S (Security Glossary)



See Secure/Multipurpose Internet Mail Extensions.


See system access control list.

salt value

Random data that is sometimes included as part of a session key. When added to a session key, the plaintext salt data is placed in front of the encrypted key data. Salt values are added to increase the work required to mount a brute-force (dictionary) attack against data encrypted with a symmetric-key cipher. Salt values are generated by calling CryptGenRandom.


See Security Accounts Manager.

sanitized name

The form of a certification authority (CA) name that is used in file names (such as for a certificate revocation list) and in registry keys. The process of sanitizing the CA name is necessary to remove characters that are illegal for file names, registry key names, or Distinguished Name values, or that are illegal for technology-specific reasons. In Certificate Services, the sanitization process converts any illegal character in the common name of the CA to a 5-character representation in the format **!**xxxx, where ! is used as an escape character and xxxx represents four hexadecimal integers that uniquely identify the character being converted.


See secure attention sequence.


A terminal reader group that contains all readers assigned to that terminal, however, it is not reserved for this specific use.


A smart card system-wide reader group that includes all readers introduced to the smart card resource manager. Readers are automatically added to the group when they are introduced to the system.


A smart card system constant that tells the smart card resource manager to allocate sufficient memory itself, returning a pointer to the allocated buffer instead of filling in a user-supplied buffer. The returned buffer must then eventually be freed by calling SCardFreeMemory.


See Simple Certificate Enrollment Protocol


A security package that provides authentication between clients and servers.

secure attention sequence

(SAS) A key sequence that begins the process of logging on or off. The default sequence is CTRL+ALT+DEL.

Secure Electronic Transaction

(SET) A protocol for secure electronic transactions over the Internet.

Secure Hash Algorithm

(SHA) A hashing algorithm that generates a message digest. SHA is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), among other places. CryptoAPI references this algorithm by the algorithm's identifier (CALG_SHA), name (SHA), and class (ALG_CLASS_HASH). There are four varieties of SHA: SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 generates a 160-bit message digest. SHA-256, SHA-384, and SHA-512 generate 256-bit, 384-bit, and 512-bit message digests, respectively. SHA was developed by the National Institute of Standards and Technology (NIST) and by the National Security Agency (NSA).

Secure Hash Standard

A standard designed by NIST and NSA. This standard defines the Secure Hash Algorithm (SHA-1) for use with the Digital Signature Standard (DSS).

See also Secure Hash Algorithm.

Secure Sockets Layer protocol

(SSL) A protocol for secure network communications using a combination of public and secret key technology.

Secure/Multipurpose Internet Mail Extensions

(S/MIME) An email security standard that makes use of public key encryption.

Security Accounts Manager

(SAM) A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs.

security context

The security attributes or rules that are currently in effect. For example, the current user logged on to the computer or the personal identification number entered by the smart card user. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session.

security descriptor

A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

See also absolute security descriptor, discretionary access control list, self-relative security descriptor, system access control list.

security identifier

(SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.

security package

The software implementation of a security protocol. Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.

security protocol

A specification that defines security-related data objects and rules about how the objects are used to maintain security on a computer system.

security principal

An entity recognized by the security system. Principals can include human users as well as autonomous processes.

security support provider

(SSP) A dynamic-link library (DLL) that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and the Microsoft LAN Manager.

Security Support Provider Interface

(SSPI) A common interface between transport-level applications, such as Microsoft Remote Procedure Call (RPC), and security providers, such as Windows Distributed Security. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details.

self-relative security descriptor

A security descriptor that stores all its security information in a contiguous block of memory.

See also security descriptor.


The process of converting data into a string of ones and zeros so that it can be transmitted serially. Encoding is part of this process.

Serialized Certificate Store format

(SST) The Serialized Certificate Store format is the only format that preserves all certificate store properties. It is useful in cases such as when roots have been configured with custom EKU properties, and you want to move them to another computer.


A computer that responds to commands from a client computer. The client and server work together to perform distributive application functionality.

See also client.

server certificate

Refers to a certificate used for server authentication, such as authenticating a web server to a web browser. When a web browser client attempts to access a secured web server, the server sends its certificate to the browser to allow it to verify the server's identity.

server-gated cryptography

(SGC) An extension of Secure Sockets Layer (SSL) that enables organizations, such as financial institutions, that have export versions of Internet Information Services (IIS) to use strong encryption (for example, 128-bit encryption).

service principal name

(SPN) The name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication

service provider (smart card)

A smart card subsystem component that provides access to specific smart card services by means of COM interfaces.

See also primary service provider.


An exchange of messages under the protection of a single piece of keying material. For example, SSL sessions use a single key to send multiple messages back and forth under that key.

session key

A relatively short-lived cryptographic key, often negotiated by a client and a server based on a shared secret. A session key's lifespan is bounded by the session to which it is associated. A session key should be strong enough to withstand cryptanalysis for the lifespan of the session. When session keys are transmitted, they are generally protected with key exchange keys (which are usually asymmetric keys) so that only the intended recipient can access them. Session keys can be derived from hash values by calling the CryptDeriveKey function.

session-key derivation scheme

Specifies when a key is derived from a hash. Methods used depend on the CSP type.


See Secure Electronic Transaction.


The CryptoAPI name for the Secure Hash Algorithm, SHA-1. Other hashing algorithms include MD2, MD4, and MD5.

See also Secure Hash Algorithm.


See Secure Hash Standard.


See security identifier.

signature and data verification functions

Simplified message functions used to sign outgoing messages and verify the authenticity of applied signatures in received messages and related data.

See simplified message functions.

signature certificate

A certificate that contains a public key that is used to verify digital signatures.

signature file

A file that contains the signature of a particular cryptographic service provider (CSP). The signature file is necessary to ensure that CryptoAPI recognizes the CSP. CryptoAPI validates this signature periodically to ensure the CSP has not been tampered with.

signature functions

Functions used to create and verify digital signatures.

