A security descriptor structure that contains pointers to the security information associated with an object. <br><br> *<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms721607%28v=vs.85%29.aspx" target=_blank>https://msdn.microsoft.com/en-us/library/windows/desktop/ms721607(v=vs.85).aspx</a>
(ASN.1) A method used to specify abstract objects that are intended for serial transmission.
A key BLOB that contains the key of the symmetric cipher used to encrypt a file or message. The access block can only be opened with a private key.
(ACE) An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
(ACL) A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access control list (ACL) is an access control entry (ACE). There are two types of access control list, discretionary and system.
A 32-bit value that specifies the rights that are allowed or denied in an access control entry (ACE). An access mask is also used to request access rights when an object is opened.
An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user`s groups, and the user`s privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.
Any program that causes advertising content to be displayed. It may be linked to other software or content that is wanted, subsidizing its cost. It may provide advertising that is desired by the user. It may be a nuisance and impair productivity; may display objectionable content; can slow machine down or cause crashes and loss of data; may not provide users with adequate removal tools; may be associated with security risks. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
The CryptoAPI algorithm name for the Advanced Encryption Standard algorithm.
The CryptoAPI algorithm class for data encryption algorithms. Typical data encryption algorithms include RC2 and RC4.
The CryptoAPI algorithm class for hashing algorithms. Typical hashing algorithms include MD2, MD5, SHA-1, and MAC.
The CryptoAPI algorithm class for key exchange algorithms. A typical key exchange algorithm is RSA_KEYX.
The CryptoAPI algorithm class for signature algorithms. A typical digital signature algorithm is RSA_SIGN.
A protocol that normally resides on top of the transport layer. For example, HTTP, TELNET, FTP, and SMTP are all application protocols.
(APDU) A command sequence (an Application Protocol Data Unit) that can be sent by the smart card or returned by the application.
American Standard Code for Information Interchange. A coding scheme that assigns numeric values to letters, numbers, punctuation marks, and certain other characters.
A sequence of bytes returned from a smart card when it is turned on. These bytes are used to identify the card to the system.
An element of a relative distinguished name (RDN). Some typical attributes include common name, surname, e-mail address, postal address, and country/region name.
An encoded representation of the attribute information stored in a certificate request.
The process for verifying that a user, computer, service, or process is who or what it claims to be.
A DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. LSA authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
A security feature of Internet Explorer. Authenticode allows vendors of downloadable executable code (plug-ins or ActiveX controls, for example) to attach digital certificates to their products to assure end users that the code is from the original developer and has not been altered. Authenticode lets end users decide for themselves whether to accept or reject software components posted on the Internet before downloading begins. <BR>
A Remote Control Software used to allow remote access or control of computer systems. It can be used to turn a user’s machine into a mass mailer or soldier for DDoS attack or a host for malicious or inappropriate content; it is stealing cycles and other resources; can slow machines down; may be associated with loss of data; and may cause personal information to be shared widely or allow it to be stolen. It may allow remote technical support or troubleshooting; can provide users remote access to own data or resources. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
A trusted application running on a secure computer that provides secondary storage for the session keys of its clients. The backup authority stores session keys as key BLOBs that are encrypted with the backup authority`s public key. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp" target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp</a>
A type of data contained in a PKCS #7 message. Base content types only contain data, no cryptographic enhancements such as hashes or signatures. Currently, the only base content type is the Data content type.
The lowest level of functions in the CryptoAPI architecture. They are used by applications and other high-level CryptoAPI functions to provide access to CSP-provided cryptographic algorithms, secure key generation, and secure storage of secrets.
(BER) The set of rules used to encode ASN.1 defined data into a stream of bits (zeros or ones) for external storage or transmission. A single ASN.1 object may have several equivalent BER encodes. BER is defined in CCITT Recommendation X.209. This is one of the two encoding methods currently used by CryptoAPI.
A memory or data format in which the most significant byte is stored at the lower address or arrives first.
A generic sequence of bits that contain one or more fixed-length header structures plus context specific data.
A cipher algorithm that encrypts data in discrete units (called blocks), rather than as a continuous stream of bits. The most common block size is 64 bits. For example, DES is a block cipher.
A session key derived from a master key. Bulk encryption keys are used in Schannel (A security package that provides authentication between clients and servers) encryption.
Identifies the certification authority (CA) that issues server and client authentication certificates to the servers and clients that request these certificates. Because it contains a public key used in digital signatures, it is also referred to as a signature certificate. If the CA is a root authority, the CA certificate may be referred to as a root certificate. Also sometimes known as a site certificate. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A certification authority (CA) hierarchy contains multiple CAs. It is organized such that each CA is certified by another CA in a higher level of the hierarchy until the top of the hierarchy, also known as the root authority, is reached.
The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of ephemeral keys.
The CryptoAPI algorithm identifier for the Diffie-Hellman key-exchange algorithm when used for the generation of store-and-forward keys.
The CryptoAPI algorithm identifier for the hash-based Message Authentication Code algorithm.
The CryptoAPI algorithm identifier for the Message Authentication Code algorithm.
The CryptoAPI algorithm identifier for the MD2 hash algorithm.
The CryptoAPI algorithm identifier for the MD5 hash algorithm.
The CryptoAPI algorithm identifier for the RC2 block cipher algorithm.
The CryptoAPI algorithm identifier for the RC4 stream cipher algorithm.
The CryptoAPI algorithm identifier for the RSA public key algorithm when used for key exchange.
The CryptoAPI algorithm identifier for the RSA public key algorithm when used to generate digital signatures.
The CryptoAPI algorithm identifier for the Secure Hash Algorithm (SHA-1).
A family of DES-like symmetric block ciphers developed by C. M. Adams and S. E. Tavares. PROV_MS_EXCHANGE provider types specify a particular CAST algorithm that uses a 64-bit block size.
A digitally signed statement that contains information about an entity and the entity`s public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a certification authority (CA) after the CA has verified that the entity is who it says it is.<BR>Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA`s signature.<BR><BR>
A BLOB that contains the certificate data.<BR>A certificate BLOB is created by calls to CryptEncodeObject. The process is complete when the output of the call contains all the certificate data.<BR>
A CERT_CONTEXT structure that contains a handle to a certificate store, a pointer to the original encoded certificate BLOB, a pointer to a CERT_INFO structure, and an encoding type member. It is the CERT_INFO structure that contains most of the certificate information.
Functions that manage the translation of certificates and related material into standard, binary formats that can be used in different environments.
Defines how the certificate is encoded. The certificate encoding type is stored in the low-order word of the encoding type (DWORD) structure.
