Security Support Provider Interface

The Security Support Provider Interface (SSPI) is an API used by Microsoft Windows to perform security-related operations such as authentication, message integrity (signing) and message confidentiality (encryption), without tying the calling application to a particular protocol.

SSPI functions as a common interface to several Security Support Providers (SSPs), each a DLL that exposes one or more security packages, such as:
* NTLM
* Kerberos
* Secure channel (aka SChannel)
* Distributed Password Authentication (DPA)
* Digest access authentication
* Negotiate (SPNEGO, which selects between Kerberos and NTLM)
* CredSSP (Credential Security Support Provider)

It is a proprietary variant of GSS-API with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 together with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (the Kerberos 5 GSS-API mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by SSPI are mostly compatible with GSS-API, so an SSPI client on Windows may be able to authenticate to a GSS-API server on UNIX, depending on the specific circumstances. One significant shortcoming of the original SSPI was its lack of channel bindings. Channel binding is a way to cryptographically bind end-to-end authentication at the application layer to a secure channel at a lower layer; it eliminates man-in-the-middle attacks in that secure channel and is particularly useful to applications that rely on TLS or IPsec for session/transport security. Channel bindings also stimulate the development of APIs for IPsec and an unauthenticated mode of IPsec. Their absence made some GSS-API interoperability impossible. Windows 7 and Windows Server 2008 R2 (with updates for earlier versions) later added channel binding support, marketed as Extended Protection for Authentication: a caller passes a SEC_CHANNEL_BINDINGS structure in a SECBUFFER_CHANNEL_BINDINGS buffer, and the Negotiate, Kerberos and NTLM packages compare it with the binding the peer supplied.
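The following is an added worked example, not code from the article or from Microsoft. It shows the two values that make Extended Protection work: the RFC 5929 tls-server-end-point binding that an SSPI caller places in the application data of SEC_CHANNEL_BINDINGS, and the MD5 digest of the serialised gss_channel_bindings_struct that NTLM then carries in its MsvAvChannelBindings AV_PAIR (MS-NLMP 3.1.5.1.2). The certificates are constructed byte strings, not real DER; the relay walk-through at the end is a constructed scenario showing why a server that terminates TLS with its own certificate cannot complete the relayed exchange.

```python
"""Added example (not from the article or from Microsoft): the channel binding
values used by Extended Protection for Authentication.  The 'certificates'
are constructed byte strings standing in for DER-encoded X.509 data."""
import hashlib
import hmac
import struct

UNBOUND = bytes(16)   # what NTLM carries when the client supplied no binding

# Constructed stand-ins for the DER bytes of two different TLS certificates.
REAL_CERT = hashlib.sha256(b"constructed: real server certificate").digest() * 4
RELAY_CERT = hashlib.sha256(b"constructed: relay's own certificate").digest() * 4


def endpoint_hash_name(cert_sig_hash):
    """RFC 5929 s4.1: certificates signed with MD5 or SHA-1 are bound with
    SHA-256; any other certificate uses its own signature hash algorithm."""
    name = cert_sig_hash.lower().replace("-", "")
    return "sha256" if name in ("md5", "sha1") else name


def tls_server_end_point(cert_der, cert_sig_hash):
    """The tls-server-end-point channel binding: type prefix + hash of the
    DER certificate.  This is the application data of SEC_CHANNEL_BINDINGS."""
    digest = hashlib.new(endpoint_hash_name(cert_sig_hash), cert_der).digest()
    return b"tls-server-end-point:" + digest


def gss_channel_bindings_bytes(app_data, initiator=b"", acceptor=b""):
    """Serialise gss_channel_bindings_struct in the form MS-NLMP hashes:
    addrtype (GSS_C_AF_UNSPEC = 0) and length as little-endian uint32, each
    followed by its data.  Windows' in-memory SEC_CHANNEL_BINDINGS uses
    offsets instead; only this flattened form is ever hashed."""
    return (struct.pack("<II", 0, len(initiator)) + initiator
            + struct.pack("<II", 0, len(acceptor)) + acceptor
            + struct.pack("<I", len(app_data)) + app_data)


def ntlm_channel_binding_hash(cert_der, cert_sig_hash):
    """MsvAvChannelBindings value (MS-NLMP 3.1.5.1.2): MD5 of the struct."""
    binding = tls_server_end_point(cert_der, cert_sig_hash)
    return hashlib.md5(gss_channel_bindings_bytes(binding)).digest()


def verify_channel_binding(received, server_cert_der, cert_sig_hash, required=True):
    """Server-side check.  'required' models EPA set to Required rather than
    Allowed: an absent binding passes only when not required, and a present
    one must match the certificate this server presented on its own TLS
    channel, not whatever certificate the client happened to see."""
    if received == UNBOUND:
        return not required
    expected = ntlm_channel_binding_hash(server_cert_der, cert_sig_hash)
    return hmac.compare_digest(received, expected)


def relay_scenario():
    """Constructed walk-through.  The client always binds to the certificate
    of the TLS endpoint it actually connected to.  Directly to the real
    server the hash matches; through a relay that terminated TLS with its
    own certificate and forwarded the NTLM messages, it does not."""
    bound_to_real = ntlm_channel_binding_hash(REAL_CERT, "sha256")
    bound_to_relay = ntlm_channel_binding_hash(RELAY_CERT, "sha256")
    return {
        "direct": verify_channel_binding(bound_to_real, REAL_CERT, "sha256"),
        "relayed": verify_channel_binding(bound_to_relay, REAL_CERT, "sha256"),
    }


if __name__ == "__main__":
    print(relay_scenario())                     # {'direct': True, 'relayed': False}
```

Note that the hash only protects the exchange when the server insists on it: with EPA merely allowed, an attacker who strips the binding (sends the all-zero value) is still accepted, which is why the `required` flag defaults to True here.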

Another fundamental difference between the IETF-defined GSS-API and Microsoft's SSPI is the concept of "impersonation". In this model, a server thread can switch to and operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are fewer or more privileges than those of the original service account depends entirely on which client connects and authenticates. In the traditional (GSS-API) model, a server runs under a service account, cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in more recent versions of Windows in two ways: the client chooses how far it allows itself to be impersonated (identification only, impersonation on the local machine, or delegation to further hops), and since Windows Server 2003 and Windows XP SP2 impersonating a client beyond the identification level requires the "Impersonate a client after authentication" privilege (SeImpersonatePrivilege), which is granted by default only to administrators and to service accounts. A service that holds this privilege should therefore be treated as able to become any account that authenticates to it.
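The following is an added worked example, not code from the article or from Microsoft, tying together the API described above, the token formats, and the impersonation model. loopback_handshake() assumes Windows with the pywin32 package installed and uses its sspi module (ClientAuth/ServerAuth wrap AcquireCredentialsHandle, InitializeSecurityContext and AcceptSecurityContext) to run both sides of a Negotiate exchange in one process, then impersonates the client on the server side. describe_token() is pure Python and identifies which SSP produced a token from its wire format: raw NTLMSSP messages, SPNEGO NegTokenInit/NegTokenResp, or an RFC 1964 Kerberos token inside the GSS-API InitialContextToken wrapper. The sample tokens are constructed, not captured, and the stub AP-REQ body is a placeholder.

```python
"""Added example (not from the article or from Microsoft): run both legs of
an SSPI handshake in one process via the pywin32 `sspi` module and tell from
the bytes which SSP produced each token.  describe_token() is pure Python and
runs anywhere; loopback_handshake() assumes Windows with pywin32 installed.
The sample tokens below are constructed, not captured."""
import struct

# DER OID values (0x06 tag and length stripped) that identify a mechanism in a
# GSS-API InitialContextToken (RFC 2743 s3.1) or a SPNEGO mechTypes list.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2 (RFC 1964)
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Windows variant)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos",
         OID_MSKRB5: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}
KRB_TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der(tag, body):
    """Encode one DER TLV; only used to build the sample tokens."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _tlv(buf, pos):
    """Decode the DER TLV at pos -> (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _oid_str(oid):
    """Dotted form of a DER OID value (first byte packs the first two arcs)."""
    arcs, val = [oid[0] // 40, oid[0] % 40], 0
    for b in oid[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def describe_token(tok):
    """Classify an SSPI/GSS-API token from its leading bytes."""
    if tok.startswith(b"NTLMSSP\x00"):            # raw NTLM: no GSS wrapper at all
        return {"ssp": "NTLM", "message": NTLM_TYPES.get(struct.unpack_from("<I", tok, 8)[0], "?")}
    if tok[:1] == b"\xa1":                         # SPNEGO NegTokenResp (server side)
        return {"ssp": "Negotiate", "message": "NegTokenResp"}
    if tok[:1] != b"\x60":
        return {"ssp": "unknown", "message": "?"}
    _, body, _ = _tlv(tok, 0)                      # [APPLICATION 0] { OID, inner token }
    _, oid, pos = _tlv(body, 0)
    mech, inner = MECHS.get(oid, _oid_str(oid)), body[pos:]
    if mech == "SPNEGO":                           # NegTokenInit: [0] SEQ { [0] SEQ OF OID, ... }
        _, neg, _ = _tlv(inner, 0)
        _, seq, _ = _tlv(neg, 0)
        _, mech_types, _ = _tlv(seq, 0)
        _, oids, _ = _tlv(mech_types, 0)
        offered, p = [], 0
        while p < len(oids):
            _, o, p = _tlv(oids, p)
            offered.append(MECHS.get(o, _oid_str(o)))
        return {"ssp": "Negotiate", "message": "NegTokenInit", "mechs": offered}
    if mech in ("Kerberos", "MS-Kerberos"):        # RFC 1964 s1.1: inner token starts with TOK_ID
        return {"ssp": mech, "message": KRB_TOK_IDS.get(inner[:2], "?")}
    return {"ssp": mech, "message": "?"}


def sample_tokens():
    """Constructed tokens in the wire shapes the classifier expects."""
    ntlm = b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(24)                      # NEGOTIATE, flags zeroed
    krb = _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + _der(0x6e, b"\x30\x00"))  # TOK_ID + stub AP-REQ
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in (OID_MSKRB5, OID_KRB5, OID_NTLMSSP)))
    neg_init = _der(0xa0, _der(0x30, _der(0xa0, mech_list) + _der(0xa2, _der(0x04, ntlm))))
    spnego = _der(0x60, _der(0x06, OID_SPNEGO) + neg_init)
    return {"ntlm": ntlm, "kerberos": krb, "spnego": spnego, "resp": _der(0xa1, _der(0x30, b""))}


def loopback_handshake(package="Negotiate"):
    """Windows + pywin32 only: client and server legs of one SSPI exchange in
    a single process, then impersonation on the server side.  Returns the
    tokens that crossed the 'wire' so describe_token() can inspect them."""
    import sspi, win32api                          # pywin32; absent on other platforms
    client = sspi.ClientAuth(package, targetspn=win32api.GetUserName())  # a real service passes HOST/fqdn
    server = sspi.ServerAuth(package)
    tokens, buf = [], None
    while True:
        err_c, buf = client.authorize(buf)         # InitializeSecurityContext
        if not buf[0].Buffer:                      # client finished, nothing more to send
            break
        tokens.append(buf[0].Buffer)
        err_s, buf = server.authorize(buf)         # AcceptSecurityContext
        if buf[0].Buffer:
            tokens.append(buf[0].Buffer)
        if err_c == 0 and err_s == 0:              # SEC_E_OK on both sides
            break
    server.ctxt.ImpersonateSecurityContext()       # allowed here: same account (else SeImpersonatePrivilege)
    try:
        print("server thread now runs as", win32api.GetUserName())
    finally:
        server.ctxt.RevertSecurityContext()        # always revert, even if the work above throws
    return tokens


if __name__ == "__main__":
    try:
        tokens = loopback_handshake()
    except ImportError:
        tokens = list(sample_tokens().values())    # off Windows, inspect the constructed samples
    for t in tokens:
        print(describe_token(t))
```

On a domain-joined machine the first token printed is a NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP in that order; whether the exchange actually finishes over Kerberos or falls back to NTLM depends on whether the target SPN can be resolved. Passing "NTLM" as the package forces the raw NTLMSSP path with no SPNEGO wrapper. The same classifier works on the base64 payload of an HTTP "Authorization: Negotiate" header, which is where this distinction usually matters during incident review.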

See also

* Security Support Provider
* Integrated Windows Authentication

External links

* [http://msdn2.microsoft.com/en-us/library/aa380493.aspx SSPI Reference on MSDN]
* [http://win32.mvps.org/security/sspi.html SSPI Information and Win32 samples]


Wikimedia Foundation. 2010.
