- S/MIME
See
Secure/Multipurpose Internet Mail Extensions.
- SACL
See
system access control list.
- salt value
Random data that is sometimes included as part of a session key. When added to a session key, the plaintext
salt data is placed in front of the encrypted key data. Salt values are added to increase the work required to
mount a brute-force or dictionary attack against data encrypted with a symmetric-key cipher. Salt values are
generated by calling CryptGenRandom.
- SAM
See
Security Accounts Manager.
- sanitized name
The form of a certification authority (CA) name that is used in file names (such as for a
certificate revocation list)
and in registry keys. The process of sanitizing the CA name is necessary to remove characters that are illegal
for file names, registry key names, or Distinguished Name values, or that are illegal for technology-specific
reasons. In Certificate Services, the sanitization process converts any illegal character in the common name of
the CA to a 5-character representation in the format !xxxx, where
! is used as an escape character and xxxx is the four-digit
hexadecimal code of the character being converted.
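The escaping rule described above, as an added example (not Certificate Services code). The !xxxx format is taken from the definition; the concrete set of characters treated as illegal, and the use of lowercase hexadecimal digits for the UTF-16 code unit, are assumptions made here for illustration.

```python
"""Sanitize a CA common name for use in file names and registry keys using
the !xxxx escape described in the glossary entry.  Added example; the set
of illegal characters and the lowercase hex form are assumptions."""

# Assumption: characters illegal in NTFS file names or registry key names,
# the unescaped Distinguished Name separators, and '!' itself so that a
# literal '!' in a CA name cannot be mistaken for an escape sequence.
ILLEGAL = set('\\/:*?"<>|') | set(',+=;#') | {"!"}


def _utf16_units(text):
    """Split text into 16-bit UTF-16 code units (one !xxxx per unit)."""
    raw = text.encode("utf-16-le")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


def sanitize_ca_name(common_name):
    """Printable ASCII that is not in ILLEGAL passes through; everything else
    (control characters, non-ASCII, illegal characters) becomes !xxxx."""
    out = []
    for unit in _utf16_units(common_name):
        ch = chr(unit)
        if 0x20 <= unit <= 0x7E and ch not in ILLEGAL:
            out.append(ch)
        else:
            out.append("!%04x" % unit)
    return "".join(out)


def unsanitize_ca_name(sanitized):
    """Reverse the escaping; raises ValueError on a malformed !xxxx sequence."""
    units, i = [], 0
    while i < len(sanitized):
        if sanitized[i] == "!":
            hex_digits = sanitized[i + 1:i + 5]
            if len(hex_digits) != 4 or any(c not in "0123456789abcdefABCDEF" for c in hex_digits):
                raise ValueError("malformed escape at offset %d" % i)
            units.append(int(hex_digits, 16))
            i += 5
        else:
            units.append(ord(sanitized[i]))
            i += 1
    # Re-assemble the code units so surrogate pairs decode back to one character.
    return b"".join(u.to_bytes(2, "little") for u in units).decode("utf-16-le")
```

Because '!' is itself escaped, the mapping is reversible: a CA named `Contoso, Inc. Issuing CA` becomes `Contoso!002c Inc. Issuing CA` and can be recovered exactly, which is what lets CRL file names and registry keys be matched back to the CA.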
- SAS
See
secure attention sequence.
- SCard$DefaultReaders
A terminal reader group that contains all readers assigned to that terminal. The group is not, however, reserved
for this use alone.
- SCard$AllReaders
A smart card system-wide reader group that includes all readers introduced to the smart card resource
manager. Readers are automatically added to the group when they are introduced to the system.
- SCARD_AUTOALLOCATE
A smart card system constant that tells the smart card resource manager to allocate sufficient memory
itself, returning a pointer to the allocated buffer instead of filling in a user-supplied buffer. The returned
buffer must then eventually be freed by calling SCardFreeMemory.
- SCEP
See
Simple Certificate Enrollment Protocol.
- Schannel
A security package that provides authentication between clients and servers. Schannel implements the SSL and
TLS protocols.
- secure attention sequence
(SAS) A key sequence that begins the process of logging on or off. The default sequence is
CTRL+ALT+DEL.
- Secure Electronic Transaction
(SET) A protocol for secure electronic transactions over the Internet.
- Secure Hash Algorithm
(SHA) A hashing algorithm that generates a message digest. SHA is used with the Digital Signature Algorithm
(DSA) in the Digital Signature Standard (DSS), among other places. CryptoAPI references this algorithm by the
algorithm's identifier (CALG_SHA), name (SHA), and class (ALG_CLASS_HASH). There are four varieties of SHA:
SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 generates a 160-bit message digest. SHA-256, SHA-384, and SHA-512
generate 256-bit, 384-bit, and 512-bit message digests, respectively. SHA-1 is no longer considered collision
resistant and should not be used for new digital signatures. SHA was developed by the National Institute
of Standards and Technology (NIST) and by the National Security Agency (NSA).
- Secure Hash Standard
A standard designed by NIST and NSA. This standard defines the Secure Hash Algorithm (SHA-1) for use with
the Digital Signature Standard (DSS).
See also
Secure Hash Algorithm.
- Secure Sockets Layer protocol
(SSL) A protocol for secure network communications using a combination of public and secret key
technology. SSL has been superseded by Transport Layer Security (TLS); SSL 2.0 and 3.0 are deprecated.
- Secure/Multipurpose Internet Mail Extensions
(S/MIME) An e-mail security standard that makes use of public key encryption.
- Security Accounts Manager
(SAM) A Windows service used during the logon process. SAM maintains user account information, including
groups to which a user belongs.
- security context
The security attributes or rules that are currently in effect. For example, the current user logged on to
the computer or the personal identification number entered by the smart card user. For SSPI, a security context
is an opaque data structure that contains security data relevant to a connection, such as a session key or an
indication of the duration of the session.
- security descriptor
A structure and associated data that contains the security information for a securable object. A security
descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to
the object, and a SACL that controls the logging of attempts to access the object.
See also
absolute security descriptor,
discretionary access control list,
self-relative security descriptor,
system access control list.
- security identifier
(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account
on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an
account's SID rather than the account's user or group name.
- security package
The software implementation of a security protocol. Security packages are contained in security support
provider DLLs or security support provider/authentication package DLLs.
- security protocol
A specification that defines security-related data objects and rules about how the objects are used to
maintain security on a computer system.
- security principal
An entity recognized by the security system. Principals can include human users as well as autonomous
processes.
- security support provider
(SSP) A dynamic-link library (DLL) that implements the SSPI by making one or more security packages
available to applications. Each security package provides mappings between an application's SSPI function calls
and an actual security model's functions. Security packages support security protocols such as Kerberos
authentication and NTLM (Microsoft LAN Manager).
- Security Support Provider Interface
(SSPI) A common interface between transport-level applications, such as Microsoft Remote Procedure Call
(RPC), and security providers, such as Windows Distributed Security. SSPI allows a transport application to call
one of several security providers to obtain an authenticated connection. These calls do not require extensive
knowledge of the security protocol's details.
- self-relative security descriptor
A security descriptor that stores all its security information in a contiguous block of memory.
See also
security descriptor.
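The security descriptor, SID, SACL and self-relative security descriptor entries above describe one binary layout. The following is an added example (not Windows code) that builds a self-relative descriptor with a DACL and a SACL and parses it back, following the public SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER and SID structure definitions; the domain identifier, account RIDs, access masks and the sample object are constructed for illustration.

```python
"""Build and parse a self-relative security descriptor (added example, not
Windows code).  Layouts follow the public SECURITY_DESCRIPTOR_RELATIVE, ACL,
ACE_HEADER and SID definitions; the sample SIDs and masks are constructed."""
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG = 0x40, 0x80
FILE_ALL_ACCESS, GENERIC_READ = 0x001F01FF, 0x80000000


def build_sid(authority, *subauths):
    """SID: revision 1, sub-authority count, 48-bit big-endian identifier
    authority, then 32-bit little-endian sub-authorities."""
    return (struct.pack("<BB", 1, len(subauths)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def parse_sid(buf, off):
    """Return (string SID, byte length); rejects malformed or truncated SIDs."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID at offset %d" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs]), 8 + 4 * count


def build_ace(ace_type, flags, mask, sid):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(buf, off):
    """Return [(type, flags, mask, sid)]; every AceSize is checked against the
    ACL length so a corrupt size cannot walk the parser off the end."""
    _rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos, end = [], off + 8, off + size
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE overruns ACL")
        if ace_type in ACE_TYPES:          # access mask followed by a SID
            mask, = struct.unpack_from("<I", buf, pos + 4)
            sid, _ = parse_sid(buf, pos + 8)
            aces.append((ACE_TYPES[ace_type], flags, mask, sid))
        else:                               # object/callback ACEs: skip by size
            aces.append(("UNPARSED_TYPE_%d" % ace_type, flags, None, None))
        pos += ace_size
    return aces


def build_self_relative_sd(owner, group, dacl, sacl):
    """Pack header + owner + group + SACL + DACL into one contiguous block.
    dacl=b"" means a NULL DACL (present but empty); None means no DACL."""
    offsets, blob = {}, b""
    for name, part in (("owner", owner), ("group", group), ("sacl", sacl), ("dacl", dacl)):
        offsets[name] = 20 + len(blob) if part else 0
        blob += part or b""
    control = SE_SELF_RELATIVE
    control |= SE_DACL_PRESENT if dacl is not None else 0
    control |= SE_SACL_PRESENT if sacl is not None else 0
    header = struct.pack("<BBHIIII", 1, 0, control, offsets["owner"],
                         offsets["group"], offsets["sacl"], offsets["dacl"])
    return header + blob


def parse_self_relative_sd(buf):
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    sd = {"owner": parse_sid(buf, o_owner)[0] if o_owner else None,
          "group": parse_sid(buf, o_group)[0] if o_group else None,
          "dacl": None, "sacl": None, "null_dacl": False}
    if control & SE_DACL_PRESENT:
        # SE_DACL_PRESENT with a zero offset is a NULL DACL: no access check is
        # performed at all, so everyone gets full control.  Surface it explicitly.
        if o_dacl == 0:
            sd["null_dacl"] = True
        else:
            sd["dacl"] = parse_acl(buf, o_dacl)
    if control & SE_SACL_PRESENT and o_sacl:
        sd["sacl"] = parse_acl(buf, o_sacl)
    return sd


# Constructed sample accounts: a made-up domain identifier with the well-known
# Administrator (500) and Domain Users (513) RIDs, plus Everyone (S-1-1-0).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
ADMIN = build_sid(5, *DOMAIN, 500)
DOMAIN_USERS = build_sid(5, *DOMAIN, 513)
EVERYONE = build_sid(1, 0)


def sample_descriptor():
    """Owner Administrator, group Domain Users; the DACL grants the owner full
    control and Everyone read; the SACL audits failed access by anyone."""
    dacl = build_acl([build_ace(0, 0, FILE_ALL_ACCESS, ADMIN),
                      build_ace(0, 0, GENERIC_READ, EVERYONE)])
    sacl = build_acl([build_ace(2, FAILED_ACCESS_ACE_FLAG, FILE_ALL_ACCESS, EVERYONE)])
    return build_self_relative_sd(ADMIN, DOMAIN_USERS, dacl, sacl)
```

Two details matter in practice: the self-relative form stores offsets, not pointers, so the same bytes are valid wherever the block is copied (registry, file system, the wire), and a descriptor whose control word has SE_DACL_PRESENT set but whose DACL offset is zero is a NULL DACL, which is not "no permissions" but "no access checking", the usual cause of an object that anyone can take over.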
- serialize
The process of converting an in-memory data structure into a sequence of bytes so that it can be stored or
transmitted and later reconstructed. Encoding is part of this process.
- Serialized Certificate Store format
(SST) The Serialized Certificate Store format is the only format that preserves all certificate store
properties. It is useful in cases such as when roots have been configured with custom EKU properties, and you
want to move them to another computer.
- server
A computer that responds to commands from a client computer. The client and server work together to perform
distributed application functionality.
See also client.
- server certificate
Refers to a certificate used for server authentication, such as authenticating a Web server to a Web
browser. When a Web browser client attempts to access a secured Web server, the server sends its certificate to
the browser to allow it to verify the server's identity.
- server-gated cryptography
(SGC) An extension of
Secure Sockets Layer (SSL)
that enables organizations, such as financial institutions, that have export versions of Internet Information
Services (IIS) to use strong encryption (for example, 128-bit encryption).
- service principal name
(SPN) The name by which a client uniquely identifies an instance of a service. If you install multiple
instances of a service on computers throughout a forest, each instance must have its own SPN. A given service
instance can have multiple SPNs if there are multiple names that clients might use for authentication.
- service provider (smart card)
A smart card subsystem component that provides access to specific smart card services by means of COM
interfaces.
See also
primary service provider.
- session
An exchange of messages under the protection of a single piece of keying material. For example, SSL sessions
use a single key to send multiple messages back and forth under that key.
- session key
A relatively short-lived cryptographic key, often negotiated by a client and a server based on a shared secret. A session key's lifespan is bounded by the session to which it is associated. A session key should be strong enough to withstand cryptanalysis for the lifespan of the session. When session keys are transmitted, they are generally protected with key exchange keys (which are usually asymmetric keys) so that only the intended recipient can access them. Session keys can be derived from hash values by calling the CryptDeriveKey function.
- session-key derivation scheme
Specifies how a key is derived from a hash value. The methods used depend on the CSP type.
- SET
See
Secure Electronic Transaction.
- SHA
The CryptoAPI name for the Secure Hash Algorithm, SHA-1. Other, now obsolete, hashing algorithms include
MD2,
MD4, and
MD5.
See also
Secure Hash Algorithm.
- SHS
See Secure Hash Standard.
- SID
See security identifier.
- signature and data verification functions
Simplified message functions used to sign outgoing messages and verify the authenticity of applied
signatures in received messages and related data.
See
simplified message functions.
- signature certificate
A certificate that contains a public key that is used to verify digital signatures.
- signature file
A file that contains the signature of a particular
cryptographic service provider (CSP). The
signature file is necessary to ensure that CryptoAPI recognizes the CSP. CryptoAPI validates this signature
periodically to ensure the CSP has not been tampered with.
- signature functions
Functions used to create and verify digital signatures.
See also
simplified message functions.
- signature key pair
The public/private key pair used for authenticating (digitally signing) messages. Signature key pairs are
created by calling CryptGenKey.
See also exchange key pair.
- signature private key
The private key of a signature key pair.
See signature key pair.
- signed and enveloped data
A data content type defined by PKCS #7. This data type consists of encrypted content of any type, encrypted
content-encryption keys for one or more recipients, and doubly encrypted message hashes for one or more signers.
The double encryption consists of an encryption with a signer's private key followed by an encryption with the
content-encryption key.
- signed data
A data content type defined by PKCS #7. This data type consists of any type of content plus encrypted
message hashes (digests) of the content for zero or more signers. The resulting hashes can be used to confirm who
signed the message. These hashes also confirm that the original message has not been modified since the message
was signed.
- Simple Certificate Enrollment Protocol
(SCEP) A protocol that defines the communication between network devices and a registration authority (RA) for
certificate enrollment. Long circulated as an Internet-Draft, it was published as RFC 8894 in 2020. For more
information, see
Microsoft SCEP Implementation White Paper.
- simple key BLOB
A session key encrypted with the key-exchange public key of the destination user. This key BLOB type is used
when storing a session key or transmitting a session key to another user. A key BLOB is created by calling
CryptExportKey.
- simplified message functions
Message management functions, such as message encryption, decryption, signing, and signature verification
functions. Simplified message functions operate at a higher level than the base cryptographic functions or the
low-level message functions. Simplified message functions wrap several of the base cryptographic, low-level
message, and certificate functions into a single function that performs a specific task in a specific manner,
such as encrypting a PKCS #7 message or signing a message.
See also
low-level message functions.
- SIP
See
subject interface package.
- site certificate
Both server certificates and
certification authority (CA)
certificates are sometimes called site certificates. When referring to a server certificate, the certificate
identifies the Web server presenting the certificate. When referring to a CA certificate, the certificate
identifies the CA that issues server and/or client authentication certificates to the servers and clients that
request these certificates.
- Skipjack
An encryption algorithm specified as part of the Fortezza encryption suite. Skipjack is a symmetric cipher
with a fixed key length of 80 bits. Skipjack was created by the United States National Security Agency (NSA) and
was originally classified; the NSA declassified the algorithm in 1998, and its technical details are now public.
- smart card
An integrated circuit card (ICC) owned by an individual or a group whose information must be protected
according to specific ownership assignments. It provides its own physical access control; the smart card
subsystem does not place additional access control on the card. A smart card is a plastic card that contains an
integrated circuit that is compatible with ISO 7816.
- smart card common dialog box
A common dialog box that assists the user in selecting and locating a smart card. It works with the smart
card database management services and reader services to help the application, and, if necessary, the user, to
identify which smart card to use for a given purpose.
- smart card database
The database used by the resource manager to manage resources. It contains a list of known smart cards, the
interfaces and primary service provider of each card, and known smart card readers and reader groups.
- smart card subsystem
The subsystem used to provide a link between smart card readers and smart card–aware
applications.
- Software Publisher Certificate
(SPC) A PKCS #7 signed-data object that contains X.509 certificates.
- SPC
See
Software Publisher Certificate.
- SPN
See
service principal name.
- SSL
See
Secure Sockets Layer protocol.
- SSL3 Client Authentication algorithm
An algorithm used for client authentication in Secure Sockets Layer (SSL) version 3. In the SSL3 protocol, a
concatenation of an MD5 hash and a SHA-1 hash is signed with an RSA private key. CryptoAPI and the Microsoft Base
and Enhanced Cryptographic Providers support SSL3 with the hash type CALG_SSL3_SHAMD5.
- SSL3 protocol
Version 3 of the Secure Sockets Layer (SSL) protocol.
- SSP
See
security support provider.
- SSPI
See
Security Support Provider Interface.
- SST
See
Serialized Certificate Store format.
- state
The set of all persisted values associated with a cryptographic entity such as a key or a hash. This set can
include such things as the
initialization vector (IV) being
used, the algorithm being used, or the value of the entity already calculated.
- stream cipher
A cipher that serially encrypts data, one bit or byte at a time, rather than in fixed-size blocks.
See also block cipher.
- subauthentication package
An optional DLL that provides additional authentication functionality, usually by extending the
authentication algorithm. If a subauthentication package is installed, the authentication package will call the
subauthentication package before returning its authentication result to the Local Security Authority (LSA).
See also
Local Security Authority.
- subject interface package
(SIP) A Microsoft proprietary specification for a software layer that enables applications to create, store,
retrieve, and verify a subject signature. Subjects include, but are not limited to, portable executable images
(.exe), cabinet (.cab) images, flat files, and catalog files. Each subject type uses a different subset of its
data for hash calculation and requires a different procedure for storage and retrieval. Therefore each subject
type has a unique subject interface package specification.
- Suite B
A set of cryptographic algorithms openly declared by the U.S. National Security Agency as part of its
cryptographic modernization program. In 2015 the NSA announced the Commercial National Security Algorithm
(CNSA) Suite as its successor.
- supplemental credentials
Credentials for use in authenticating a
security principal to foreign security
domains.
See also primary credentials.
- symmetric algorithm
A cryptographic algorithm that typically uses a single key, often referred to as a session key, for
encryption and decryption. Symmetric algorithms can be divided into two categories, stream algorithms and block
algorithms (also called stream and
block ciphers).
- symmetric encryption
Encryption that uses a single key for both encryption and decryption. Symmetric encryption is preferred when
encrypting large amounts of data. Some of the more common symmetric encryption algorithms are
RC2,
RC4, and
Data Encryption Standard (DES). All three are now considered weak; the Advanced Encryption Standard (AES)
should be used for new designs.
See also
public key encryption.
- symmetric key
A secret key used with a symmetric cryptographic algorithm (that is, an algorithm that uses the same key for both encryption and decryption). Such a key needs to be known to all communicating parties.
- system access control list
(SACL) An ACL that controls the generation of audit messages for attempts to access a securable object. The
ability to get or set an object's SACL is controlled by a privilege (SE_SECURITY_NAME, "Manage auditing and
security log") typically held only by system administrators.
See also
access control list,
discretionary access control list,
privilege.
- system program interface
The set of functions provided by a
cryptographic service provider
(CSP) that implements an application's functions.