An encoded representation of the name information that is included in certificates. Each name BLOB is mapped to a CERT_NAME_BLOB structure.<BR>For example, the issuer and subject information referenced by a CERT_INFO structure is stored in two CERT_NAME_BLOB structures.<BR>
A named set of rules that indicate the applicability of certificates for a specific class of applications with common security requirements. Such a policy might, for example, limit certain certificates to electronic data interchange transactions within given price limits.
A specially formatted electronic message (sent to a CA) used to request a certificate. The request must contain the information required by the CA to authenticate the request, plus the public key of the entity requesting the certificate.<BR>All the information necessary to create the request is mapped to a CERT_REQUEST_INFO structure.<BR><BR>
(CRL) A document maintained and published by a certification authority (CA) that lists certificates issued by the CA that are no longer valid.
A server that issues certificates for a particular CA. The certificate server software provides customizable services for issuing and managing certificates used in security systems that employ public key cryptography.
A software service that issues certificates for a particular certification authority (CA). It provides customizable services for issuing and managing certificates for the enterprise. Certificates can be used to provide authentication support, including secure e-mail, Web-based authentication, and smart card authentication.
Typically, a permanent storage where certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs) are stored. It is possible, however, to create and open a certificate store solely in memory when working with certificates that do not need to be put in permanent storage.<BR>The certificate store is central to much of the certificate functionality in CryptoAPI.<BR>
Functions that manage the storage and retrieval data such as certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs). These functions can be separated into common certificate functions, certificate revocation list functions, and certificate trust list functions.
A Windows construct that profiles certificates (that is, it prespecifies the format and content) based on their intended usage. When requesting a certificate from a Windows enterprise certification authority (CA), certificate requesters are, depending on their access rights, able to select from a variety of certificate types that are based on certificate templates, such as User and Code Signing.
(CTL) A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.
(CA) An entity entrusted to issue certificates that assert that the recipient individual, computer, or organization requesting the certificate fulfills the conditions of an established policy.
A block cipher mode that introduces feedback by combining ciphertext and plaintext.<BR>
A cryptographic algorithm used to encrypt data; that is, to transform plaintext into ciphertext using a predefined key.
(CBC) A method of operating a symmetric block cipher that uses feedback to combine previously generated ciphertext with new plaintext. Each plaintext block is combined with the ciphertext of the previous block by a bitwise-XOR operation before it is encrypted. Combining ciphertext and plaintext ensures that even if the plaintext contains many identical blocks, they will each encrypt to a different ciphertext block. When the Microsoft Base Cryptographic Provider is used, CBC is the default cipher mode.
A block cipher method that encrypts the base data with a block cipher and then uses the last encrypted block as the hash value. The encryption algorithm used to build the Message Authentication Code (MAC) is the one that was specified when the session key was created.
(CFB) A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.<BR>This mode uses a shift register that is one block size in length and divided into sections. For example, if the block size is 64 bits with eight bits processed at a time, then the shift register would be divided into eight sections.<BR>
A block cipher mode (each block is encrypted individually) that can be specified by using the CryptSetKeyParam function. If the application does not explicitly specify one of these modes, then the cipher block chaining (CBC) cipher mode is used.<BR>ECB: A block cipher mode that uses no feedback.<BR><BR>CBC: A block cipher mode that introduces feedback by combining ciphertext and plaintext.<BR><BR>CFB: A block cipher mode that processes small increments of plaintext into ciphertext, instead of processing an entire block at a time.<BR><BR>OFB: A block cipher mode that uses feedback similar to CFB.<BR>
A message that has been encrypted.
The application, rather than the server application, that initiates a connection to a server.
Refers to a certificate used for client authentication, such as authenticating a Web browser on a Web server. When a Web browser client attempts to access a secured Web server, the client sends its certificate to the server to allow it to verify the client`s identity.
Certificate management protocol using cryptographic message syntax.
The method in which data is serialized (converted to a string of ones and zeros) and deserialized. The protocol is controlled by both software and data-transmission hardware.<BR>Typically discussed in terms of layers, a simplified communication protocol might consist of an application layer, encode/decode layer, and hardware layer.<BR>
Behavior that allows the server to forward requests on behalf of the client only to a specified list of services.<BR>Windows XP, Windows 2000, and Windows NT: Constrained delegation is not supported.
The security data relevant to a connection. A context contains information such as a session key and duration of the session.
Functions used to connect to a cryptographic service provider (CSP). These functions enable applications to choose a specific CSP by name or get one with a needed class of functionality.
A signature of an existing signature and message or a signature of an existing signature. A countersignature is used to sign the encrypted hash of an existing signature or to time stamp a message.
Previously authenticated logon data used by a security principal to establish its own identity, such as a password, or a Kerberos protocol ticket.
Encoding type that specifies certificate encoding. Certificate encoding types are stored in the low-order word of a DWORD (value is: 0x00000001). This encoding type is functionally the same as the X509_ASN_ENCODING encoding type.
Cryptanalysis is the art and science of breaking ciphertext. In contrast, the art and science of keeping messages secure is cryptography.
Application programming interface that enables application developers to add authentication, encoding, and encryption to Windows-based applications.
A mathematical function used for encryption and decryption. Most cryptographic algorithms are based on a substitution cipher, a transposition cipher, or a combination of both.
A one-way hash function that takes a variable-length input string and converts it to a fixed-length output string (called a cryptographic digest.) This fixed-length output string is probabilistically unique for every different input string and thus can act as a fingerprint of a file. When a file with a cryptographic digest is downloaded, the receiver recomputes the digest. If the output string matches the digest contained in the file, the receiver has proof that the received file was not tampered with and is identical to the file originally sent.
The session (symmetric) key used during the encryption and decryption processes, and the public and private keys used during the authentication process. Of these three keys, the session key and private key must always remain secret.
(CSP) An independent software module that actually performs cryptography algorithms for authentication, encoding, and encryption.
The art and science of information security. It includes information confidentiality, data integrity, entity authentication, and data origin authentication.
(CNG) The second generation of the CryptoAPI. CNG allows you to replace existing algorithm providers with your own providers and add new algorithms as they become available. CNG also allows the same APIs to be used from user and kernel mode applications.
The branch of mathematics that encompasses both cryptography and cryptanalysis.
The system program interface used with a cryptographic service provider (CSP).
A unique group of CSPs that use the same set of data formats and perform their function in the same way. Even when two CSP families use the same algorithm (for example, the RC2 block cipher), their different padding schemes, keys lengths, or default modes make each group distinct. CryptoAPI has been designed so that each CSP type represents a particular family.
The textual name of the CSP. If the CSP has been signed by Microsoft, this name must exactly match the CSP name that was specified in the Export Compliance Certificate (ECC).
