Security Support Provider Interface (SSPI) is a Win32 API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication. SSPI functions as a common interface to several Security Support Providers (SSPs):[1] A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.


Windows SSPs

The following SSPs are installed with Windows:

NTLM (introduced in Windows NT 3.51) (msv1_0.dll) - Provides NTLM challenge/response authentication for client-server domains prior to Windows 2000 and for non-domain authentication (SMB/CIFS).[2]

Kerberos (introduced in Windows 2000 and updated in Windows Vista to support AES)[3] (kerberos.dll) - Preferred for mutual client-server domain authentication in Windows 2000 and later.[4]

Negotiate (introduced in Windows 2000) (secur32.dll) - Selects Kerberos and, if it is not available, the NTLM protocol. The Negotiate SSP provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS).[5] On Windows 7 and later, NEGOExts is introduced, which negotiates the use of installed custom SSPs that are supported on both the client and the server for authentication.

Secure Channel (aka SChannel) - Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC.[6] This provider uses SSL/TLS records to encrypt data payloads. (schannel.dll) PCT (obsolete) and Microsoft's implementation of TLS/SSL - Public key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet.[7] Updated in Windows 7 to support TLS 1.2.

Digest SSP (introduced in Windows XP) (wdigest.dll) - Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.[8]

Credential (CredSSP) (introduced in Windows Vista and available on Windows XP SP3) (credssp.dll) - Provides SSO and Network Level Authentication for Remote Desktop Services.[9]

Distributed Password Authentication (DPA) (introduced in Windows 2000) (msapsspc.dll) - Provides internet authentication using digital certificates.[10]

Public Key Cryptography User-to-User (PKU2U) (introduced in Windows 7) (pku2u.dll) - Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.

Comparison

SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors. The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix, depending on the specific circumstances. One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are fewer or more privileges than those of the original service account depends entirely on which client connects and authenticates. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are prevented in Windows Vista by restricting impersonation to selected service accounts.[11] Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run as root (or as another process with the CAP_SETUID capability).
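The Unix/Linux impersonation model described above, written out as an added example in C (this is not code from the article, and not Microsoft's). It uses the seteuid(2) call the text names; the helper names can_impersonate, run_as and euid_seen_as are this example's own, and "our uid plus one" is a constructed stand-in for an arbitrary other user. Run as an ordinary user it shows the EPERM refusal that keeps an unprivileged server from elevating; run with effective root (or CAP_SETUID) it shows the kernel performing the open(2) access check under the client's identity, which is the behaviour the section contrasts with the GSSAPI service-account model.

```c
#define _XOPEN_SOURCE 700
// Added example (not from the article): impersonation via seteuid(2).
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Can this process assume `client` with seteuid()? Only an effective root
 * (CAP_SETUID) may pick an arbitrary uid; an unprivileged process may only
 * switch among its real and effective uids (and its saved set-user-ID, not
 * queried here), so it can never elevate. */
int can_impersonate(uid_t client)
{
    if (geteuid() == 0)
        return 1;
    return client == getuid() || client == geteuid();
}

/* Run `work` with the effective uid of `client`, then revert to the
 * server's own uid. This mirrors the impersonate/revert pair in the
 * Windows model: while impersonating, the kernel applies the client's
 * identity to every access check (open(2) and friends).
 * Returns work's result, or -1 with errno set if the switch is refused. */
int run_as(uid_t client, int (*work)(void *), void *arg)
{
    uid_t self = geteuid();
    if (seteuid(client) != 0)
        return -1;                   /* EPERM: not allowed to become client */
    int rc = work(arg);
    if (seteuid(self) != 0) {
        /* A server that cannot revert must not keep serving other clients
         * under the wrong identity; fail closed. */
        perror("seteuid(revert)");
        _exit(1);
    }
    return rc;
}

/* Work item: note the effective uid observed while impersonating. */
static int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

/* Work item: open a path read-only as the client; the kernel decides. */
static int open_for_read(void *arg)
{
    int fd = open((const char *)arg, O_RDONLY);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* The euid seen while impersonating `client`, or (uid_t)-1 if refused. */
uid_t euid_seen_as(uid_t client)
{
    uid_t seen = (uid_t)-1;
    if (run_as(client, record_euid, &seen) != 0)
        return (uid_t)-1;
    return seen;
}

int main(int argc, char **argv)
{
    static char default_path[] = "/etc/passwd";
    char *path = argc > 1 ? argv[1] : default_path;
    uid_t me = getuid();
    uid_t other = me + 1;   /* constructed sample: some uid that is not ours */

    printf("uid %u, euid %u\n", (unsigned)me, (unsigned)geteuid());
    printf("impersonating self: saw euid %u\n", (unsigned)euid_seen_as(me));

    if (!can_impersonate(other)) {
        if (euid_seen_as(other) == (uid_t)-1)
            printf("unprivileged: cannot impersonate uid %u: %s\n",
                   (unsigned)other, strerror(errno));
        return 0;
    }
    /* Only reached with effective root / CAP_SETUID. */
    int rc = run_as(other, open_for_read, path);
    printf("open(%s) as uid %u: %s\n", path, (unsigned)other,
           rc == 0 ? "allowed" : strerror(errno));
    return 0;
}
```

The revert path deliberately exits rather than continuing: a server that has switched to a client identity and cannot switch back would otherwise process the next client's request with the wrong privileges, which is exactly the failure the Windows service-account restriction mentioned above is meant to contain.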

References

[1] SSP Packages Provided by Microsoft
[2] User Authentication - Security (Windows 2000 Resource Kit Documentation): MSDN
[3] Kerberos Enhancements in Windows Vista: MSDN
[4] Windows 2000 Kerberos Authentication
[5] Windows Authentication
[6] TLS/SSL Cryptographic Enhancements in Windows Vista
[7] Secure Channel: SSP Packages Provided by Microsoft
[8] Microsoft Digest SSP: SSP Packages Provided by Microsoft
[9] Credential Security Service Provider and SSO for Terminal Services Logon
[10] DCOM Technical Overview: Security on the Internet
[11] Windows Service Hardening: AskPerf blog

External links

SSPI Reference on MSDN
SSPI Information and Win32 samples
Example of use of SSPI for HTTP authentication
