Commands related to cryptographical operations
This module is still experimental and liable to change.
This package provides procedures related to cryptographic services provided by the Windows platforms.
The Security Support Provider Interface (SSPI) is a standard interface to various security protocols that provide for security functions such as authentication, encryption and integrity. The SSPI interface allows establishment of a security context that can be used for signing and encrypting data passed between a client and a server.
On the client side, the application program starts off by retrieving the credentials to be used to authenticate itself to the server by calling sspi_new_credentials with the -outbound option. It then creates a new client security context by calling sspi_client_new_context specifying appropriate desired security characteristics. The application then exchanges messages with the server to complete the authentication.
Depending on the security protocol in use, the authentication between the client and the server may require multiple message exchanges between the client and the server. Once it obtains its security context, the client calls sspi_security_context_next passing it the security context. This command returns an indication of whether the authentication is complete, or more exchanges with the server are required. In the latter case, data returned by the command is sent to the server and the server response is passed back to the command. This sequence is repeated until the command indicates the authentication is complete or generates a Tcl exception indicating authentication failure. The security context generated in this manner can then be used to sign and encrypt messages between the client and the server.
On the server side, the application program starts off by retrieving its own credentials by calling sspi_new_credentials with the -inbound. It then creates a new server security context by calling sspi_server_new_context passing it the authentication data sent by the client. The server then enters the authentication loop described below. From this point on, the server follows the authentication loop calling sspi_security_context_next in the same manner as described above for the client.
Once a security context is established, either on the client or the server, its characteristics, including the negotiated parameters, security principal name etc. can be retrieved through commands sspi_get_security_context_flags, sspi_get_security_context_username and sspi_get_security_context_sizes.
When no longer required, both the server and client ends should free resources associated with their credentials by calling sspi_free_credentials. Similarly, the security context should be released when no longer needed by calling sspi_close_security_context.
Once a security context has been completely created as above, it can then be used to generate and verify messages signatures using sspi_generate_signature and sspi_verify_signature respectively.
Similarly, the security context can be used to encrypt and decrypt messages using sspi_encrypt and sspi_decrypt.
-confidentiality BOOL | If specified as true, messages are to be encrypted. |
-connection BOOL | If specified as true, the security context will not handle formatting of messages. |
-datarep DATAREP | Specifies the data representation on the target. DATAREP must be either network (default) or native. |
-delegate BOOL | If specified as true, the server can use the context to other servers as the client. Requires -mutualauth to also be specified as true. |
-extendederror BOOL | When true, the remote end is notified of errors. |
-integrity BOOL | If specified as true, messages are to be signed. |
-mutualauth BOOL | If specified as true, both the client and server are to be authenticated. |
-replaydetect BOOL | If specified as true, detection of replayed messages is desired. |
-sequencedetect BOOL | If specified as true, detection of out-of-sequence messages is desired. |
-stream BOOL | If specified as true, indicates a stream oriented connection. |
-target TARGET | Specifies the target of the security context. The format depends on the security service provider. |
-usesessionkey BOOL | If specified as true, a new session key must be negotiated. |
-confidentiality | If true, encryption is supported. |
-connection | If true, the security context will not handle formatting of messages. |
-delegate | If true, the server can use the context to other servers as the client. |
-extendederror | If true, the remote end is notified of errors. |
-integrity | If true, messages signing is supported. |
-mutualauth | If true, both the client and server are authenticated. |
-replaydetect | If true, detection of replayed messages is enabled. |
-sequencedetect | If true, detection of out-of-sequence messages is enabled. |
-stream | If true, indicates a stream oriented connection. |
-maxtoken | Maximum size of token used in the authentication exchange. |
-maxsig | Maximum size of signature. |
-blocksize | Messages should preferably be a multiple of this value. |
-trailersize | Size of security trailer to be appended to messages. |
-domain DOMAIN | Specifies the domain to which the user account belongs. Not all security providers support this. By default, the user account for the current process is used. |
-getexpiration | If specified, the expiration time for the returned credentials is also returned. See description of command return value above. |
-package SECURITYPACKAGE | Specifies the security package with which the credentials are to be used. By default, this is NTLM. The list of available security packages on a system can be obtained through sspi_enumerate_packages. |
-password PASSWORD | Specifies the password for retrieving credentials to the user account specified by the -user option. |
-principal.arg PRINCIPAL | Specifies the name of the principal whose credentials are to be referenced. By default, this is the user account under which the process is running. |
-usage DIRECTION | Indicates how the credentials will be used, based on DIRECTION - inbound, outbound or both (default). |
-user USERNAME | Specifies the name of the user account. Not all security providers support this. By default, the user account for the current process is used. |
-confidentiality BOOL | If specified as true, messages are to be encrypted. |
-connection BOOL | If specified as true, the security context will not handle formatting of messages. |
-datarep DATAREP | Specifies the data representation on the target. DATAREP must be either network (default) or native. |
-delegate BOOL | If specified as true, the server can use the context to other servers as the client. Requires -mutualauth to also be specified as true. |
-extendederror BOOL | When true, the remote end is notified of errors. |
-integrity BOOL | If specified as true, messages are to be signed. |
-mutualauth BOOL | If specified as true, both the client and server are to be authenticated. |
-replaydetect BOOL | If specified as true, detection of replayed messages is desired. |
-sequencedetect BOOL | If specified as true, detection of out-of-sequence messages is desired. |
-stream BOOL | If specified as true, indicates a stream oriented connection. |
Copyright © 2007 Ashok P. Nadkarni