Indicates the CSP family associated with a provider. When an application connects to a CSP of a particular type, each of the CryptoAPI functions will, by default, operate in a way prescribed by the family that corresponds to that CSP type.
An encryption algorithm that uses a 40-bit variant of a DES key where 16 bits of the 56-bit DES key are set to zero. This algorithm is implemented as specified in the IETF Draft specification for 40-bit DES. The draft specification, at the time of this writing can be found at ftp://ftp.ietf.org/internet-drafts/draft-hoffman-des40-02.txt. This algorithm is used with the ALG_ID value CALG_CYLINK_MEK.
A base content type defined by PKCS #7. Data content is simply an octet (byte) string. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp</a>
(DES) A block cipher that encrypts data in 64-bit blocks. DES is a symmetric algorithm that uses the same algorithm and key for encryption and decryption. <BR>Developed in the early 1970s, DES is also known as the DEA (Data Encryption Algorithm) by ANSI and the DEA-1 by ISO.<BR><BR>
A communication channel that uses information routed through a packet-switching network. This information includes separate packets of information and the delivery information associated with those packets, such as the destination address. In a packet-switching network, data packets are routed independently of one another and may follow different routes. They may also arrive in a different order from the one in which they were sent.
The process of translating an encoded object (such as a certificate) or data back to its original format. <BR>In general terms, data is decoded by the Encoding/Decoding layer of the communication protocol. Certificates are decoded by a call to the CryptDecodeObject function.<BR>
The process of translating an encoded object (such as a certificate) or data back to its original format. <BR>In general terms, data is decoded by the Encoding/Decoding layer of the communication protocol. Certificates are decoded by a call to the CryptDecodeObject function.<BR>
The process of converting ciphertext to plaintext. Decryption is the opposite of encryption.
Default settings, such as the block encryption cipher mode or the block encryption padding method.
A cryptographic key created by a call to the CryptDeriveKey function. A derived key can be created from a password, or any other user data. Derived keys allow applications to create session keys as needed, eliminating the need to store a particular key.
The CryptoAPI algorithm name for the Diffie-Hellman key-exchange algorithm.
A dialing software used to make calls or access services through a modem or Internet connection. It may cause unexpected toll calls to be made and charged to the user or may allow access to desired services. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
A Diffie-Hellman algorithm where the exchange key value is purged from the CSP when the key handle is destroyed.
A Diffie-Hellman algorithm where the exchange key values are retained (in the CSP) after the key handle has been destroyed.
(DH) A public key algorithm used for secure key exchange. Diffie-Hellman cannot be used for data encryption. This algorithm is specified as the key exchange algorithm for PROV_DSS_DH provider types.
A data content type defined by PKCS #7 that consists of any type of data plus a message hash (digest) of the content.
Private messages encrypted using the recipient`s public key. Enveloped messages can only be decrypted by using the recipient`s private key, allowing only the recipient to understand the message.
Data that binds a sender`s identity to the information being sent. A digital signature may be bundled with any message, file, or other digitally encoded information, or transmitted separately. Digital signatures are used in public key environments and provide authentication and integrity services.
(DSA) A public key algorithm specified by Digital Signature Standard (DSS). DSA is only used to generate digital signatures. It cannot be used for data encryption.
(DSS) A standard that specifies the Digital Signature Algorithm (DSA) for its signature algorithm and SHA-1 as its message hash algorithm. DSA is a public key cipher that is only used to generate digital signatures and cannot be used for data encryption. DSS is specified by PROV_DSS, PROV_DSS_DH, and PROV_FORTEZZA provider types.
(DACL) An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
(DER) A set of rules for encoding ASN.1 defined data as a stream of bits for external storage or transmission. Every ASN.1 object has exactly one corresponding DER encoding. DER is defined in CCITT Recommendation X.509, Section 8.7. This is one of two encoding methods currently used by CryptoAPI.
(DLL) A file that contains executable routines that can be called from other applications.
(ECB) A block cipher mode (each block is encrypted individually) that uses no feedback. This means any blocks of plaintext that are identical (either in the same message or in a different message that is encrypted with the same key) is transformed into identical ciphertext blocks. Initialization vectors cannot be used with this cipher mode. If a single bit of the ciphertext block is garbled, then the entire corresponding plaintext block is also garbled. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp" target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
The process of turning data into a stream of bits. Encoding is part of the serialization process that converts data into a stream of ones and zeros.
Refers to which type of encoding is used for certificate and message encoding. The encoding types are specified as a DWORD, with the type of certificate encoding stored in the low-order word and the type of message encoding stored in the high-order word. Although some functions or structure fields require only one of the encoding types, it is always acceptable to specify both.
Data that has been converted from plaintext into ciphertext. Encrypted messages are used to disguise the content of a message when it is sent or stored.
(EFS) A feature in the Windows operating system that enables users to encrypt files and folders on an NTFS volume disk to keep them safe from access by intruders.
The process of converting plaintext to ciphertext to help prevent it from being read and understood by an unauthorized party. Encryption is the opposite of decryption.
Simplified message functions used to encode and encrypt (or decode and decrypt) data. As a set, these functions include support for simultaneously encrypting and decrypting data.
A class of data contained in a PKCS #7 message that contains data (possibly encrypted), plus cryptographic enhancements such as hashes or signatures. Types of enhanced data defined by PKCS #7 include signed data, enveloped data, signed-and-enveloped data, and digested (hashed) data.
(EKU) Both a certificate extension and a certificate extended property value. An EKU specifies the uses for which a certificate is valid.
A PKCS #7 enhanced content that consists of encrypted content (of any type) and content-encryption keys (for one or more recipients). The combination of encrypted content and encryption key for a recipient is called a digital envelope for that recipient. This type of message should be used when you want to keep the contents of the message secret and allow only specified persons or entities to retrieve the contents.
A public/private key pair used to encrypt session keys so that they can be safely stored and exchanged with other users. Exchange key pairs are created by calling the CryptGenKey function.
A certificate store that maintains its certificates, CRLs, and CTLs in a location external to cached memory, such as in a database on a network server. An external store does not read and decode its certificates, CRLs, and CTL when the CertOpenStore function is called. Reading and decoding is deferred until an enumeration or find method is called.
A Graphical Identification and Authentication dynamic-link library (DLL). The GINA is a replaceable DLL component that is loaded by the Winlogon executable. The GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp" target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
The executable program that processes graphical function calls from a Windows-based application and passes those calls to the appropriate device driver, which performs the hardware-specific functions that generate output. <BR>
A security analysis software that is used by a computer user to analyze or circumvent security protections and are frequently used nefariously. Its presence may violate corporate policies or family understandings and can be used for security research and other legitimate security purposes. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
A token used to identify or access an object, such as the handle to a cryptographic provider, certificate store, message, or key pair. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A fixed-size result obtained by applying a mathematical function (the hashing algorithm) to an arbitrary amount of data. (Also known as "message digest.")
