipped]