Security Support Provider Interface

As intranets become more secure, client applications, such as Web browsers and e-mail applications, and their servers become more complex. Different applications require different ways of identifying or authenticating users, and different ways of encrypting data as it travels across a network. To avoid coding every available security option into an application, Windows CE supports the Security Support Provider Interface (SSPI), which gives applications a single, protocol-independent interface to dynamic-link libraries (DLLs) that implement common authentication and encryption schemes. These DLLs are called Security Support Providers (SSPs). The following illustration shows the relationship of the SSP DLLs to the SSPI Secur32.dll, Winsock, and WinInet.

SSPs make one or more security solutions, called security packages, available to applications. A security package maps various SSPI functions to the security protocols specified in the package. An application implementing the SSPI can use any security package available on a system without knowing details about the security protocols that the security package implements. The application programming interfaces (APIs) contained in the SSPI are divided into the following functional areas:

Package management functions enumerate and query the attributes of the security packages of an SSP. They list the security packages available on a system and enable an application to select one to support its requirements.

Credential management functions enable applications to gain access to the credentials of a principal. A principal is an entity recognized by the security system; this includes human users as well as autonomous processes. A credential is data used by a principal to establish its identity, such as a user name and password. SSPI returns an opaque handle to the credentials rather than the secret itself, so the application never handles the password directly.

Context management functions enable applications to create and use security contexts. A security context is the security data relevant to a connection, and contains such data as a session key and the session duration. Both client and server must cooperate to create a security context: each side calls its own context function, and the opaque tokens those calls produce are carried across the connection to the other side until both sides report that the context is complete. The client and the server can then use the security context with message support functions to ensure message integrity and privacy during the connection.

Message support functions enable an application to sign messages so that any tampering is detected and, when the package supports it, to encrypt them. Each call works with one or more buffers that hold the message together with a security context created by the context management functions; the peer must verify or decrypt with the matching context or the call fails.

These sections describe how to initialize and use the functions contained in the SSPI to create a secure network connection. This process contains the following primary tasks:

The following example shows how to update the registry to install an SSP:

[HKEY_LOCAL_MACHINE\Comm\SecurityProviders]
    Providers=REG_SZ:provider1.dll, provider2.dll,...

A single SSP DLL can expose more than one security package; for example, Provider1.dll can contain two security packages, one for Protocol 1 and one for Protocol 2. Because every DLL named in this value is loaded as a security provider and handles authentication on behalf of every SSPI client, the list should be treated as a trust boundary: only modules that ship with the platform image belong in it, and an unexpected entry is worth investigating.
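An added check (example code, not from the Windows CE documentation) that parses a Providers line in the format shown above and audits each entry: it must be a bare .dll module name rather than a path, it must appear on an allowlist of the providers the platform image is expected to carry, and it must not be listed twice. The allowlist, the sample line, and the rejection rules are the example's own; substitute the modules your image actually ships.

```c
/* Added example, not from the Windows CE documentation: audit the Providers
 * value of HKEY_LOCAL_MACHINE\Comm\SecurityProviders against an allowlist. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ENTRY 64

/* Constructed allowlist for the example; use the SSPs your image ships. */
const char *const kAllow[] = { "provider1.dll", "provider2.dll" };
const size_t kAllowCount = sizeof kAllow / sizeof kAllow[0];

/* Case-insensitive equality, sufficient for module names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Point at the data of a "Providers=REG_SZ:..." line; NULL for any other line. */
const char *providers_value(const char *line)
{
    static const char prefix[] = "Providers=REG_SZ:";
    while (isspace((unsigned char)*line)) line++;
    return strncmp(line, prefix, sizeof prefix - 1) == 0 ? line + sizeof prefix - 1 : NULL;
}

/* Copy the next comma-separated entry, trimmed, into out. Returns 0 at the end. */
static int next_entry(const char **p, char *out)
{
    const char *s = *p, *e;
    size_t n;
    if (*s == '\0') return 0;
    e = strchr(s, ',');
    if (!e) e = s + strlen(s);
    *p = *e ? e + 1 : e;
    while (s < e && isspace((unsigned char)*s)) s++;
    while (e > s && isspace((unsigned char)e[-1])) e--;
    n = (size_t)(e - s);
    if (n >= MAX_ENTRY) n = MAX_ENTRY - 1;
    memcpy(out, s, n); out[n] = '\0';
    return 1;
}

/* Audit one Providers value. Returns the number of rejected entries and
 * prints each rejection with its reason. */
int audit_providers(const char *value, const char *const *allow, size_t nallow)
{
    char seen[16][MAX_ENTRY];          /* accepted so far, for duplicate detection */
    size_t nseen = 0, i;
    int rejected = 0;
    char entry[MAX_ENTRY];
    const char *p = value;

    while (next_entry(&p, entry)) {
        const char *why = NULL;
        size_t len = strlen(entry);
        if (len == 0)
            why = "empty entry";
        else if (strpbrk(entry, "\\/:"))
            why = "path given instead of a bare module name";
        else if (len < 4 || !ieq(entry + len - 4, ".dll"))
            why = "not a .dll module name";
        else {
            for (i = 0; i < nallow && !ieq(entry, allow[i]); i++) ;
            if (i == nallow) why = "not on the allowlist";
        }
        if (!why)
            for (i = 0; i < nseen; i++)
                if (ieq(entry, seen[i])) { why = "listed more than once"; break; }
        if (why) { printf("REJECT '%s': %s\n", entry, why); rejected++; }
        else if (nseen < 16) strcpy(seen[nseen++], entry);
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample line: one good entry, a path, a duplicate, an unknown module. */
    const char *line = "    Providers=REG_SZ:provider1.dll, \\Temp\\evil.dll, provider1.dll, provider3.dll";
    const char *v = providers_value(line);
    int n = v ? audit_providers(v, kAllow, kAllowCount) : -1;
    printf("%d entries rejected\n", n);
    return n != 0;
}
```

Run against the sample line the check rejects three of the four entries; the exit status is nonzero whenever anything is rejected, so the program can sit in an image build or a device audit script as a gate.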