| Platform SDK: Logon Authentication |
For Windows 2000 and later, a pointer to an SCHANNEL_CRED structure is passed in the pAuthData parameter when calling AcquireCredentialsHandle.
By default, Schannel negotiates the best cipher available based on those enabled in the Schannel registry; however, there are cases when a particular application or connection requires a specific set of ciphers. An application can specify the ciphers for this credential through the palgSupportedAlgs member of the SCHANNEL_CRED structure. This member is a pointer to an array of CryptoAPI algorithm identifiers (ALG_IDs), listing the ciphers allowed for use in connections created using this credential. These include bulk encryption ciphers such as CALG_RC4, hash algorithms used in building MACs (such as CALG_MD5), and key exchange mechanisms such as CALG_RSA_KEYX. If no algorithm of a specific category is included in the list, Schannel uses the default algorithm for that particular category.
The list of supported algorithms can be retrieved by calling QueryCredentialsAttributes with SECPKG_ATTR_SUPPORTED_ALGS as the uLAttribute parameter.
Applications can limit the cipher strengths allowed for a particular connection by setting the minimum and maximum cipher strength values. These values limit a particular connection to a domestic strength cipher (56 bits, 64 bits, 128 bits) or to an export strength cipher (40 bits).
Cipher strength represents the actual strength of the cipher, not the amount of keying material negotiated. For example, DES requires 64 bits of keying material but provides only gives 56 bits of cipher strength. Setting the minimum and maximum values to zero causes Schannel to use all available cipher strengths. Setting the minimum cipher strength to –1 enables the special SSL3/TLS MAC only (NULL cipher) cipher suites, which are usually disabled by default.
The maximum and minimum cipher strengths can be retrieved by calling the QueryCredentialsAttributes function with SECPKG_ATTR_CIPHER_STRENGTHS as the uLAttribute parameter.