An object used to hash messages or session keys. The hash object is created by a call to CryptCreateHash. The definition of the object is defined by the CSP specified in the call.
(HMAC) A symmetric keyed hashing algorithm implemented by Microsoft cryptographic service providers. An HMAC is used to verify the integrity of data to help ensure it has not been modified while in storage or transit. It can be used with any iterated cryptographic hash algorithm, such as MD5 or SHA-1. CryptoAPI references this algorithm by its algorithm identifier (CALG_HMAC) and class (ALG_CLASS_HASH).
An algorithm used to produce a hash value of some piece of data, such as a message or session key. Typical hashing algorithms include MD2, MD4, MD5, and SHA-1.
A set of functions used to create and destroy hash objects, get or set the parameters of a hash object, and hash data and session keys.
Data type which serves as a handle to a Certificate Services backup context. Its role is to maintain context state between the server and the backup APIs when a backup is being performed.
A system modifying software that is used to modify system and change user experience: e.g. home page, search page, default media player, or lower level system functions. Without appropriate consent, system modification is hijacking, it can compromise system integrity and security, can drive user to spoofed web sites in order to steal their ID and may be used for desirable customization. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
Software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). IIS incorporates various functions for security, allows for CGI applications, and provides for Gopher and FTP servers. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp ">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp</a>
An access token that has been created to capture the security information of a client process, allowing a server to "impersonate" the client process in security operations.
(IV) A sequence of random bytes appended to the front of the plaintext before encryption by a block cipher. Adding the initialization vector to the beginning of the plaintext eliminates the possibility of having the initial ciphertext block the same for any two messages. For example, if messages always start with a common header (a letterhead or "From" line) their initial ciphertext would always be the same, assuming that the same cryptographic algorithm and symmetric key was used. Adding a random initialization vector eliminates this from happening.
Data that is enhanced, such as with a digital signature. This term is used primarily when discussing enhanced data in a PKCS #7 message.
Any encoded data used as the message for another encoded message. For example, an enveloped message and its hash value may be the inner data for a second message.
The completeness and accuracy of a message after it has been sent or stored.
A protocol that defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client`s network credentials. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A BLOB containing an encrypted private key. Key BLOBs provide a way to store keys outside the CSP. Key BLOBs are created by exporting an existing key from the CSP by calling the CryptExportKey function. Later, the key BLOB can be imported into a provider (often a different CSP on a different computer) by calling the CryptImportKey function. This creates a key in the CSP that is a duplicate of the one that was exported.
The format of the key BLOB when a public or session key is exported from a CSP. The format is specified by the provider type of the exporting CSP. A key BLOB is created by calling CryptExportKey.
(KCA) A trusted entity that typically keeps a secure database of compound messages signed with the KCA`s private key. In practical implementations, the compound messages consist of the user`s name, the user`s public key, and any other important information about the user. When the receiving application gets a signed message from a user, the application can then verify the public key received with the message by comparing it to the public key stored in the KCA database.
A part of the key database that contains all the key pairs (exchange and signature key pairs) belonging to a specific user. Each container has a unique name that is used when calling the CryptAcquireContext function to get a handle to the container.
A database that contains the persistent cryptographic keys for a specific CSP. The database contains one or more key containers, which individually store all the cryptographic key pairs for a specific user.
(KDC) A network service that supplies session tickets and temporary session keys used in the Kerberos V5 authentication protocol. The KDC runs as a privileged process on all domain controllers.
An algorithm used to encrypt and decrypt exchange keys (symmetric session keys). Some common key exchange algorithms include DH and KEA. Each provider type can specify only one key exchange algorithm.
(KEA) The key exchange algorithm specified by a PROV_FORTEZZA provider type. This algorithm is an improved version of the Diffie-Hellman algorithm.
A certificate used to encrypt information sent to another party. The certification authority (CA) key exchange certificate can be used by a client to encrypt information sent to the CA.
A set of functions used to exchange or transmit keys. Key exchange functions can also be used to implement fully authenticated three-phase key exchanges.
The private key of an exchange key pair.
A protocol by which two parties exchange information to establish a shared secret. The shared secret is then typically used as a symmetric encryption key.
The public key of an exchange key pair.
A set of functions used by applications to generate and customize cryptographic keys. These functions include full support for changing chaining modes, initialization vectors, and other encryption features.
Values specified by some providers that indicate the length of the public/private key pairs and session keys used with that provider.
A private key and its related public key.
A more easily implemented subset of the X.500 DAP standard for directory services. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp" target= _blank> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A memory or data format in which the least significant byte is stored at the lower address or arrives first.
(LRA) An intermediary between a publisher and a certification authority (CA). The LRA can, for example, verify a publisher`s credentials before sending them to the CA.
(LSA) A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system.
(LUID) A 64-bit value that is guaranteed to be unique on the operating system that generated it until the system is restarted.
Information presented to the system by a security principal for authentication.
An LUID that identifies a logon session. A logon ID is valid until the user logs off. A logon ID is unique while the computer is running; no other logon session will have the same logon ID. However, the set of possible logon IDs is reset when the computer starts up. To retrieve the logon ID from an access token, call the GetTokenInformation function for TokenStatistics; the logon ID is in the AuthenticationId member.
A logon session begins whenever a user logs on to a computer. All processes in a logon session have the same primary access token. The access token contains information about the security context of the logon session, including the user`s SID, the logon identifier, and the logon SID.
A security identifier (SID) that identifies a logon session. You can use the logon SID in a DACL to control access during a logon session. A logon SID is valid until the user logs off. A logon SID is unique while the computer is running; no other logon session will have the same logon SID. However, the set of possible logon SIDs is reset when the computer starts up. To retrieve the logon SID from an access token, call the GetTokenInformation function for TokenGroups.
Message management functions that operate at a higher level than the base cryptographic functions. These functions provide functionality for encoding data for transmission and for decoding data that has been received. Low-level message functions provide more flexibility than simplified message functions, but require more function calls.
A message authentication code key used with Schannel protocols. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
The key used by the client and server for all session key generation. The master key is used to generate the client-read key, the client-write key, the server-read key, and the server-write key. Master keys can be exported as simple key BLOBs.
The CryptoAPI algorithm name for the MD2 hash algorithm. Other hashing algorithms include MD4, MD5, and SHA.
(MD2) A hashing algorithm that creates a 128-bit hash value. MD2 was optimized for use with 8-bit computers. CryptoAPI references this algorithm by its type (CALG_MD2), name (MAC), and class (ALG_CLASS_HASH). MD2 was developed by RSA Data Security, Inc.
