Security Support Provider Interface

From Wikipedia, the free encyclopedia
Windows application programming interface

Security Support Provider Interface (SSPI) is a component of the Windows API that performs security-related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSPs).[1] A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

Providers


The following SSPs are included in Windows:

  • NTLMSSP (msv1_0.dll) – Introduced in Windows NT 3.51. Provides NTLM challenge/response authentication for Windows domains prior to Windows 2000 and for systems that are not part of a domain.[2]
  • Kerberos (kerberos.dll) – Introduced in Windows 2000 and updated in Windows Vista to support AES.[3] Performs authentication for Windows domains in Windows 2000 and later.[4]
  • Negotiate SSP (secur32.dll) – Introduced in Windows 2000. Provides single sign-on capability, sometimes referred to as Integrated Windows Authentication (especially in the context of IIS).[5] Prior to Windows 7 it tries Kerberos before falling back to NTLM. Windows 7 introduced NEGOExts, which negotiates the use of custom SSPs installed on both the client and the server.
  • Secure Channel (schannel.dll) – Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC.[6] A public key cryptography SSP that implements SSL/TLS, encrypting data payloads in TLS records and authenticating clients and servers over the internet;[7] updated in Windows 7 to support TLS 1.2.
  • Digest SSP (wdigest.dll) – Introduced in Windows XP. Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.[8]
  • CredSSP (credssp.dll) – Introduced in Windows Vista and available on Windows XP SP3. Provides single sign-on and Network Level Authentication for Remote Desktop Services.[9]
  • Distributed Password Authentication (DPA, msapsspc.dll) – Introduced in Windows 2000. Provides internet authentication using digital certificates.[10]
  • Public Key Cryptography User-to-User (PKU2U, pku2u.dll) – Introduced in Windows 7. Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.
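Because every registered SSP is loaded into the LSA process and handles credentials, a practitioner's first check on a host is which packages LSA is configured to load. The following is an added example, not code from the article or from Microsoft: it reads the REG_MULTI_SZ value "Security Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (and its OSConfig subkey, where current Windows keeps the default list) and compares the entries against a baseline built from the DLL names listed above. The baseline itself, the extra names "tspkg" (under which CredSSP is loaded) and "negoexts", and the sample registry entries are assumptions for illustration; on a real fleet the baseline should be regenerated from a known-good host.

```python
"""Audit the Security Support Providers registered with LSA.

Added example, not from the article. LSA loads the packages named in the
REG_MULTI_SZ value "Security Packages" under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa (and its OSConfig subkey on
current Windows). A package registered there is loaded into lsass.exe at boot
and handles plaintext credentials, so any entry outside a known baseline
deserves investigation.
"""
import sys

# Baseline derived from the DLL base names listed in the article, plus
# "tspkg" (the registry name under which CredSSP is loaded) and "negoexts".
# Assumption for illustration: regenerate from a known-good host before use.
KNOWN_SSPS = frozenset({
    "msv1_0", "kerberos", "secur32", "schannel", "wdigest",
    "credssp", "tspkg", "msapsspc", "pku2u", "negoexts",
})
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Security Packages"


def normalize(entry: str) -> str:
    """Reduce a registry entry (possibly a full path with .dll) to a package name."""
    base = entry.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def audit_packages(entries):
    """Split raw REG_MULTI_SZ entries into (known, unexpected) sorted name lists."""
    names = {normalize(e) for e in entries if e.strip()}   # Windows 10 stores "" here
    return (sorted(n for n in names if n in KNOWN_SSPS),
            sorted(n for n in names if n not in KNOWN_SSPS))


def read_registered_packages() -> list:
    """Read both locations LSA consults; returns [] when not running on Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    entries = []
    for subkey in (LSA_KEY, LSA_KEY + r"\OSConfig"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except OSError:
            continue
        if kind == winreg.REG_MULTI_SZ:
            entries.extend(value)
    return entries


# Constructed sample standing in for a registry read: the usual Windows 10
# OSConfig list plus one hypothetical extra DLL of the kind SSP persistence adds.
SAMPLE_ENTRIES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
                  r"C:\Windows\System32\rogue_ssp.dll"]

if __name__ == "__main__":
    known, unexpected = audit_packages(read_registered_packages() or SAMPLE_ENTRIES)
    print("known SSPs:     ", ", ".join(known))
    print("unexpected SSPs:", ", ".join(unexpected) or "none")
```

Run on Windows it reports the live registry contents; elsewhere it falls back to the constructed sample so the comparison logic can be exercised offline. Entries are compared by DLL base name because an attacker can register a full path rather than a bare package name.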

Comparison


SSPI is a proprietary variant of the Generic Security Services Application Program Interface (GSSAPI) with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NTLMSSP. For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (the Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on Unix, depending on the specific circumstances.
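The compatibility rests on the token framing: SSPI's Kerberos and Negotiate packages emit RFC 2743 InitialContextTokens (an [APPLICATION 0] wrapper carrying the mechanism OID and the inner token), whereas the standalone NTLM package emits raw "NTLMSSP" messages with no GSS framing, which a strict GSS-API peer will not accept. The following is an added example, not code from the article or from Microsoft: a small decoder that identifies the framing and mechanism of a token, reads the RFC 1964 TOK_ID of a Kerberos token, and lists the mechanisms offered in a SPNEGO NegTokenInit. The mechanism OIDs are the published constants; the three sample tokens are constructed by hand for the example, not captured from a real exchange.

```python
"""Decode the outer framing of an SSPI / GSS-API context token.

Added example, not from the article. Kerberos and Negotiate tokens from SSPI use
the RFC 2743 section 3.1 InitialContextToken framing (tag 0x60, mechanism OID,
inner token); the standalone NTLM package emits raw "NTLMSSP\\0" messages with
no GSS framing. Sample tokens below are constructed by hand, not captured.
"""
KERBEROS_OID = "1.2.840.113554.1.2.2"     # RFC 1964 mechanism
MS_KERBEROS_OID = "1.2.840.48018.1.2.2"   # legacy Microsoft Kerberos OID
SPNEGO_OID = "1.3.6.1.5.5.2"              # RFC 4178 Negotiate
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"
OID_NAMES = {KERBEROS_OID: "Kerberos", MS_KERBEROS_OID: "MS-Kerberos (legacy OID)",
             SPNEGO_OID: "SPNEGO", NTLMSSP_OID: "NTLMSSP", NEGOEX_OID: "NEGOEX"}
# RFC 1964 sec. 1.1 TOK_ID values that follow the Kerberos mechanism OID.
KRB5_TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of token")
    return tag, buf[pos:end], end


def decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete DER TLV (used to build the samples)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder handling short- and long-form lengths."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def describe_token(token: bytes) -> dict:
    """Identify the framing and mechanism of a context token."""
    if token.startswith(b"NTLMSSP\x00"):   # raw NTLM, no GSS-API framing at all
        return {"framing": "raw NTLMSSP", "mech": "NTLMSSP",
                "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError(f"not an InitialContextToken (tag 0x{tag:02x})")
    oid_tag, oid_bytes, pos = read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("InitialContextToken must begin with the mechanism OID")
    mech, inner = decode_oid(oid_bytes), body[pos:]
    info = {"framing": "RFC 2743 InitialContextToken", "mech": OID_NAMES.get(mech, mech)}
    if mech in (KERBEROS_OID, MS_KERBEROS_OID):
        info["krb5_tok_id"] = KRB5_TOK_IDS.get(inner[:2], inner[:2].hex())
    elif mech == SPNEGO_OID and inner[:1] == b"\xa0":       # NegTokenInit
        _, neg_init, _ = read_tlv(inner, 0)                  # [0] EXPLICIT
        _, seq, _ = read_tlv(neg_init, 0)                    # SEQUENCE
        _, mech_types, _ = read_tlv(seq, 0)                  # [0] mechTypes
        _, oid_list, _ = read_tlv(mech_types, 0)             # SEQUENCE OF OID
        offered, p = [], 0
        while p < len(oid_list):
            _, o, p = read_tlv(oid_list, p)
            offered.append(OID_NAMES.get(decode_oid(o), decode_oid(o)))
        info["offered_mechs"] = offered
    return info


# Constructed samples. Kerberos: OID, TOK_ID 01 00 (KRB_AP_REQ), stand-in AP-REQ bytes.
KRB5_TOKEN = der(0x60, encode_oid(KERBEROS_OID) + b"\x01\x00" + b"\x6e\x03\x30\x01\x00")
# SPNEGO NegTokenInit listing the mechanisms the Windows Negotiate SSP commonly offers.
MECH_LIST = der(0x30, b"".join(encode_oid(o) for o in
                               (MS_KERBEROS_OID, KERBEROS_OID, NEGOEX_OID, NTLMSSP_OID)))
SPNEGO_TOKEN = der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, der(0xA0, MECH_LIST))))
# Raw NTLM NEGOTIATE_MESSAGE header (type 1) as the standalone NTLM SSP emits it.
NTLM_TOKEN = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20

if __name__ == "__main__":
    for name, tok in (("krb5", KRB5_TOKEN), ("spnego", SPNEGO_TOKEN), ("ntlm", NTLM_TOKEN)):
        print(name, describe_token(tok))
```

The SPNEGO case shows the practical interoperability detail: the Windows Negotiate SSP lists the legacy Microsoft Kerberos OID first, so a GSS-API peer must also recognise the standard RFC 1964 OID further down the list to settle on Kerberos, and a peer that only knows Kerberos will never accept the raw NTLM token.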

A long-standing shortcoming of SSPI was its lack of channel bindings, which made some GSSAPI interoperability impossible; channel-binding support (the SECBUFFER_CHANNEL_BINDINGS buffer type, used by Extended Protection for Authentication) was added with Windows 7 and Windows Server 2008 R2.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether this means fewer or more privileges than those of the original service account depends entirely on the client. In the traditional (GSSAPI) model, when a server runs under a service account, it cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in Windows Vista by restricting impersonation to selected service accounts.[11] Impersonation can be implemented in a Unix/Linux model using the seteuid or related system calls. While this means an unprivileged process cannot elevate its privileges, it also means that to take advantage of impersonation the process must run in the context of the root user account.

References

  1. ^ SSP Packages Provided by Microsoft
  2. ^ User Authentication - Security (Windows 2000 Resource Kit Documentation): MSDN
  3. ^ Kerberos Enhancements in Windows Vista: MSDN
  4. ^ Windows 2000 Kerberos Authentication
  5. ^ "Windows Authentication". Windows Server 2008 R2 and Windows Server 2008 Documentation. Microsoft. 2 July 2012. Retrieved 2020-08-05 – via Microsoft Docs.
  6. ^ TLS/SSL Cryptographic Enhancements in Windows Vista
  7. ^ Secure Channel: SSP Packages Provided by Microsoft
  8. ^ Microsoft Digest SSP: SSP Packages Provided by Microsoft
  9. ^ Credential Security Service Provider and SSO for Terminal Services Logon
  10. ^ DCOM Technical Overview: Security on the Internet
  11. ^ "Windows Service Hardening: AskPerf blog". Archived from the original on 2010-04-02. Retrieved 2009-12-22.
