OSF DCE Application Development Guide--Core Components

DCE Security Service
Refer to the discussion of Authenticated RPC in Part 3 of this guide for complete
information about protection levels.
23.1.4.2 GSSAPI and Protection Levels
Unlike secure RPC, where the client chooses a protection level that is then applied
automatically to all data transferred in either direction, applications that use GSSAPI
must protect data on a message-by-message basis. This allows an application the option
of protecting only particularly sensitive messages, and avoids the overhead of security
processing for other messages.
GSSAPI offers two distinct types of protection through the gss_sign()/gss_verify()
routines and the gss_seal()/gss_unseal() routines, as follows:

The gss_sign() routine creates a token containing a signature to protect the integrity
of the message data. The token contains only the signature. The application must
send both the token and the message to which it applies to the peer application for
verification. The receiving application calls the gss_verify() routine to check the
signature.

The gss_seal() routine creates a token containing both a signature and the message
data, and may optionally encrypt the data. Only the token need be sent to the peer
application, which processes it using the gss_unseal() routine to verify the signature
and extract the message data.
Three distinct signature algorithms are supported by the per-message protection routines.
An algorithm may be requested by providing one of the following constants to the
qop_request parameter of either the gss_sign() or the gss_seal() routine:

GSSDCE_C_QOP_DES_MAC   Conventional DES MAC. Slow but well understood.

GSSDCE_C_QOP_DES_MD5   DES MAC of an MD5 signature. Faster than QOP_DES_MAC.

GSSDCE_C_QOP_MD5       MD5 signature. Fastest supported signature algorithm. The default.
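The two token shapes described above, and the consequence for what each peer has to put on the wire, are modelled in the following added Python example. It is not DCE's gssapi library and not code from this guide: the Context class, the token layout, the numeric values of the QOP constants, and the primitives are all assumptions made for illustration. HMAC-MD5 stands in for the DES MAC / MD5 checksums the guide lists and an HMAC-derived counter keystream stands in for DES encryption (both DES and MD5 are legacy primitives; a current mechanism would use neither). The point the code makes is the one in the text: a sign token verifies only when the peer also has the message, whereas a seal token is self-contained, and in both cases a single altered byte makes verification fail.

```python
"""Added model of GSSAPI per-message protection (sign/verify vs seal/unseal).

Not DCE's gssapi library.  Stand-ins (assumptions): HMAC-MD5 replaces the
DES MAC / MD5 checksums, an HMAC-derived keystream replaces DES encryption,
and the QOP constant values and token layout are invented for illustration.
"""
import hashlib
import hmac
import os

# Stand-ins for the GSSDCE_C_QOP_* constants; the numeric values are assumed.
QOP_MD5 = 0          # the guide's default and fastest option
QOP_DES_MD5 = 1
QOP_DES_MAC = 2
_QOP_LABEL = {QOP_MD5: b"md5", QOP_DES_MD5: b"des-md5", QOP_DES_MAC: b"des-mac"}
SIG_LEN = 16         # bytes of checksum carried in every token
CONF_LEN = 8         # per-message confounder carried in seal tokens


class Context:
    """An established security context: both peers hold the session key."""

    def __init__(self, session_key: bytes):
        self.key = session_key


def _checksum(ctx: Context, qop: int, data: bytes) -> bytes:
    # One subkey per QOP, so a token built under one QOP never verifies
    # under another even though all three stand-ins use HMAC-MD5 here.
    subkey = hmac.new(ctx.key, _QOP_LABEL[qop], hashlib.md5).digest()
    return hmac.new(subkey, data, hashlib.md5).digest()


def _keystream(ctx: Context, confounder: bytes, n: int) -> bytes:
    # Counter-mode keystream bound to the per-message confounder, so two
    # messages never share pad bytes (stand-in for DES confidentiality).
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(ctx.key, confounder + ctr.to_bytes(4, "big"), hashlib.md5).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def gss_sign(ctx: Context, message: bytes, qop: int = QOP_MD5) -> bytes:
    """Token holds only the signature: the caller must send token AND message."""
    return bytes([qop]) + _checksum(ctx, qop, message)


def gss_verify(ctx: Context, message: bytes, token: bytes) -> int:
    """Check a sign token against the separately received message; return the QOP."""
    if len(token) != 1 + SIG_LEN or token[0] not in _QOP_LABEL:
        raise ValueError("GSS_S_DEFECTIVE_TOKEN")
    qop, sig = token[0], token[1:]
    if not hmac.compare_digest(sig, _checksum(ctx, qop, message)):
        raise ValueError("GSS_S_BAD_SIG")
    return qop


def gss_seal(ctx: Context, message: bytes, qop: int = QOP_MD5, conf_req: bool = True) -> bytes:
    """Token carries signature and message (optionally encrypted); only the token is sent."""
    flag = 1 if conf_req else 0
    confounder = os.urandom(CONF_LEN)
    sig = _checksum(ctx, qop, bytes([flag]) + confounder + message)
    body = _xor(message, _keystream(ctx, confounder, len(message))) if conf_req else message
    return bytes([qop, flag]) + confounder + sig + body


def gss_unseal(ctx: Context, token: bytes):
    """Verify a seal token and return (message, conf_state, qop)."""
    hdr = 2 + CONF_LEN + SIG_LEN
    if len(token) < hdr or token[0] not in _QOP_LABEL or token[1] not in (0, 1):
        raise ValueError("GSS_S_DEFECTIVE_TOKEN")
    qop, flag = token[0], token[1]
    confounder, sig, body = token[2:2 + CONF_LEN], token[2 + CONF_LEN:hdr], token[hdr:]
    message = _xor(body, _keystream(ctx, confounder, len(body))) if flag else body
    if not hmac.compare_digest(sig, _checksum(ctx, qop, bytes([flag]) + confounder + message)):
        raise ValueError("GSS_S_BAD_SIG")
    return message, bool(flag), qop


def tamper_detected(ctx: Context, message: bytes, qop: int = QOP_MD5) -> bool:
    """Sign a message, corrupt one byte in transit, and confirm the peer rejects it."""
    token = gss_sign(ctx, message, qop)
    corrupted = bytes([message[0] ^ 0x01]) + message[1:]
    try:
        gss_verify(ctx, corrupted, token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ctx = Context(b"constructed-session-key")   # constructed sample key
    msg = b"transfer 100 to account 42"        # constructed sample message
    tok = gss_sign(ctx, msg, QOP_DES_MAC)       # on the wire: msg + tok
    print("sign token bytes:", len(tok), "verified qop:", gss_verify(ctx, msg, tok))
    sealed = gss_seal(ctx, msg, conf_req=True)  # on the wire: sealed only
    print("sealed token bytes:", len(sealed), "unseal:", gss_unseal(ctx, sealed))
    print("tamper detected:", tamper_detected(ctx, msg))
```

The sign token is a fixed 17 bytes whatever the message length, which is why the message must travel alongside it; the seal token grows with the message and, with conf_req set, carries it only in encrypted form. Relabelling the QOP byte of a token does not let it verify under another algorithm, because the checksum subkey is derived from the QOP.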
23.1.5 Data Encryption Mechanisms
Authentication protocols assume the availability of a data encryption mechanism. One
that is frequently used is the Data Encryption Standard (DES), although DCE supports at
least one other encryption mechanism. Your version of DCE Security may use DES for
data privacy, or for principal authentication and data-integrity checking; or it may use
another encryption mechanism, or no encryption at all. Consult the documentation
supplied by your DCE vendor for specific information.
234 Tandem Computers Incorporated 124245