Jaa

New Authentication Functionality in Windows Vista

  • Artikkeli

The Windows Authentication Team works on the core Windows authentication components, such as the LSA, and is responsible for Windows authentication protocols, including Kerberos, SSL, NTLM, and Digest.

The team has 5 program managers, 10 developers, and 11 testers. We also have one architect, Paul Leach, who holds the title of Distinguished Engineer (the highest technical title at Microsoft). Paul has been with the team the longest, since the early '90s. We also have other architects who provide advice on the long-term architecture and direction, including Butler Lampson (a Microsoft Technical and Turing award winner). Butler is known for his work on authentication in distributed systems, including the seminal Authentication in Distributed Systems: Theory and Practice.

These days, the team is focused on shipping the new authentication functionality in Windows Vista. The key advances that we have made are:

GINAs Replaced with New Credential Providers
In previous releases, the customization of interactive user logon was done by creating a custom GINA. Despite the name, GINAs were responsible for more than simply gathering authentication information and rendering the UI to collect it. Because of this, custom GINAs were complex to create and usually required Microsoft Product Support Services (PSS) support for successful implementation. Often, using a custom GINA resulted in unintended side effects, such as preventing fast user switching (FUS) and smartcard logon. In Windows Vista, GINAs are replaced with a new modular Credential Provider model that is easier to program to. 

New Credential Security Service Provider, CredSSP
Credential Security Service Provider (CredSSP) is a new security service provider that is available through the Security Support Provider Interface (SSPI) in Windows. CredSSP enables an application to delegate the user’s credentials from the client (by using the client-side SSP) to the target server (through the server-side SSP).

Although CredSSP was originally designed to meet Terminal Server requirements, it is currently also being used by Web Services, and is available to any internal or third-party application under SSPI. The CredSSP is used by Terminal Services to provide SSO.
 
Stored User Names and Passwords Backup and Restore Wizard
Stored User Names and Passwords in Windows Vista includes a Backup and Restore Wizard, which allows users to back up user names and passwords they have requested Windows to remember for them. This new functionality allows users to restore the user names and passwords on any Windows Vista system. Restoring user names and passwords from a backup file will replace any existing saved user names and passwords the user has on the system.

SSL/TLS Enhancements
Microsoft has added new SSL and TLS extensions, which enable the support of both AES and new ECC cipher suites. The support for AES--not available in Microsoft Windows 2000 or Windows Server 2003--is important, as AES has become a National Institute of Standards and Technology (NIST) standard. In order to ease the process of bulk encryption, several cipher suites have been added that support AES.

Schannel ECC Cipher Suite Support
Elliptical curve cryptography, known as ECC, is an encryption technique that uses a public key. ECC is based on elliptic curve theory, and is used to create more efficient and smaller cryptographic keys. ECC differs from other forms that use the product of very large prime numbers to create keys; ECC instead makes use of an elliptic curve equation to create keys.
 
In Windows Vista, the Schannel SSP includes new cipher suites that support ECC cryptography. Now, ECC cipher suites can be negotiated as part of the standard TLS handshake.
 
Schannel Crypto Agility
Windows Vista offers an Open Cryptographic Interface (OCI) and crypto-agile capabilities for Schannel. By providing crypto-agnostic capabilities, Microsoft enables government organizations to substitute a higher level of functionality, including advanced combinations of cipher suites. Organizations can now create new cipher suites and then plug them into Schannel.

Kerberos Support for AES
This Windows Vista security enhancement will enable the use of AES encryption with Kerberos. This enhancement includes the following changes from Windows XP:

• AES support for the base Kerberos protocol: The base Kerberos protocol in Windows Vista will support AES for encryption of TGTs, service tickets, and session keys.
• AES support for Generic Security Services (GSS)-Kerberos mechanism: In addition to enabling AES for the base protocol, GSS messages, which make up client/server communications in Windows Vista, are protected with AES. 
 
Authentication Support for Branch Domain Controllers
Windows Vista includes new authentication feature changes to support the branch office DC feature in Windows Server “Longhorn.” The specific changes to the Key Distribution Center (KDC) involve being able to issue tickets for branch users only and to forward other requests to the hub DC.
 
Flexible Smartcard Authentication Support
Although Microsoft Windows Server 2003 included support for smartcards as well, the types of certificates that smartcards could contain were limited by strict requirements. First of all, each certificate needed to have a user principal name (UPN) it was associated with and needed to contain the smartcard logon OID in the extended key usage (EKU) field. In addition, each certificate required that signing be used in conjunction with encryption.

