Random data that is sometimes included as part of a session key. When added to a session key, the plaintext salt data is placed in front of the encrypted key data. Salt values are added to increase the work required to mount a brute-force (dictionary) attack against data encrypted with a symmetric-key cipher. Salt values are generated by calling CryptGenRandom.
The form of a certification authority (CA) name that is used in file names (such as for a certificate revocation list) and in registry keys. The process of sanitizing the CA name is necessary to remove characters that are illegal for file names, registry key names, or Distinguished Name values, or that are illegal for technology-specific reasons. In Certificate Services, the sanitization process converts any illegal character in the common name of the CA to a 5-character representation in the format !xxxx, where ! is used as an escape character and xxxx represents four hexadecimal integers that uniquely identify the character being converted.
A smart card system-wide reader group that includes all readers introduced to the smart card resource manager. Readers are automatically added to the group when they are introduced to the system.
A terminal reader group that contains all readers assigned to that terminal, however, it is not reserved for this specific use.
A smart card system constant that tells the smart card resource manager to allocate sufficient memory itself, returning a pointer to the allocated buffer instead of filling in a user-supplied buffer. The returned buffer must then eventually be freed by calling SCardFreeMemory.
A security package that provides authentication between clients and servers.
(SAS) A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.
(SET) A protocol for secure electronic transactions over the Internet.
(SHA) A hashing algorithm that generates a message digest. SHA is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), among other places. CryptoAPI references this algorithm by the algorithm`s identifier (CALG_SHA), name (SHA), and class (ALG_CLASS_HASH). There are four varieties of SHA: SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 generates a 160-bit message digest. SHA-256, SHA-384, and SHA-512 generate 256-bit, 384-bit, and 512-bit message digests, respectively. SHA was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA).
A standard designed by NIST and NSA. This standard defines the Secure Hash Algorithm (SHA-1) for use with the Digital Signature Standard (DSS).
(SSL) A protocol for secure network communications using a combination of public and secret key technology.
(S/MIME) An e-mail security standard that makes use of public key encryption.
(SAM) A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session.
A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object`s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account`s SID rather than the account`s user or group name.
The software implementation of a security protocol. Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
An entity recognized by the security system. Principals can include human users as well as autonomous processes.
A specification that defines security-related data objects and rules about how the objects are used to maintain security on a computer system.
(SSP) A dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application`s SSPI function calls and an actual security model`s functions. Security packages support security protocols such as Kerberos authentication and the Microsoft LAN Manager.
(SSPI) A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security providers, such as Windows Distributed Security. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol`s details.
A security descriptor that stores all its security information in a contiguous block of memory.
The process of converting data into a string of ones and zeros so that it can be transmitted serially. Encoding is part of this process.
(SST) The Serialized Certificate Store format is the only format that preserves all certificate store properties. It is useful in cases such as when roots have been configured with custom EKU properties, and you want to move them to another computer.
A computer that responds to commands from a client computer. The client and server work together to perform distributive application functionality.
Refers to a certificate used for server authentication, such as authenticating a Web server to a Web browser. When a Web browser client attempts to access a secured Web server, the server sends its certificate to the browser to allow it to verify the server`s identity.
(SGC) An extension of Secure Sockets Layer (SSL) that enables organizations, such as financial institutions, that have export versions of Internet Information Services (IIS) to use strong encryption (for example, 128-bit encryption).
(SPN) The name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication
A smart card subsystem component that provides access to specific smart card services by means of COM interfaces.
An exchange of messages under the protection of a single piece of keying material. For example, SSL sessions use a single key to send multiple messages back and forth under that key.
A randomly-generated key that is used one time, then discarded. Session keys are symmetric (used for both encryption and decryption). They are sent with the message, protected by encryption with a public key from the intended recipient. A session key consists of a random number of approximately 40 to 2000 bits. Session keys can be derived from hash values by calling the CryptDeriveKey function.
Specifies when a key is derived from a hash. Methods used depend on the CSP type.
The CryptoAPI name for the Secure Hash algorithm, SHA-1. Other hashing algorithms include MD2, MD4, and MD5.
Simplified message functions used to sign outgoing messages and verify the authenticity of applied signatures in received messages and related data.
A certificate that contains a public key that is used to verify digital signatures.
A file that contains the signature of a particular cryptographic service provider (CSP). The signature file is necessary to ensure that CryptoAPI recognizes the CSP. CryptoAPI validates this signature periodically to ensure the CSP has not been tampered with.
