Security Support Provider Interface

Security Support Provider Interface (SSPI) is an API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSPs): a Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

Windows SSPs

The following SSPs are installed with Windows:
  • NTLM (Introduced in Windows NT 3.51) (Msv1_0.dll) - Provides NTLM challenge/response authentication for client-server domains prior to Windows 2000 and for non-domain authentication (SMB/CIFS).
  • Kerberos (Introduced in Windows 2000 and updated in Windows Vista to support AES) (secur32.dll) - Preferred for mutual client-server domain authentication in Windows 2000 and later.
  • Negotiate (Introduced in Windows 2000) (secur32.dll) - Selects Kerberos and, if that is not available, the NTLM protocol. The Negotiate SSP provides a single sign-on capability called Integrated Windows Authentication. On Windows 7 and later, NEGOExts is introduced, which negotiates the use of installed custom SSPs that are supported on both the client and the server for authentication.
  • Secure channel (aka SChannel) (Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC) (schannel.dll) - (PCT (obsolete) and Microsoft's implementation of TLS/SSL) - Public key cryptography SSP that provides encryption and secure communication for authenticating clients and servers over the internet. Updated in Windows 7 to support TLS 1.2.
  • Digest SSP (Introduced in Windows XP) (wdigest.dll) - Provides challenge/response based HTTP and SASL authentication between Windows and non-Windows systems where Kerberos is not available.
  • Credential (CredSSP) (Introduced in Windows Vista and available on Windows XP SP3) (credssp.dll) - Provides SSO and Network Level Authentication for Remote Desktop Services.
  • Distributed Password Authentication (DPA) (Introduced in Windows 2000) (Msapsspc.dll) - Provides internet authentication using digital certificates.
  • Public Key Cryptography User-to-User (PKU2U) (Introduced in Windows 7) (Pku2u.dll) - Provides peer-to-peer authentication using digital certificates between systems that are not part of a domain.

Comparison

SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API so an SSPI client on Windows may be able to authenticate with a GSS-API server on UNIX depending on the specific circumstances.
One significant shortcoming of SSPI is its lack of , which makes some GSSAPI interoperability impossible.

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the FULL privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are fewer privileges or more privileges than those of the original service account depends entirely on which client connects/authenticates. In the traditional (GSSAPI) model, a server runs under a service account, cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in Windows Vista by restricting impersonation to selected service accounts.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.