To better support smartcard deployments, Microsoft has made changes to the Windows operating system to enable support for a range of certificates. Now, customers can deploy smartcards with certificates that are not limited by the previous requirements.
  
Last Logon Time
This feature displays the time of the last successful interactive logon, as well as the number of failed logon attempts since the last successful logon during a successful interactive logon. This policy will enable a user to determine if the account was used without his or her knowledge.

You can learn more about our authentication work at https://blogs.technet.com/authentication/. If there is a particular area you would like more information about, please let us know.

-- The Windows Authentication Team

Comments

  • Anonymous
    August 25, 2006
    PingBack from http://informationneutral.info/?p=12

  • Anonymous
    September 08, 2006
    windows vista is better security than windows xp and windows vista contain more fucntion than windows xp.

  • Anonymous
    September 08, 2006
    The comment has been removed

  • Anonymous
    September 08, 2006
    This article was mentioned in the latest MSDN BiWeekly Newsletter, which means the general public of developers can read it. I'm a developer, so I have some interest in security issues. However, this article is almost totally incomprehensible to the uninitiated because you failed to define the following terms:

    LSA, Kerberos, SSL, NTLM, Digest, GINA, TLS, AES, ECC, Schannel SSP, TGTs, branch office DC, OID.

    In the future, please include a sidebar with definitions so we at least have a chance of following what you wrote.

    Consider yourself lashed three times with a wet noodle.

  • Anonymous
    September 09, 2006
    It all looks great. If it works as it is designed to it will be grealy welcomed.

  • Anonymous
    October 23, 2006
    Hi, where can I find more information about TLS and ECC?

  • Anonymous
    November 05, 2006
    AES support for the base Kerberos protocol, Define Basic, will it support Kerberos v3.0 or lower/higher versions. Will I be able to use Kerberos from Unix to do WNA check with user ??

  • Anonymous
    December 20, 2006
    Flexible Smartcard Authentication Support, "Now, customers can deploy smartcards with certificates that are not limited by the previous requirements." does it mean there will be no requirements to certificate content?    at least the UPN will still be required, isnt It?

  • Anonymous
    January 05, 2007
    PingBack from http://www.vistalogy.com/2007/01/05/new-authentication-functionality-in-windows-vista/

  • Anonymous
    January 25, 2007
    PingBack from http://4vista.info/?p=14

  • Anonymous
    February 10, 2007
    PingBack from http://ipfreaks.com/dreamscene/?p=62

  • Anonymous
    February 25, 2007
    nesesito proteccion antivirus gratuita

  • Anonymous
    April 01, 2007
    You said, "Organizations can now create new cipher suites and then plug them into Schannel." But I couldn't find any information from MSDN and elsewhere. I really want to know how to create new cipher suites, plug them into Schannel and use them. Please, let me know where can I get information about them. And one more question's here. Can I add new cipher suites into schannel on windows xp??

  • Anonymous
    April 24, 2007
    The comment has been removed

  • Anonymous
    June 26, 2007
    I think it is nice the support for AES. However, any idea how to list ALL available cipher suites under windows vista? Even better how to enable SSLv3 for clients like Windows Mail/Outlook? Thanks

  • Anonymous
    August 02, 2007
    I would like to diable the Windows welcome screen and have the user required to type screen name & password without the system remembering last used  name logged in.  How do you set this up in Windows Vista?

  • Anonymous
    November 21, 2007
    Is there anyway to allow XP compatible kerberos clients (e.g., from MIT) work with vista???

  • Anonymous
    January 23, 2008
    The comment has been removed

  • Anonymous
    January 25, 2008
    PingBack from http://softwareinformation.247blogging.info/windows-vista-security-new-authentication-functionality-in-windows-vista/

  • Anonymous
    April 08, 2008
    The comment has been removed

  • Anonymous
    July 07, 2008
    What should be done so that visa supports the plain authentication?

  • Anonymous
    July 14, 2008
    PingBack from http://appzdrive.com/home/8/?p=127336

  • Anonymous
    July 14, 2008
    PingBack from http://appzdrive.com/home/8/?p=127336

  • Anonymous
    July 14, 2008
    PingBack from http://appzdrive.com/home/8/?p=127336

  • Anonymous
    October 22, 2008
    Here I couldn't find any information from MSDN and elsewhere. I really want to know how to create new cipher suites, plug them into Schannel and use them.Can anyone provide tips in it. http://www.hacker4lease.com/

  • Anonymous
    November 23, 2008
    Windows Vista is good any time. You can experience it by using the security system in windows XP and in Windows Vista. And if the things are designed in the above mentioned way, than its going to be great.