Security Support Provider Interface

SSPI is an API used by Microsoft Windows systems to perform a variety of security related operations such as authentication.

SSPI functions as a common interface to several Security Support Providers (SSP) such as:
* NTLM
* Kerberos
* Secure channel (aka SChannel)
* Distributed Password Authentication (DPA)
* Digest access authentication
* Negotiate
* Credential

It is a proprietary variant of GSSAPI with extensions and very Windows-specific data types. It shipped with Windows NT 3.51 and Windows 95 with the NT LAN Manager Security Support Provider (NTLMSSP). For Windows 2000, an implementation of Kerberos 5 was added, using token formats conforming to the official protocol standard RFC 1964 (The Kerberos 5 GSSAPI mechanism) and providing wire-level interoperability with Kerberos 5 implementations from other vendors.

The tokens generated and accepted by the SSPI are mostly compatible with the GSS-API, so an SSPI client on Windows may be able to authenticate with a GSS-API server on UNIX, depending on the specific circumstances. One significant shortcoming of SSPI is its lack of channel bindings, which makes some GSSAPI interoperability impossible. (Channel binding is a way to cryptographically bind end-to-end authentication at the application layer to a secure channel at a lower layer. This cryptographic binding is a way to eliminate man-in-the-middle attacks in that secure channel. It is particularly useful to applications that intend to rely on TLS or IPsec for session/transport security. Channel bindings also stimulate the development of APIs for IPsec and an unauthenticated mode of IPsec.)
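An added illustration, not part of the original article, of why the missing channel bindings matter. The Python simulation below stands in for an SSP-style challenge-response (a keyed HMAC proof, not NTLM's or Kerberos's real token format) carried over a TLS channel, with an RFC 5929 `tls-server-end-point` binding computed as a SHA-256 hash of the server certificate. The hash choice, the HMAC proof, the shared key and the certificate byte strings are all constructed assumptions for the demo. Without the binding, a proof obtained over one channel still verifies when forwarded unchanged over a second channel; with it, the server's own binding token differs from the one the client saw, so the forwarded proof is rejected.

```python
"""Simulation of application-layer authentication with and without
channel binding (added example; constructed data, not SSPI code)."""
import hashlib
import hmac

# Constructed demo values (not real secrets or certificates).
SHARED_KEY = b"constructed-shared-secret"
CHALLENGE = bytes(range(16))  # fixed instead of random so results are reproducible
SERVER_CERT = b"CONSTRUCTED: genuine server end-entity certificate (DER)"
RELAY_CERT = b"CONSTRUCTED: certificate presented by an intermediate TLS endpoint"


def tls_server_end_point_cbt(server_cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding token: a hash of the
    server certificate the client's TLS session actually terminated at.
    SHA-256 is assumed here for the demo."""
    return hashlib.sha256(server_cert_der).digest()


def client_response(key: bytes, challenge: bytes, cbt: bytes = b"") -> bytes:
    """Client's proof of key possession. When a binding token is supplied the
    proof also commits to the channel the client believes it is using."""
    return hmac.new(key, challenge + cbt, hashlib.sha256).digest()


def server_verify(key: bytes, challenge: bytes, response: bytes,
                  cbt: bytes = b"") -> bool:
    """Server recomputes the proof with *its own* channel binding token and
    compares in constant time."""
    expected = hmac.new(key, challenge + cbt, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(bind: bool, through_relay: bool) -> bool:
    """Run one authentication and return whether the server accepts it.

    bind          -- whether both sides include the channel binding token
    through_relay -- whether the client's TLS channel ends at an intermediate
                     endpoint that forwards the proof to the real server
    """
    # The client derives its token from whatever certificate its own TLS
    # session terminated at; the server derives it from its own certificate.
    client_side_cert = RELAY_CERT if through_relay else SERVER_CERT
    client_cbt = tls_server_end_point_cbt(client_side_cert) if bind else b""
    server_cbt = tls_server_end_point_cbt(SERVER_CERT) if bind else b""

    response = client_response(SHARED_KEY, CHALLENGE, client_cbt)
    # The proof is forwarded byte-for-byte; the server checks it against the
    # binding of the channel it actually sees.
    return server_verify(SHARED_KEY, CHALLENGE, response, server_cbt)


def summary() -> dict:
    """All four cases, keyed by (bind, through_relay)."""
    return {(b, r): authenticate(b, r) for b in (False, True) for r in (False, True)}


if __name__ == "__main__":
    for (bind, relay), accepted in summary().items():
        print(f"binding={'on ' if bind else 'off'} relay={'yes' if relay else 'no '} "
              f"-> {'accepted' if accepted else 'rejected'}")
```

The only case the server rejects is binding on with an intermediate channel; direct authentication succeeds either way, which is the property a protocol gains from channel bindings and the one an SSPI application cannot express when the interface offers no way to pass the token.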

Another fundamental difference between the IETF-defined GSSAPI and Microsoft's SSPI is the concept of "impersonation". In this model, a server can switch to and operate with the full privileges of the authenticated client, so that the operating system performs all access control checks, e.g. when opening new files. Whether these are fewer or more privileges than those of the original service account depends entirely on which client connects and authenticates. In the traditional (GSSAPI) model, a server runs under a service account, cannot elevate its privileges, and has to perform access control in a client-specific and application-specific fashion. The obvious negative security implications of the impersonation concept are mitigated in the most recent version of Windows by restricting impersonation to selected service accounts.

See also

* Security Support Provider
* Integrated Windows Authentication

External links

* [http://msdn2.microsoft.com/en-us/library/aa380493.aspx SSPI Reference on MSDN]
* [http://win32.mvps.org/security/sspi.html SSPI Information and Win32 samples]


Wikimedia Foundation. 2010.
