Security Support Provider Interface Architecture (Windows Embedded CE 6.0)

1/6/2010

Different applications require different ways to identify or authenticate users, and different means of encrypting data traveling across a network. To avoid coding every available security option into an application, Windows Embedded CE supports the Security Support Provider Interface (SSPI), which enables applications to access dynamic-link libraries (DLLs) containing common authentication and cryptographic data schemes. These DLLs are called Security Support Providers (SSPs). The following illustration shows the relationship of the SSP DLLs to the SSPI Secur32.dll, Winsock, and WinInet.

Ee498166.cf2a9cdd-3324-4a73-ae70-7c6fbb765712(en-US,WinEmbedded.60).gif

SSPs make one or more security solutions, called security packages, available to applications. A security package maps various SSPI functions to the security protocols specified in the package. An application implementing the SSPI can use any security package available on a system without having details about the security protocols implemented by the security package. Additionally, you can write your own SSP and add it to the registry.

To determine which provider is supported by a specific OS design, check for unique DLLs associated with each provider. The following table shows the DLLs for Kerberos, NTLM, and Schannel security providers.

Security provider Module

Kerberos

Kerberos.dll, Cryptdll.dll

NTLM

Ntlmssp.dll

Schannel

Schannel.dll

The following example shows how to update the registry to install an SSP.

[HKEY_LOCAL_MACHINE\Comm\SecurityProviders]
    Providers=REG_SZ:provider1.dll, provider2.dll,...

A single DLL can contain multiple security packages; for example, SSL2 and SSL3.

The application programming interfaces (APIs) contained in the SSPI are divided into the following functional areas:

  • Package management
  • Credential management
  • Context management
  • Message support

Package management functions enumerate and query the attributes of the security packages of an SSP. These functions list the security packages available on a SSP, and enable an application to select one from the available security packages to support its requirements.

Credential management functions enable applications to gain access to the credentials of a principal, where a principal is an entity recognized by the security system. Such entities include human users and autonomous processes. A credential is data such as a password or user name used by a principal to establish the principal's identity.

Context management functions enable applications to create and use security contexts. A security context is security data, including session key and session duration, relevant to a connection. Both client and server must cooperate to create a security context. The client and the server can then use the security context with message support functions to ensure message integrity and privacy during the connection.

Message support functions enable an application to transmit messages that cannot be tampered with. The message support functions work with one or more buffers that contain a message and an associated security context created by the context management functions.

See Also

Reference

Authentication Services Reference

Concepts

Authentication Services Application Development
SSPI Functions and Structures
Security Packages
Authentication Services Security
Authentication Services Registry Settings

Other Resources

Authentication Services