The CryptoAPI algorithm name for the MD4 hash algorithm. Other hashing algorithms include MD2, MD5, and SHA.
(MD4) A hashing algorithm that creates a 128-bit hash value. MD4 was optimized for 32-bit computers. It is now considered broken because collisions can be found too quickly and easily. MD4 was developed by RSA Data Security, Inc.
The CryptoAPI algorithm name for the MD5 hash algorithm. Other hashing algorithms include MD2, MD4, and SHA.
(MD5) A hashing algorithm that creates a 128-bit hash value. MD5 was optimized for 32-bit computers. CryptoAPI references this algorithm by its algorithm identifier (CALG_MD5), name (MD5), and class (ALG_CLASS_HASH). MD5 was developed by RSA Data Security, Inc. and is specified by PROV_RSA_FULL, PROV_RSA_SIG, PROV_DSS, PROV_DSS_DH, and PROV_MS_EXCHANGE provider types.
Any data that has been encoded for transmission to or received from a person or entity. Messages may be encrypted for privacy, digitally signed for authentication purposes, or both.
(MAC) A keyed hashing algorithm that uses a symmetric session key to help ensure that a block of data has retained its integrity from the time it was sent until the time it was received. When using this type of algorithm, the receiving application must also possess the session key to recompute the hash value so it can verify that the base data has not changed. CryptoAPI references this algorithm by its type (CALG_MAC), name (MAC), and class (ALG_CLASS_HASH).
Defines how the message is encoded. The message encoding type is stored in the high-order word of the encoding type structure. Current defined encoding types are: CRYPT_ASN_ENCODING, X509_ASN_ENCODING, and PKCS_7_ASN_ENCODING.
Functions that provide two levels of message management: low-level message functions and simplified message functions. The low-level message functions provide more flexibility than the simplified message functions; however, they require more function calls.
Functions used to sign messages and data.
(MPR) A system component that handles communications between the system and all network providers. The MPR calls the network provider functions that are exposed by each network provider.
(NIST) A division of the United States Department of Commerce that publishes official standards for both government and private sector computer systems. These standards are published as Federal Information Processing Standards(FIPS) publications. In 1987, NIST was directed to define standards for ensuring the security of sensitive but unclassified information in government computer systems. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp" target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp</a>
A security support provider (SSP) that acts as an application layer between Security Support Provider Interface (SSPI) and the other SSPs. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.
A randomly generated value used to defeat "replay" attacks.
The ability to identify users who performed certain actions, thus irrefutably countering any attempts by a user to deny responsibility. For example, a system may log the ID of a user whenever a file is deleted. <BR>
(OID) A number that uniquely identifies an object class or attribute. An object identifier is represented as a dotted decimal string, such as 1.2.3.4. Object identifiers are organized into a global hierarchy. National registration authorities issue root object identifiers to individuals or organizations, who manage the hierarchy below their root object identifier. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A sequence of bytes used to store session keys. Opaque BLOBs contain the base key material and all current state information. This includes information such as the salt value, the initialization vector, and the key table. The format of opaque BLOBs is unpublished. Each CSP vendor determines its own BLOB format which should include encrypting the opaque BLOBs with some sort of symmetric key.
The enhancements for some encapsulated data. This term is used primarily when discussing enhanced data (the inner content) in PKCS #7 messages.
(OFB) A block cipher mode that uses feedback similar to the Cipher Feedback (CFB) mode. The only difference between the two modes is how the shift register is filled.
A string, typically added when the last plaintext block is short. For example, if the block length is 64 bits and the last block contains only 40 bits, then 24 bits of padding must be added to the last block. The padding string may contain zeros, alternating zeros and ones, or some other pattern. Applications that use CryptoAPI need not add padding to their plaintext before it is encrypted, nor do they have to remove it after decrypting. This is all handled automatically. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority.
Any storage medium that remains intact when the power to it is disconnected. Many certificate store databases are forms of persistent storage.
The Personal Information Exchange Syntax Standard, developed and maintained by RSA Data Security, Inc. This syntax standard specifies a portable format for storing or transporting a user`s private keys, certificates, and miscellaneous secrets.
The Cryptographic Message Syntax Standard. A general syntax for data to which cryptography may be applied, such as digital signatures and encryption. It also provides a syntax for disseminating certificates or certificate revocation lists and other message attributes, such as time stamps, to the message.
A data object that is signed with the Public Key Cryptography Standard #7 (PKCS #7) and that encapsulates the information used to sign a file. Typically, it includes the signer`s certificate and the root certificate.
A message encoding type. Message encoding types are stored in the high-order word of a DWORD (value is: 0x00010000).
A message that is not encrypted. Plaintext messages are sometimes referred to as cleartext messages.
The standard Windows executable format.
The MsV1_0 authentication package defines a primary credential key string value: The primary credentials string holds the credentials provided at initial logon time. It includes the user name and both case-sensitive and case-insensitive forms of the user`s password.
The service provider that supplies the control interfaces to the card. Each smart card can register its primary service provider in the smart card database.
An access token that is typically created only by the Windows kernel. It may be assigned to a process to represent the default security information for that process.
The condition of being isolated from view or secret. With respect to messages, private messages are encrypted messages whose text is hidden from view. With respect to keys, a private key is a secret key concealed from others.
The secret half of a key pair used in a public key algorithm. Private keys are typically used to encrypt a symmetric session key, digitally sign a message, or decrypt a message that has been encrypted with the corresponding public key.
A key BLOB that contains a complete public/private key pair. Private key BLOBs are used by administrative programs to transport key pairs. As the private key portion of the key pair is extremely confidential, these BLOBs are typically kept encrypted with a symmetric cipher. These key BLOBs can also be used by advanced applications where the key pairs are stored within the application, rather than relying on the CSP`s storage mechanism. A key BLOB is created by calling the CryptExportKey function.
The right of a user to perform various system-related operations, such as shutting down the system, loading device drivers, or changing the system time. A user`s access token contains a list of the privileges held by either the user or the user`s groups.
The security context under which an application runs. Typically, the security context is associated with a user, so all applications running under a given process take on the permissions and privileges of the owning user.
Predefined provider type that only supports digital signatures and hashes. It specifies the DSA signature algorithm, and the MD5 and SHA-1 hashing algorithms.
Predefined provider type that provides key exchange, digital signature, and hashing algorithms. It is similar to the PROV_DSS provider type.
Predefined provider type that provides key exchange, digital signature, encryption, and hashing algorithms. The cryptographic protocols and algorithms specified by this provider type are owned by the National Institute of Standards and Technology (NIST).
