- S/MIME
- See Secure/Multipurpose Internet Mail Extensions.
- SACL
- See system access control list.
- salt value
- Random data that is sometimes include as part of a session key. When added to a session key, the plaintext salt data is placed in front of the encrypted key data.
Salt values are added to increase the work required to mount a brute-force (dictionary) attack against data encrypted with a symmetric-key cipher.
Salt values are generated by calling CryptGenRandom.
- SAS
- See secure attention sequence.
- SCard$DefaultReaders
- A terminal reader group that contains all readers assigned to that terminal, however, it is not reserved for this specific use.
- SCard$AllReaders
- A Smart Card system-wide reader group that includes all readers introduced to the smart card resource manager. Readers are automatically added to the group when they are introduced to the system.
- SCARD_AUTOALLOCATE
- A Smart Card system constant that tells the smart card resource manager to allocate sufficient memory itself, returning a pointer to the allocated buffer instead of filling in a user-supplied buffer. The returned buffer must then eventually be freed by calling SCardFreeMemory.
- SChannel
- A security package that provides authentication between clients and servers.
- secure attention sequence (SAS)
- A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.
- Secure Electronic Transaction (SET)
- A protocol for secure electronic transactions over the Internet.
- Secure Hash Algorithm (SHA-1)
- A hashing algorithm that generates a 160-bit hash value. SHA-1 is used with the Digital Signature Algorithm(DSA) in the Digital Signature Standard(DSS), among other places.
The CryptoAPI references this algorithm by its identifier (CALG_SHA), name (SHA), and class (ALG_CLASS_HASH).
SHA-1 was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA).
- Secure Hash Standard
- A standard designed by NIST and NSA. This standard defines the Secure Hash Algorithm (SHA-1) for use with the Digital Signature Standard (DSS).
See also Secure Hash Algorithm.
- Secure Sockets Layer protocol (SSL)
- A protocol for secure network communications using a combination of public and secret key technology.
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- An e-mail security standard that makes use of public key encryption.
- security context
- The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session
- security descriptor
- A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
See also absolute security descriptor, discretionary access-control list, self-relative security descriptor, system access-control list.
- security identifier (SID)
- A structure of variable length that uniquely identifies a user or group on all Windows NT® implementations.
- security package
- Programs that perform the necessary mapping between an application program's API call and the actual security model function implementation. Security packages are controlled through a security support provider. Security packages are directly analogous to GSS mechanisms.
- security support provider (SSP)
- A dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and the Microsoft® LAN Manager.
- Security Support Provider Interface (SSPI)
- A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security providers, such as Windows Distributed Security. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details.
- self-relative security descriptor
- A security descriptor that stores all its security information in a contiguous block of memory.
See also security descriptor.
- server certificate
- Refers to a certificate used for server authentication, such as authenticating a Web server to a Web browser. When a Web browser client attempts to access a secured Web server, the server sends its certificate to the browser to allow it to verify the server's identity.
- service principal name (SPN)
- The name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication
- serialize
- The process of converting data into a string of ones and zeros so that it can be transmitted serially. Encoding is part of this process.
- server
- A computer that responds to commands from a client computer. The client and server work together to perform distributive application functionality.
See also client.
- service provider (Smart Card)
- A Smart Card subsystem component that provides access to specific smart card services by means of COM interfaces.
See also primary service provider.
- session
- An exchange of messages under the protection of a single piece of keying material. For example, SSL sessions use a single key to send multiple messages back and forth under that key.
- session key
- A key used primarily for data encryption and decryption. Session keys are typically used with symmetric encryption algorithms where the same key is used for both encryption and decryption. For this reason, session and symmetric keys usually refer to the same type of key.
A session key consists of a random number of approximately 40 to 2000 bits. Session keys can be derived from hash values by calling CryptDeriveKey.
- session-key derivation scheme
- Specifies when a key is derived from a hash. Methods used depend on the CSP type.
- SET
- See Secure Electronic Transaction.
- SHA
- The CryptoAPI name for the Secure Hash algorithm. Other hashing algorythms include MD2, MD4, and MD5.
See also Secure Hash Algorithm.
- SHS
- See Secure Hash Standard.
- SID
- See security identifier.
- signature and data verification functions
- Simplified message functions used to sign outgoing messages and verify the authenticity of applied signatures in received messages and related data.
See simplified message functions.
- signature certificate
- A certificate containing a public key that is used to verify digital signatures.
- signature file
- A file that contains the signature of a particular CSP. The signature file is necessary to ensure that the CryptoAPI recognizes the CSP. The CryptoAPI validates this signature periodically to make certain the CSP has not been tampered with.
- signature functions
- Functions used to create and verify digital signatures.
See also simplified message functions.