See also simplified message functions.

signature key pair

The public/private key pair used for authenticating (digitally signing) messages. Signature key pairs are created by calling CryptGenKey.

See also exchange key pair.

signature private key

The private key of a signature key pair.

See signature key pair.

signed and enveloped data

A data content type defined by PKCS #7. This data type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message hashes for one or more signers. The double encryption consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.

signed data

A data content type defined by PKCS #7. This data type consists of any type of content plus encrypted message hashes (digests) of the content for zero or more signers. The resulting hashes can be used to confirm who signed the message. These hashes also confirm that the original message has not been modified since the message was signed.

Simple Certificate Enrollment Protocol

(SCEP) An acronym that stands for Simple Certificate Enrollment Protocol. The protocol is currently a draft Internet standard which defines the communication between network devices and a registration authority (RA) for certificate enrollment. For more information, see Microsoft SCEP Implementation White Paper.

simple key BLOB

A session key encrypted with the key-exchange public key of the destination user. This key BLOB type is used when storing a session key or transmitting a session key to another user. A key BLOB is created by calling CryptExportKey.

simplified message functions

Message management functions, such as message encryption, decryption, signing, and signature verification functions. Simplified message functions operate at a higher level than the base cryptographic functions or the low-level message functions. Simplified message functions wrap several of the base cryptographic, low-level message, and certificate functions into a single function that performs a specific task in a specific manner, such as encrypting a PKCS #7 message or signing a message.

See also low-level message functions.

single sign on

(SSO) The ability to link a Microsoft account (such as an Microsoft Outlook.com account) with a local account so that one logon allows the user to use other applications that support signing in with their Microsoft account.


See subject interface package.

site certificate

Both server certificates and certification authority (CA) certificates are sometimes called site certificates. When referring to a server certificate, the certificate identifies the web server presenting the certificate. When referring to a CA certificate, the certificate identifies the CA that issues server and/or client authentication certificates to the servers and clients that request these certificates.


An encryption algorithm specified as part of the Fortezza encryption suite. Skipjack is a symmetric cipher with a fixed key length of 80 bits. Skipjack is a classified algorithm created by the United States National Security Agency (NSA). The technical details of the Skipjack algorithm are secret.

smart card

An integrated circuit card (ICC) owned by an individual or a group whose information must be protected according to specific ownership assignments. It provides its own physical access control; without the smart card subsystem placing additional access control on the smart card. A smart card is a plastic card that contains an integrated circuit that is compatible with ISO 7816.

smart card common dialog box

A common dialog box that assists the user in selecting and locating a smart card. It works with the smart card database management services and reader services to help the application, and, if necessary, the user, to identify which smart card to use for a given purpose.

smart card database

The database used by the resource manager to manage resources. It contains a list of known smart cards, the interfaces and primary service provider of each card, and known smart card readers and reader groups.

smart card subsystem

The subsystem used to provide a link between smart card readers and smart card–aware applications.

Software Publisher Certificate

(SPC) A PKCS #7 signed-data object that contains X.509 certificates.


See Software Publisher Certificate.


See service principal name.


See Secure Sockets Layer protocol.

SSL3 Client Authentication algorithm

An algorithm used for client authentication in Secure Sockets Layer (SSL) version 3. In the SSL3 protocol, a concatenation of an MD5 hash and a SHA-1 hash is signed with an RSA private key. CryptoAPI and the Microsoft Base and Enhanced Cryptographic Providers support SSL3 with the hash type CALG_SSL3_SHAMD5.

SSL3 protocol

Version 3 of the Secure Sockets Layer (SSL) protocol.


See single sign on.


See security support provider.


See Security Support Provider Interface.


See Serialized Certificate Store format.


The set of all persisted values associated with a cryptographic entity such as a key or a hash. This set can include such things as the initialization vector (IV) being used, the algorithm being used, or the value of the entity already calculated.

stream cipher

A cipher that serially encrypts data, one bit at a time.

See also block cipher.

subauthentication package

An optional DLL that provides additional authentication functionality, usually by extending the authentication algorithm. If a subauthentication package is installed, the authentication package will call the subauthentication package before returning its authentication result to the Local Security Authority (LSA).

See also Local Security Authority.

subject interface package

(SIP) A Microsoft proprietary specification for a software layer that enables applications to create, store, retrieve, and verify a subject signature. Subjects include, but are not limited to, portable executable images (.exe), cabinet (.cab) images, flat files, and catalog files. Each subject type uses a different subset of its data for hash calculation and requires a different procedure for storage and retrieval. Therefore each subject type has a unique subject interface package specification.

Suite B

A set of cryptographic algorithms openly declared by the U.S. National Security Agency as part of its cryptographic modernization program.

supplemental credentials

Credentials for use in authenticating a security principal to foreign security domains.

See also primary credentials.

symmetric algorithm

A cryptographic algorithm that typically uses a single key, often referred to as a session key, for encryption and decryption. Symmetric algorithms can be divided into two categories, stream algorithms and block algorithms (also called stream and block ciphers).

symmetric encryption

Encryption that uses a single key for both encryption and decryption. Symmetric encryption is preferred when encrypting large amounts of data. Some of the more common symmetric encryption algorithms are RC2, RC4, and Data Encryption Standard (DES).

See also public key encryption.

symmetric key

A secret key used with a symmetric cryptographic algorithm (that is, an algorithm that uses the same key for both encryption and decryption). Such a key needs to be known to all communicating parties.

system access control list

(SACL) An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

See also access control list, discretionary access control list, privilege.

system program interface

The set of functions provided by a cryptographic service provider (CSP) that implements an application's functions.