Predefined provider type designed for the needs of Microsoft Exchange, as well as other applications that are compatible with Microsoft Mail. It provides key exchange, digital signature, encryption, and hashing algorithms.
Predefined provider type defined by Microsoft and RSA Data Security, Inc. This general purpose provider type provides key exchange, digital signature, encryption, and hashing algorithms. The key exchange, digital signature, and encryption algorithms are based on RSA public key cryptography.
Predefined provider type defined by Microsoft and RSA Data Security. This provider type is a subset of PROV_RSA_FULL that provides only digital signature and hashing algorithms. The digital signature algorithm is an RSA public key algorithm.
Predefined provider type that supports the Secure Sockets Layer (SSL) protocol. This type provides key encryption, digital signature, encryption, and hashing algorithms. A specification explaining SSL is available from Netscape Communications Corp.
A name used to identify a CSP. For example, the Microsoft Base Cryptographic Provider version 1.0. The provider name is typically used when calling the CryptAcquireContext function to connect to a CSP.
A term used to identify a type of cryptographic service provider (CSP). CSPs are grouped into different provider types that represent a specific families of standard data formats and protocols. In contrast to a CSP`s unique provider name, provider types are not unique for a given CSP. The provider type is typically used when calling the CryptAcquireContext function to connect to a CSP.
(PRF) A function that takes a key, label, and seed as input, then produces an output of arbitrary length.
A cryptographic key typically used when decrypting a session key or a digital signature. The public key can also be used to encrypt a message, guaranteeing that only the person with the corresponding private key can decrypt the message.
An asymmetric cipher that uses two keys, one for encryption, the public key, and the other for decryption, the private key. As implied by the key names, the public key used to encode plaintext can be made available to anyone. However, the private key must remain secret. Only the private key can decrypt the ciphertext. The public key algorithm used in this process is slow (on the order of 1,000 times slower than symmetric algorithms), and is typically used to encrypt session keys or digitally sign a message.
A BLOB used to store the public key portion of a public/private key pair. Public key BLOBs are not encrypted as the public key contained within is not secret. A public key BLOB is created by calling the CryptExportKey function.
(PKCS) A set of syntax standards for public key cryptography covering security functions, including methods for signing data, exchanging keys, requesting certificates, public key encryption and decryption, and other security functions.
Encryption that uses a pair of keys, one key to encrypt data and the other key to decrypt data. In contrast, symmetric encryption algorithms that use the same key for both encryption and decryption. In practice, public key cryptography is typically used to protect the session key used by a symmetric encryption algorithm. In this case, the public key is used to encrypt the session key, which in turn was used to encrypt some data, and the private key is used for decryption. In addition to protecting session keys, public key cryptography may also be used to digitally sign a message (using the private key) and validate the signature (using the public key).
A set of cryptographic keys used for public key cryptography. For each user, a CSP usually maintains two public/private key pairs: an exchange key pair and a digital signature key pair. Both key pairs are maintained from session to session.
The CryptoAPI algorithm name for the RC2 algorithm. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A data encryption algorithm based on the RC2 64-bit symmetric block cipher. RC2 is specified by PROV_RSA_FULL provider types. CryptoAPI references this algorithm by its identifier (CALG_RC2), name (RC2), and class (ALG_CLASS_DATA_ENCRYPT).
The CryptoAPI algorithm name for the RC4 algorithm.
A data encryption algorithm based on the RC4 symmetric stream cipher. RC4 is specified by PROV_RSA_FULL provider types. CryptoAPI references this algorithm by its identifier (CALG_RC4), name (RC4), and class (ALG_CLASS_DATA_ENCRYPT).
A standard device within the smart card subsystem. An interface device (IFD) that supports bidirectional input/output to a smart card. It may be associated with an entire system, one or more reader groups, or with a specific terminal. The smart card subsystem allows a reader to be dedicated to the terminal to which it is assigned. However, currently only one terminal exists on a computer.
A specific driver that maps driver services to a specific hardware reader device. It must communicate card insertion and removal events to the smart card class driver for forwarding to the smart card resource manager, and it must provide data exchange capabilities to the card by any raw, T=0, T=1, or PTS protocol.
A logical group of readers. Reader groups can be defined by the system or created by users or administrators. Reader groups are used by smart card functions that can act upon groups of readers. To avoid naming collisions with user-defined groups, Microsoft reserves the use of any name that contains the dollar sign ($).
Provides common smart card driver support routines and additional T=0 and T=1 protocol support to specific drivers as needed.
An integer value used to keep track of a COM object. When an object is created, its reference count is set to one. Every time an interface is bound to the object, its reference count is incremented; when the interface connection is destroyed, the reference count is decremented. The object is destroyed when the reference count reaches zero. All interfaces to that object are then invalid.
(RDN) An entity included as the subject in a request for a certificate. The elements in an RDN are defined by its attributes and do not need to include a name. With respect to CryptoAPI, an RDN is defined by a CERT_RDN structure, which in turn points to an array of CERT_RDN_ATTR attribute structures. Each attribute structure specifies a single attribute.
(RID) The portion of a security identifier (SID) that identifies a user or group in relation to the authority that issued the SID.
A certificate store that has been moved from its default registry location to a different location in the registry.
A certificate store located on another computer, such as a file server or some other shared remote computer.
An application protocol data unit (APDU) sent in reply to a received APDU.
The ability of a user to falsely deny having performed an action while other parties cannot prove otherwise. For example, a user who deleted a file and who can successfully deny having done so.
The component of the smart card subsystem that manages access to multiple readers and smart cards. The resource manager identifies and tracks resources, allocates readers and resources across multiple applications, and supports transaction primitives for accessing services available on a given card.
A set of Windows functions that provide direct access to the resource manager`s services.
The context used by the resource manager when accessing the smart card database. The resource manager context is primarily used by the query and management functions when accessing the database. The scope of the resource manager context can be the current user or the system.
The certification authority (CA) at the top of a CA hierarchy. The root authority certifies CAs in the next level of the hierarchy.
A self-signed certification authority (CA) certificate that identifies a CA. It is called a root certificate because it is the certificate for the root CA. The root CA must sign its own CA certificate because by definition there is no higher certifying authority to sign its CA certificate.
A set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the users knowledge. <br><br> *Wikipedia the free encyclopedia
RSA Data Security, Inc., a major developer and publisher of public key cryptography standards (PKCS). The "RSA" in the name stands for the names of the company`s three developers and the owners: Rivest, Shamir, and Adleman.