Functions used to create and verify digital signatures.
The public/private key pair used for authenticating (digitally signing) messages. Signature key pairs are created by calling CryptGenKey.
The private key of a signature key pair.
A data content type defined by PKCS #7. This data type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message hashes for one or more signers. The double encryption consists of an encryption with a signer`s private key followed by an encryption with the content-encryption key.
A data content type defined by PKCS #7. This data type consists of any type of content plus encrypted message hashes (digests) of the content for zero or more signers. The resulting hashes can be used to confirm who signed the message. These hashes also confirm that the original message has not been modified since the message was signed.
A session key encrypted with the key-exchange public key of the destination user. This key BLOB type is used when storing a session key or transmitting a session key to another user. A key BLOB is created by calling CryptExportKey.
Message management functions, such as message encryption, decryption, signing, and signature verification functions. Simplified message functions operate at a higher level than the base cryptographic functions or the low-level message functions. Simplified message functions wrap several of the base cryptographic, low-level message, and certificate functions into a single function that performs a specific task in a specific manner, such as encrypting a PKCS #7 message or signing a message.
Both server certificates and certification authority (CA) certificates are sometimes called site certificates. When referring to a server certificate, the certificate identifies the Web server presenting the certificate. When referring to a CA certificate, the certificate identifies the CA that issues server and/or client authentication certificates to the servers and clients that request these certificates.
An encryption algorithm specified as part of the Fortezza encryption suite. Skipjack is a symmetric cipher with a fixed key length of 80 bits. Skipjack is a classified algorithm created by the United States National Security Agency (NSA). The technical details of the Skipjack algorithm are secret.
An integrated circuit card (ICC) owned by an individual or a group whose information must be protected according to specific ownership assignments. It provides its own physical access control; without the smart card subsystem placing additional access control on the smart card. A smart card is a plastic card that contains an integrated circuit that is compatible with ISO 7816.
A common dialog box that assists the user in selecting and locating a smart card. It works with the smart card database management services and reader services to help the application, and, if necessary, the user, to identify which smart card to use for a given purpose.
The database used by the resource manager to manage resources. It contains a list of known smart cards, the interfaces and primary service provider of each card, and known smart card readers and reader groups.
The subsystem used to provide a link between smart card readers and smart card–aware applications.
(SPC) A PKCS #7 signed-data object that contains X.509 certificates.
A Tracking software that is used to monitor user behavior or gather information about the user, sometimes including personally identifiable or other sensitive information.
It may collect personal information that can be shared widely or stolen, resulting in fraud or ID theft; can be used in the commission of other crimes, including domestic violence and stalking; can slow machine down; may be associated with security risks and/or loss of data.
It may be used for legitimate monitoring: e.g. by parents or companies; may be a necessary component of adware that is linked to wanted software; may allow customization.
*Anti-Spyware Coalition Definitions and Supporting Documents
An algorithm used for client authentication in Secure Sockets Layer (SSL) version 3. In the SSL3 protocol, a concatenation of an MD5 hash and a SHA-1 hash is signed with an RSA private key. CryptoAPI and the Microsoft Base and Enhanced Cryptographic Providers support SSL3 with the hash type CALG_SSL3_SHAMD5.
Version 3 of the Secure Sockets Layer (SSL) protocol.
The set of all persisted values associated with a cryptographic entity such as a key or a hash. This set can include such things as the initialization vector (IV) being used, the algorithm being used, or the value of the entity already calculated.
A cipher that serially encrypts data, one bit at a time.
An optional DLL that provides additional authentication functionality, usually by extending the authentication algorithm. If a subauthentication package is installed, the authentication package will call the subauthentication package before returning its authentication result to the Local Security Authority (LSA).
Credentials for use in authenticating a security principal to foreign security domains.
A cryptographic algorithm that typically uses a single key, often referred to as a session key, for encryption and decryption. Symmetric algorithms can be divided into two categories, stream algorithms and block algorithms (also called stream and block ciphers).
Encryption that uses a single key for both encryption and decryption. Symmetric encryption is preferred when encrypting large amounts of data. Some of the more common symmetric encryption algorithms are RC2, RC4, and Data Encryption Standard (DES).
A single key used for both encryption and decryption. Session keys are usually symmetric.
(SACL) An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object`s SACL is controlled by a privilege typically held only by system administrators.
The set of functions provided by a cryptographic service provider (CSP) that implements an application`s functions.