Schannel Security Support Provider (Compact 2013)
3/28/2014
Secure Channel, also known as Schannel, is a security support provider (SSP) containing a set of security protocols that provide identity authentication and enhanced communication security through encryption.
Schannel is primarily used for Internet applications that require enhanced security for Hypertext Transfer Protocol (HTTP) communications.
Schannel Credentials
Schannel protocols require credentials to authenticate servers and, optionally, clients. Server authentication, where the server provides proof of its identity to the client, is required by the Schannel security protocols. Client authentication may be requested by the server at any time.
Schannel credentials are X.509 certificates. Public and private key information from certificates is used to authenticate the server and, optionally, the client. These keys are also used to provide message integrity while the client and the server exchange the information required to generate and exchange session keys.
Obtaining Schannel Credentials
Credentials are required by the Schannel authentication process. Both the client and the server must obtain valid credentials to establish a security context for message exchange.
Your application obtains credentials by calling the AcquireCredentialsHandle function. This function returns a handle to the requested credentials. Because a credentials handle is used to store credential settings, the same handle cannot be used for both client-side and server-side operations. This means that applications that support both client and server connections must obtain a minimum of two credentials handles.
An SCHANNEL_CRED structure specifies the following information:
- A security protocol.
- The allowable ciphers.
- Minimum and maximum cipher strengths.
- An X.509 certificate used for authentication. This is required for the server, and is optional for the client unless the server requests client authentication.
Pass the SCHANNEL_CRED structure through the pAuthData parameter to the AcquireCredentialsHandle function. This function returns the credentials handle required to establish a security context.
For more information about certificates, see Certificates.
Manually Validating Schannel Credentials
You must validate the certificate provided by the server that is attempting to establish its identity. To manually validate the server certificate, you must first get it. Use the QueryContextAttributes function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure containing the certificate supplied by the server. This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.
If the certificate chain has more than two certificates, the intermediate certificates may be located in the certificate store specified by the hCertStore field of the CERT_CONTEXT structure.
Using the leaf certificate you must verify the following information:
- The certificate chain is complete and the root is a certificate from a trusted certification authority (CA).
- The current time is not beyond the begin and end dates for each of the certificates in the certificate chain.
- The depth of the leaf certificate is not deeper than the maximum allowable depth specified in the certificate extension. This check is only necessary if there is a depth specified.
- The usage of the certificate is correct, for example, a client certificate should not be used to authenticate a server.
- For server authentication, the server identity contained in the server's leaf certificate matches the server that the client is attempting to contact. Typically, the client will match some item in the certificate's Subject Name field to the server's IP address or DNS name.
You can use CertGetCertificateChain to verify the first four items in the list above.
See Also
Reference
Authentication Services Registry Settings
Authentication Services Reference