New Authentication Functionality in Windows Vista

  • Article

 

GINAs Replaced with New Credential Providers

In previous releases, the customization of interactive user logon was done by creating a custom GINA. Despite the name, GINAs were responsible for more than simply gathering authentication information and rendering the UI to collect it. Because of this, custom GINAs were complex to create and usually required Microsoft® Product Support Services (PSS) support for successful implementation. Often, using a custom GINA resulted in unintended side effects such as preventing fast user switching (FUS) and smartcard login. In Windows Vista GINAs are replaced with a new modular Credential Provider model that is easier to program to.

 

New Credential Security Service Provider, CredSSP

Credential Security Service Provider (CredSSP) is a new security service provider available via the Security Support Provider Interface (SSPI) in Windows. CredSSP enables an application to delegate the user’s credentials from the client (by using the client-side SSP) to the target server (via the server-side SSP). CredSSP is used by Terminal Services to provide SSO.

Stored User Names and Passwords Backup and Restore Wizard

Stored User Names and Passwords in Windows Vista includes a Backup and Restore Wizard, which allows users to back up user names and passwords they have requested Windows to remember for them. This new functionality allows users to restore the user names and passwords on any Windows Vista system. Restoring user names and passwords from a backup file will replace any existing saved user names and passwords the user has on the system.

 

SSL/TLS Enhancements

Microsoft has added new SSL and TLS extensions, which enable the support of both AES and new ECC cipher suites. The support for AES—not available in Microsoft Windows 2000 or Windows Server 2003—is important as AES has become a National Institute of Standards and Technology (NIST) standard. In order to ease the process of bulk encryption, several cipher suites have been added that support AES.

 

Schannel ECC Cipher Suite Support

Elliptical curve cryptography, known as ECC is an encryption technique that uses a public key. ECC is based on elliptic curve theory and is used to create more efficient and smaller cryptographic keys. ECC differs from other forms that use the product of very large prime numbers to create keys; ECC instead makes use of an elliptic curve equation to create keys.

In Windows Vista, the Schannel SSP includes new cipher suites that support ECC cryptography. Now, ECC cipher suites can be negotiated as part of the standard TLS handshake.

               

Schannel Crypto Agility

Windows Vista offers an Open Cryptographic Interface (OCI) and crypto agile capabilities for Schannel. By providing crypto agnostic capability, Microsoft enables government organizations to substitute a higher level of functionality, including advanced combinations of cipher suites. Organizations can now create new cipher suites and then plug them into Schannel.

 

Kerberos support for AES

This Windows Vista security enhancement will enable the use of AES encryption with Kerberos. This enhancement includes the following changes from Windows XP:

• AES support for the base Kerberos protocol: The base Kerberos protocol in Windows Vista will support AES for encryption of TGTs, Service tickets, and session keys.

• AES support for Generic Security Services (GSS)-Kerberos mechanism: In addition to enabling AES for the base protocol, GSS messages—which make up client/server communications in Windows Vista are protected with AES.

               

Authentication Support for Branch Domain Controllers

Windows Server code name “Longhorn” includes new authentication feature changes to support the branch office DC feature in Longhorn.

               

Flexible Smartcard Authentication Support

Although Microsoft Windows Server 2003 included support for smartcards as well, the types of certificates that smartcards could contain were limited by strict requirements. First of all, each certificate needed to have a user principal name (UPN) it was associated with and needed to contain the smartcard logon OID in the extended key usage (EKU) field. In addition, each certificate required that signing was used in conjunction with encryption.

To better support smartcard deployments, Microsoft has made changes to the Windows operating system to enable support for a range of certificates. Now, customers can deploy smartcards with certificates that are not limited by the previous requirements.

                               

Last Login Time

This feature displays the time of the last successful interactive logon, and the number of failed logon attempts since the last successful logon, during a successful interactive logon. This will enable a user to determine if the account was used without his or her knowledge.

 

- The Windows Authentication Team