Protecting Messages Using Microsoft Digest

HTTP and SASL

As a means of detecting certain types of security violations, the client and server use the Security Support Provider Interface (SSPI) message integrity functions MakeSignature and VerifySignature to protect messages.

A client calls the MakeSignature function to sign a message using its security context. The server uses the VerifySignature function to verify the message's origin. In addition to verifying the signature that accompanies the message, the VerifySignature function also checks that the nonce count (specified by the nc directive) is one greater than the last count sent for the nonce. If this is not the case, the VerifySignature function returns an SEC_OUT_OF_SEQUENCE error code.
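The nonce-count rule above, written out as an added example that is not code from the Digest SSP or from Microsoft: a server-side table remembers the last nc accepted for each nonce it issued, and a request is accepted only when its nc is exactly one greater. The nonce table, the directive parser and the status values are constructed for this illustration and are not the SSPI SECURITY_STATUS constants.

```c
#include <string.h>

/* Constructed status codes for this example (not SSPI values). */
enum nc_status { NC_OK = 0, NC_OUT_OF_SEQUENCE, NC_UNKNOWN_NONCE, NC_BAD_FORMAT };

#define MAX_NONCES 8
struct nonce_state { char nonce[64]; unsigned long last_nc; };
static struct nonce_state table[MAX_NONCES];
static int table_len = 0;

/* Server records a nonce it issued; last_nc starts at 0, so the first request must carry nc=1. */
int server_issue_nonce(const char *nonce) {
    if (table_len >= MAX_NONCES || strlen(nonce) >= sizeof table[0].nonce) return 0;
    strcpy(table[table_len].nonce, nonce);
    table[table_len].last_nc = 0;
    table_len++;
    return 1;
}

/* Extract the nc directive: exactly eight hex digits, optionally quoted. Returns 1 on success. */
static int parse_nc(const char *directives, unsigned long *out) {
    const char *p = strstr(directives, "nc=");
    unsigned long v = 0;
    if (!p) return 0;
    p += 3;
    if (*p == '"') p++;
    for (int i = 0; i < 8; i++) {
        int c = p[i], d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = v * 16 + d;
    }
    *out = v;
    return 1;
}

/* The check VerifySignature is described as performing: nc must equal last accepted count + 1.
 * A replayed message (same nc) and a skipped count are both rejected as out of sequence. */
int verify_nonce_count(const char *nonce, const char *directives) {
    unsigned long nc;
    if (!parse_nc(directives, &nc)) return NC_BAD_FORMAT;
    for (int i = 0; i < table_len; i++) {
        if (strcmp(table[i].nonce, nonce) == 0) {
            if (nc != table[i].last_nc + 1) return NC_OUT_OF_SEQUENCE;
            table[i].last_nc = nc;  /* advance only on success */
            return NC_OK;
        }
    }
    return NC_UNKNOWN_NONCE;
}
```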

SASL Only

The EncryptMessage (General) and DecryptMessage (General) functions supply confidentiality for post-authentication messages exchanged between client and server.

In order to use the message confidentiality functions, the server and client must have established a security context with the following attributes:

  • Quality of protection, specified by the qop directive, must be "auth-conf".
  • An encryption mechanism must have been specified by means of the cipher directive.