A key exchange and signature algorithm based on the popular RSA Public Key cipher. This algorithm is used by PROV_RSA_FULL, PROV_RSA_SIG, PROV_MS_EXCHANGE, and PROV_SSL provider types. CryptoAPI references this algorithm by its identifiers (CALG_RSA_KEYX and CALG_RSA_SIGN), names (RSA_KEYX and RSA_SIGN) and class (ALG_CLASS_KEY_EXCHANGE). <BR>
The CryptoAPI algorithm name for the RSA key exchange algorithm. CryptoAPI also references this algorithm by its algorithm identifier (CALG_RSA_KEYX) and class (ALG_CLASS_KEY_EXCHANGE).
The CryptoAPI algorithm name for the RSA signature algorithm. CryptoAPI also references this algorithm by its algorithm identifier (CALG_RSA_SIGN) and class (ALG_CLASS_SIGNATURE).
Random data that is sometimes included as part of a session key. When added to a session key, the plaintext salt data is placed in front of the encrypted key data. Salt values are added to increase the work required to mount a brute-force (dictionary) attack against data encrypted with a symmetric-key cipher. Salt values are generated by calling CryptGenRandom. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
The form of a certification authority (CA) name that is used in file names (such as for a certificate revocation list) and in registry keys. The process of sanitizing the CA name is necessary to remove characters that are illegal for file names, registry key names, or Distinguished Name values, or that are illegal for technology-specific reasons. In Certificate Services, the sanitization process converts any illegal character in the common name of the CA to a 5-character representation in the format !xxxx, where ! is used as an escape character and xxxx represents four hexadecimal integers that uniquely identify the character being converted.
A smart card system-wide reader group that includes all readers introduced to the smart card resource manager. Readers are automatically added to the group when they are introduced to the system.
A terminal reader group that contains all readers assigned to that terminal, however, it is not reserved for this specific use.
A smart card system constant that tells the smart card resource manager to allocate sufficient memory itself, returning a pointer to the allocated buffer instead of filling in a user-supplied buffer. The returned buffer must then eventually be freed by calling SCardFreeMemory.
A security package that provides authentication between clients and servers.
(SAS) A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.
(SET) A protocol for secure electronic transactions over the Internet.
(SHA) A hashing algorithm that generates a message digest. SHA is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), among other places. CryptoAPI references this algorithm by the algorithm`s identifier (CALG_SHA), name (SHA), and class (ALG_CLASS_HASH). There are four varieties of SHA: SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 generates a 160-bit message digest. SHA-256, SHA-384, and SHA-512 generate 256-bit, 384-bit, and 512-bit message digests, respectively. SHA was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA).
A standard designed by NIST and NSA. This standard defines the Secure Hash Algorithm (SHA-1) for use with the Digital Signature Standard (DSS).
(SSL) A protocol for secure network communications using a combination of public and secret key technology.
(S/MIME) An e-mail security standard that makes use of public key encryption. <BR>
(SAM) A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.
The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session.
A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object`s owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.
(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account`s SID rather than the account`s user or group name.
The software implementation of a security protocol. Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
An entity recognized by the security system. Principals can include human users as well as autonomous processes.
A specification that defines security-related data objects and rules about how the objects are used to maintain security on a computer system.
(SSP) A dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application`s SSPI function calls and an actual security model`s functions. Security packages support security protocols such as Kerberos authentication and the Microsoft LAN Manager.
(SSPI) A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security providers, such as Windows Distributed Security. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol`s details.
A security descriptor that stores all its security information in a contiguous block of memory.
The process of converting data into a string of ones and zeros so that it can be transmitted serially. Encoding is part of this process.
(SST) The Serialized Certificate Store format is the only format that preserves all certificate store properties. It is useful in cases such as when roots have been configured with custom EKU properties, and you want to move them to another computer.
A computer that responds to commands from a client computer. The client and server work together to perform distributive application functionality.
Refers to a certificate used for server authentication, such as authenticating a Web server to a Web browser. When a Web browser client attempts to access a secured Web server, the server sends its certificate to the browser to allow it to verify the server`s identity.
(SGC) An extension of Secure Sockets Layer (SSL) that enables organizations, such as financial institutions, that have export versions of Internet Information Services (IIS) to use strong encryption (for example, 128-bit encryption).
(SPN) The name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication
A smart card subsystem component that provides access to specific smart card services by means of COM interfaces.
An exchange of messages under the protection of a single piece of keying material. For example, SSL sessions use a single key to send multiple messages back and forth under that key.
A randomly-generated key that is used one time, then discarded. Session keys are symmetric (used for both encryption and decryption). They are sent with the message, protected by encryption with a public key from the intended recipient. A session key consists of a random number of approximately 40 to 2000 bits. Session keys can be derived from hash values by calling the CryptDeriveKey function.
Specifies when a key is derived from a hash. Methods used depend on the CSP type.
The CryptoAPI name for the Secure Hash algorithm, SHA-1. Other hashing algorithms include MD2, MD4, and MD5.
Simplified message functions used to sign outgoing messages and verify the authenticity of applied signatures in received messages and related data.
A certificate that contains a public key that is used to verify digital signatures.
A file that contains the signature of a particular cryptographic service provider (CSP). The signature file is necessary to ensure that CryptoAPI recognizes the CSP. CryptoAPI validates this signature periodically to ensure the CSP has not been tampered with.
Functions used to create and verify digital signatures.
The public/private key pair used for authenticating (digitally signing) messages. Signature key pairs are created by calling CryptGenKey.
The private key of a signature key pair.
A data content type defined by PKCS #7. This data type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message hashes for one or more signers. The double encryption consists of an encryption with a signer`s private key followed by an encryption with the content-encryption key.
A data content type defined by PKCS #7. This data type consists of any type of content plus encrypted message hashes (digests) of the content for zero or more signers. The resulting hashes can be used to confirm who signed the message. These hashes also confirm that the original message has not been modified since the message was signed.
A session key encrypted with the key-exchange public key of the destination user. This key BLOB type is used when storing a session key or transmitting a session key to another user. A key BLOB is created by calling CryptExportKey.
Message management functions, such as message encryption, decryption, signing, and signature verification functions. Simplified message functions operate at a higher level than the base cryptographic functions or the low-level message functions. Simplified message functions wrap several of the base cryptographic, low-level message, and certificate functions into a single function that performs a specific task in a specific manner, such as encrypting a PKCS #7 message or signing a message.
Both server certificates and certification authority (CA) certificates are sometimes called site certificates. When referring to a server certificate, the certificate identifies the Web server presenting the certificate. When referring to a CA certificate, the certificate identifies the CA that issues server and/or client authentication certificates to the servers and clients that request these certificates.
An encryption algorithm specified as part of the Fortezza encryption suite. Skipjack is a symmetric cipher with a fixed key length of 80 bits. Skipjack is a classified algorithm created by the United States National Security Agency (NSA). The technical details of the Skipjack algorithm are secret.
