Guided path: Authentication path
Step 5 of 6
CNG, Schannel & crypto plumbing
How Windows centralizes algorithms, keys, and TLS for services and applications.
Why it matters
LSASS, IIS and HTTP.sys, RDP, LDAPS on domain controllers, WinHTTP/WinINet-based clients and the built-in VPN clients all depend on CNG/BCrypt and Schannel rather than shipping their own crypto. That centralization is why one registry or Group Policy setting under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL (protocol versions, cipher suites, FIPS mode) changes TLS behaviour for every one of them at once, and why a weakness in the shared stack has system-wide blast radius.
Mental model
CNG has two halves: BCrypt (bcrypt.dll) exposes algorithm providers for hashing, symmetric and asymmetric ciphers, signatures and the system RNG, while NCrypt (ncrypt.dll) exposes key storage providers (KSPs) that own private keys on the application's behalf. Schannel is a Security Support Provider loaded through the same SSPI interface as Kerberos and NTLM; a service that already calls AcquireCredentialsHandle and InitializeSecurityContext/AcceptSecurityContext gets TLS by naming the Schannel package instead of a Kerberos one.
How it works
1. Applications call CNG/BCrypt APIs for hashing, signing, and encryption, and NCrypt APIs to open or create keys by name in a KSP.
2. Keys live wherever the chosen KSP keeps them: the Microsoft Software Key Storage Provider stores DPAPI-protected key files in the user or machine profile, the Microsoft Platform Crypto Provider seals them in the TPM so they are never exportable, and the Smart Card Key Storage Provider delegates to a card. The export policy is enforced by the provider, not by the caller.
3. Schannel implements SSL/TLS for components that use the SSPI model: the caller obtains a credential handle over a certificate in the Windows store, then drives the handshake and the record layer through the generic SSPI calls, while chain building and trust decisions come from the system certificate stores.
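The three steps above, as an added example that is not part of the original page: a PowerShell script creates a non-exportable RSA signing key in a CNG key storage provider through .NET's CngKey wrapper, signs and verifies a constructed message, and shows that the export refusal comes from the KSP itself. The key name and the sample message are hypothetical; the function defaults to the software KSP and accepts the TPM-backed provider name on machines that have one.

```powershell
# Added example (not the page's own code). Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows; CngKey/RSACng are thin wrappers over NCrypt/BCrypt.
using namespace System.Security.Cryptography

function New-CngSigningDemo {
    param(
        # Hypothetical default; pass 'Microsoft Platform Crypto Provider' to seal the key in the TPM.
        [string]$ProviderName = 'Microsoft Software Key Storage Provider',
        [int]$KeyLength = 2048
    )
    $keyName  = 'CngDemo-' + [guid]::NewGuid().ToString('N')   # hypothetical name, deleted at the end
    $provider = [CngProvider]::new($ProviderName)

    $params = [CngKeyCreationParameters]::new()
    $params.Provider     = $provider
    $params.KeyUsage     = [CngKeyUsages]::Signing
    $params.ExportPolicy = [CngExportPolicies]::None      # NCRYPT_EXPORT_POLICY: private half never leaves the KSP
    # NCRYPT_LENGTH_PROPERTY ("Length") is a DWORD passed as 4 little-endian bytes
    $lengthBytes = [BitConverter]::GetBytes([int]$KeyLength)
    $params.Parameters.Add([CngProperty]::new('Length', $lengthBytes, [CngPropertyOptions]::None))

    $key = [CngKey]::Create([CngAlgorithm]::Rsa, $keyName, $params)
    $rsa = $null
    try {
        $rsa  = [RSACng]::new($key)
        $data = [Text.Encoding]::UTF8.GetBytes('constructed sample message')   # constructed input
        $hash = [HashAlgorithmName]::SHA256
        $pad  = [RSASignaturePadding]::Pkcs1
        $sig  = $rsa.SignData($data, $hash, $pad)
        $ok   = $rsa.VerifyData($data, $sig, $hash, $pad)

        # The provider, not .NET, rejects the export because of the policy set at creation.
        $exportResult = 'allowed (unexpected)'
        try   { [void]$key.Export([CngKeyBlobFormat]::GenericPrivateBlob) }
        catch { $exportResult = 'refused: ' + $_.Exception.GetBaseException().Message }

        # Software KSP keys have an on-disk blob name; TPM-sealed keys may not expose one.
        $uniqueName = $null
        try { $uniqueName = $key.UniqueName } catch { }

        [pscustomobject]@{
            Provider       = $key.Provider.Provider
            UniqueName     = $uniqueName
            ExportPolicy   = $key.ExportPolicy
            SignatureValid = $ok
            PrivateExport  = $exportResult
        }
    }
    finally {
        if ($rsa) { $rsa.Dispose() }
        $key.Delete()        # removes the key from the KSP and releases the handle
    }
}

New-CngSigningDemo | Format-List
```

On the software KSP the UniqueName is the file under the user's or machine's Microsoft\Crypto\Keys directory that DPAPI protects; with the Platform Crypto Provider the same script produces a key that no process, including one running as SYSTEM, can extract, which is the property certificate templates rely on when they require a TPM-backed key.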
Key terms
- CNG: Cryptography Next Generation, the modern Windows crypto API set; BCrypt for algorithm primitives, NCrypt for named keys held by key storage providers (software, TPM, smart card).
- Schannel: the Security Support Provider (schannel.dll) that implements SSL/TLS behind the SSPI interface for Windows components, using certificates and trust anchors from the system certificate stores.
TLS to a domain controller
LDAPS on TCP 636 and StartTLS on 389 are terminated by Schannel on the domain controller, using a certificate from the DC's machine store and validated by the client against the system trust stores. The inner authentication (Kerberos or NTLM, carried over SASL) does not go through Schannel, but channel binding tokens tie that inner authentication to the outer TLS session, so an LDAP authentication captured on one connection cannot be relayed across a different TLS channel. The DC-side enforcement level is the LdapEnforceChannelBinding value (0 never, 1 when supported, 2 always) under the NTDS service parameters, alongside LDAPServerIntegrity for signing.
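To see both halves of that description from the console, the following added example (not from the original page) opens an LDAPS session through .NET's SslStream, which on Windows sits directly on Schannel and the machine/user trust stores, reports what Schannel negotiated, and reads the DC-side channel binding and signing policy from the registry. The server name is a hypothetical parameter; the registry function must run on the domain controller itself.

```powershell
# Added example (not the page's own code). Run on Windows; the second function
# reads registry values that only exist on a domain controller.

function Test-LdapsHandshake {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)   # $Server is hypothetical
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    # No validation callback is supplied, so Schannel builds and validates the chain
    # against the system stores exactly as LSASS or IIS would; an untrusted issuer
    # or a name mismatch surfaces as an AuthenticationException here.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol       # whatever the Schannel protocol policy allowed
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Get-LdapChannelBindingPolicy {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $ntds -ErrorAction Stop
    # Absent values mean the OS default: no CBT enforcement, signing not required.
    $cbt = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    $sig = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { 1 }
    $cbtNames = @{ 0 = 'Never'; 1 = 'WhenSupported'; 2 = 'Always' }
    $sigNames = @{ 1 = 'None'; 2 = 'Required' }
    [pscustomobject]@{
        ChannelBinding = $cbtNames[$cbt]
        LdapSigning    = $sigNames[$sig]
    }
}

# Usage (hypothetical DC name):
# Test-LdapsHandshake -Server dc01.corp.example | Format-List
# Get-LdapChannelBindingPolicy
```

When the handshake fails, the client side of the story is in the System event log under the Schannel source (event 36887 for a fatal alert received from the peer, 36888 for one Schannel generated locally), which is usually faster than packet capture for telling a protocol-policy mismatch from a trust failure.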
Common misconception
A TLS library bundled with an application (OpenSSL, BoringSSL in Chromium-based browsers, NSS in Firefox, the Java JSSE stack) is entirely separate from Schannel: Schannel hardening through the registry or Group Policy does not reach it, its own defaults do not affect Windows services, and it may carry its own root store rather than consulting the Windows certificate store. Most Windows services and anything built on SSPI, WinHTTP or WinINet use the built-in stack, so auditing "TLS on this host" means auditing both.
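A practical way to tell the two cases apart, as an added example that is not part of the original page: list the crypto modules loaded in a process (schannel.dll, ncrypt.dll and bcrypt.dll mean the Windows stack; libssl/libcrypto/nss3 and similar mean a bundled one) and dump the system-wide Schannel protocol policy that only the former obeys. The module-name patterns are a heuristic chosen here, not an exhaustive list, and the process name is a hypothetical parameter.

```powershell
# Added example (not the page's own code). Run from a PowerShell whose bitness
# matches the target process, elevated if the process belongs to another user.

function Get-ProcessTlsStack {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'lsass', 'w3wp', 'chrome' (hypothetical)
    foreach ($proc in Get-Process -Name $Name -ErrorAction Stop) {
        # Module enumeration is denied for protected processes (PPL) and other users' processes.
        $mods = @()
        try { $mods = @($proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() }) } catch { }
        $bundled = @($mods | Where-Object { $_ -match '^(libssl|libcrypto|ssleay|libeay|nss3|boringssl|mbedtls|wolfssl)' })
        [pscustomobject]@{
            Process     = "$($proc.ProcessName) ($($proc.Id))"
            Readable    = ($mods.Count -gt 0)
            Schannel    = ($mods -contains 'schannel.dll')                      # Schannel SSP mapped in-process
            CNG         = [bool]($mods | Where-Object { $_ -in 'bcrypt.dll', 'ncrypt.dll' })
            BundledTls  = ($bundled -join ',')
        }
    }
}

function Get-SchannelProtocolPolicy {
    # Explicit per-protocol switches; if a key is absent the OS default for that version applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    if (-not (Test-Path $base)) { return }
    foreach ($proto in Get-ChildItem -Path $base) {
        foreach ($side in 'Client', 'Server') {
            $k = Join-Path -Path $proto.PSPath -ChildPath $side
            if (Test-Path $k) {
                $v = Get-ItemProperty -Path $k
                [pscustomobject]@{
                    Protocol          = $proto.PSChildName   # e.g. 'TLS 1.0', 'TLS 1.2'
                    Side              = $side
                    Enabled           = $v.Enabled            # DWORD 0 disables, 1 (or absent) allows
                    DisabledByDefault = $v.DisabledByDefault  # 1 means not offered unless an app opts in
                }
            }
        }
    }
}

# Usage (hypothetical process names):
# Get-ProcessTlsStack -Name lsass, w3wp
# Get-SchannelProtocolPolicy | Format-Table
```

A process that shows schannel.dll loaded inherits every row of the protocol table; one that shows only a bundled library (and, by the same heuristic, no schannel.dll) needs its own configuration and its own root-store review, whatever the registry says.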
You should read next
- Access tokens: SIDs, privileges, impersonation, and the identity payload every process carries.
- Kerberos, NTLM, and authentication packages (next step in this guided path): How Windows chooses and uses protocol packages to validate identities.
- LSASS, SAM, and local security policy: The protected security process and data stores behind local accounts and policy decisions.
Related topics
- TCP/IP stack: The core protocol machinery behind Windows network communication.