- signature key pair
- The public/private key pair used for authenticating (digitally signing) messages. Signature key pairs are created by calling CryptGenKey.
See also exchange key pair.
- signature private key
- The private key of a signature key pair.
See signature key pair.
- signed and enveloped data
- A data content type defined by PKCS #7. This data type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message hash(es) for one or more signers. The double encryption consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.
- signed data
- A data content type defined by PKCS #7. This data type consists of any type of content plus encrypted message hashes (digests) of the content for zero or more signers. The resulting hash(es) can be used to confirm who signed the message. These hashes also confirm that the original message has not been modified since the message was signed.
- simple key BLOB
- A session key encrypted with the key-exchange public key of the destination user. This key BLOB type is used when storing a session key or transmitting a session key to another user. A key BLOB is created by calling CryptExportKey.
- simplified message functions
- Message management functions such as message encryption, decryption, signing and signature verification functions. Simplified message functions operate at a higher level than the base cryptographic functions or the low-level message functions.
Simplified message functions wrap several of the base cryptographic, low-level message, and certificate functions into a single function that performs a specific task in a specific manner, such as encrypting a PKCS #7 message or signing a message.
See also low-level message functions.
- site certificate
- Both server certificates and certification authority (CA) certificates are sometimes called site certificates. When referring to a server certificate, the certificate identifies the Web server presenting the certificate. When referring to a CA certificate, the certificate identifies the CA that issues server and/or client authentication certificates to the servers and clients that request these certificates.
- Skipjack
- An encryption algorithm specified as part of the Fortezza encryption suite. Skipjack is a symmetric cipher with a fixed key length of 80 bits.
Skipjack is a classified algorithm created by the United States National Security Agency (NSA). The technical details of the Skipjack algorithm are secret.
- smart card
- An integrated circuit card (ICC) owned by an individual or a group whose information must be protected according to specific ownership assignments. It provides its own physical access control; without the smart card subsystem placing additional access control on the smart card.
A smart card is a plastic card containing an integrated circuit that is compatible with ISO 7816.
- smart card common dialog
- A common dialog that assists the user in selecting and locating a smart card. It works with the smart card database management services and reader services to help the application, and if necessary the user, to identify which smart card to use for a given purpose.
- smart card database
- The database used by the resource manager to manage resources. It contains a list of known smart cards, the interfaces and primary service provider of each card, and known smart card readers and reader groups.
- smart card subsystem
- The subsystem used to provide a link between smart card readers and smart card aware applications running within the PC environment. This subsystem is designed specifically for Microsoft® Windows® 95 OSR2.1 and Microsoft Windows 2000, with support for CryptoAPI and the Windows driver model.
- Software Publishing Certificate (SPC)
- A PKCS #7 signed-data object containing X.509 certificates.
- SPN
- See service principal name.
- SSL
- See Secure Sockets Layer protocol.
- SSL3 Client Authentication algorithm
- An algorithm used for client authentication in Secure Sockets Layer(SSL) version 3. In the SSL3 protocol, a concatenation of an MD5 hash and a SHA-1 hash is signed with an RSA private key. CryptoAPI and the Microsoft Base and Enhanced Cryptographic Providers support SSL3 with the hash type CALG_SSL3_SHAMD5.
- SSL3 protocol
- Version 3 of the Secure Sockets Layer (SSL) protocol.
- SSP
- See security support provider.
- SSPI
- See Security Support Provider Interface.
- state
- The set of all persisted values associated with a cryptographic entity such as a key or a hash. This set can include such things as the initialization vector (IV) being used, the algorithm being used, or the value of the entity already calculated.
- stream cipher
- A cipher that serially encrypts data, one bit at a time.
See also block cipher.
- subauthentication package
- An optional DLL that provides additional authentication functionality, usually by extending the authentication algorithm. If a subauthentication package is installed, the authentication package will call the subauthentication package before returning its authentication result to the Local Security Authority (LSA).
See also Local Security Authority.
- symmetric algorithm
- A cryptographic algorithm that typically uses a single key, often referred to as a session key, for encryption and decryption. Symmetric algorithms can be divided into two categories, stream algorithms and block algorithms (also called stream and block ciphers).
See also stream cipher and block cipher.
- symmetric encryption
- Encryption that uses a single key for both encryption and decryption. Symmetric encryption is preferred when encrypting large amounts of data. Some of the more common symmetric encryption algorithms are RC2, RC4, and Data Encryption Standard (DES).
See also public-key encryption.
- symmetric key
- A single key, typically a session key, used for both encryption and decryption.
See also session key.
- system access-control list (SACL)
- An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
See also access-control list (ACL), discretionary access-control list (DACL), privilege.
- system program interface
- The set of functions provided by a cryptographic service provider (CSP) that implements an application's functions.