An integrated circuit card (ICC) owned by an individual or a group whose information must be protected according to specific ownership assignments. It provides its own physical access control; without the smart card subsystem placing additional access control on the smart card. A smart card is a plastic card that contains an integrated circuit that is compatible with ISO 7816.
A common dialog box that assists the user in selecting and locating a smart card. It works with the smart card database management services and reader services to help the application, and, if necessary, the user, to identify which smart card to use for a given purpose.
The database used by the resource manager to manage resources. It contains a list of known smart cards, the interfaces and primary service provider of each card, and known smart card readers and reader groups.
The subsystem used to provide a link between smart card readers and smart card–aware applications.
(SPC) A PKCS #7 signed-data object that contains X.509 certificates.
A Tracking software that is used to monitor user behavior or gather information about the user, sometimes including personally identifiable or other sensitive information. It may collect personal information that can be shared widely or stolen, resulting in fraud or ID theft; can be used in the commission of other crimes, including domestic violence and stalking; can slow machine down; may be associated with security risks and/or loss of data. It may be used for legitimate monitoring: e.g. by parents or companies; may be a necessary component of adware that is linked to wanted software; may allow customization. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents </a>
An algorithm used for client authentication in Secure Sockets Layer (SSL) version 3. In the SSL3 protocol, a concatenation of an MD5 hash and a SHA-1 hash is signed with an RSA private key. CryptoAPI and the Microsoft Base and Enhanced Cryptographic Providers support SSL3 with the hash type CALG_SSL3_SHAMD5.
Version 3 of the Secure Sockets Layer (SSL) protocol.
The set of all persisted values associated with a cryptographic entity such as a key or a hash. This set can include such things as the initialization vector (IV) being used, the algorithm being used, or the value of the entity already calculated.
A cipher that serially encrypts data, one bit at a time.
An optional DLL that provides additional authentication functionality, usually by extending the authentication algorithm. If a subauthentication package is installed, the authentication package will call the subauthentication package before returning its authentication result to the Local Security Authority (LSA).
Credentials for use in authenticating a security principal to foreign security domains.
A cryptographic algorithm that typically uses a single key, often referred to as a session key, for encryption and decryption. Symmetric algorithms can be divided into two categories, stream algorithms and block algorithms (also called stream and block ciphers).
Encryption that uses a single key for both encryption and decryption. Symmetric encryption is preferred when encrypting large amounts of data. Some of the more common symmetric encryption algorithms are RC2, RC4, and Data Encryption Standard (DES).
A single key used for both encryption and decryption. Session keys are usually symmetric.
(SACL) An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object`s SACL is controlled by a privilege typically held only by system administrators.
The set of functions provided by a cryptographic service provider (CSP) that implements an application`s functions.
An asynchronous, character-oriented half-duplex transmission protocol. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
An asynchronous, block-oriented half-duplex transmission protocol.
A combination of monitor, keyboard, mouse, and co-located peripherals, such as smart card readers. Multiple processes may be associated with a single terminal, but only one process controls the terminal at any given time.
A protocol used to generate an authenticated and encrypted connection between two users on a nonsecure network. Users exchange a set of messages to negotiate a pair of encryption keys. One key is used by the sender to encrypt messages sent to the receiver and the other is used by the receiver to encrypt messages sent to the sender. This protocol ensures that both users are active and are sending messages directly to each other.
The SHA-1 hash of a certificate.
An operation that allows you to perform multiple interactions as a single operation. Intermediate steps are not actually taken until all interactions are completed successfully. If any interaction fails, all steps are returned to their original setting.
The network layer that is responsible for both quality of service and accurate delivery of information. Among the tasks performed in this layer are error detection and correction.
(TLS) A protocol that provides communications privacy and security between two applications communicating over a network.
An automatic download software that is used to download and install software without user interaction. It may be used to install unauthorized applications and may be used for automatic updates, or other automatic system maintenance. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents </a>
A variation of the DES block cipher algorithm that encrypts plain text with one key, encrypts the resulting ciphertext with a second key, and finally, encrypts the result of the second encryption with a third key. Triple DES is a symmetric algorithm that uses the same algorithm and keys for encryption and decryption.
The software that decides whether a given file is trusted. This decision is based on the certificate associated with the file.
The user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) applies to one trustee.
These are passive tracking technologies used to gather limited information about user activities without installing any software on the user’s computers. They may allow unwanted collection of information (for example, Web sites a user has visited), may be used for desired customization or personalization (example: “similar items you might like”) and may allow advertisers to avoid showing the same ad too often to the same person. <br><br> *<a href="http://antispywarecoalition.org/documents/glossary.htm" target=_blank>Anti-Spyware Coalition Definitions and Supporting Documents</a>
A worldwide character-encoding standard that allows more information to be contained in each string by defining 16-bit character strings rather than the standard 8-bit character strings. Unicode allows universal data exchange and improves multilingual text processing. Unicode strings are also called wide strings. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
(UCS) A 16-bit character set.
(UCS) A 16-bit character set.
A security identifier (SID) that is known on all systems that adhere to the security model based on authenticated users and discretionary access control.
A user of a system is identified by a login procedure, which establishes a process by which applications can run and access other security-relevant objects. An example of a login procedure is to use a smart card, possibly in conjunction with a password or personal identification number (PIN).
A common dialog box that lets the user connect to a smart card and use it in an application. Using the dialog box, the user can specify a specific card or search for the smart card to open.
(UPN) A user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located. This is the standard usage for logging on to a Windows domain. The format is: someone@example.com (as for an e-mail address).
A certificate store that consists of a collection of other certificate stores. A single search or enumeration function on a virtual store will search all of the stores that are members of the virtual stores collection. Any addition to a virtual store will add an element to one of the members of that store. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
A component of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a Graphical Identification and Authentication dynamic-link library (DLL) referred to as the GINA, and any number of network providers. Windows Me/98/95: Winlogon is not supported. <br><br> *<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp " target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
An Open Systems Interconnect (OSI) standard. <br><br> *<a href=http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp target=_blank>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secgloss/security/security_glossary.asp </a>
The ITU standard defining ASN.1.
The ITU standard that defines BER encodings for ASN.1 objects.
The ITU standard that defines message tokens.
The ITU standard that defines the structure of a global dictionary.
An internationally recognized standard for certificates that defines their required parts.
Encoding type that specifies certificate encoding. Certificate encoding types are stored in the low-order word of a DWORD (value is: 0x00000001). This encoding type is functionally the same as CRYPT_ASN_ENCODING.
Exclusive OR. A Boolean operation that yields true only if one of its operands are true and the other is false. If both operands are the same (either true or false), the operation yields false.