January 1999

Public Key Infrastructure in Windows 2000

Implement powerful and flexible security

The explosive growth of the Internet, e-commerce, and data communications challenges fundamental network security technologies. When companies don't have an adequate security infrastructure, intruders can enter corporate networks and steal or tamper with sensitive business information. To protect your business, you must apply cryptographic technologies in your network. Public key cryptography, digital certificates, Certificate Authorities (CAs), and security policies pertaining to public keys are known collectively as public key infrastructure (PKI). Microsoft has built a comprehensive PKI into Windows NT 4.0 and Windows 2000 (Win2K, formerly NT 5.0) that can compete with third-party solutions in the Windows environment. In particular, PKI in Win2K lets you establish and customize a comprehensive PKI for your enterprise. In this article, I'll take you on a tour of most of the components that make up Microsoft's PKI. Although I will point out PKI components in NT 4.0, I'll focus my discussion on PKI in NT 5.0.

PKI Basics
Public key cryptography uses two keys--a public key to encrypt information and a private key to decrypt information--to provide a high level of security in private intranets and the public Internet. Users keep their private key private--for example, by storing it in their local computer. Users publish their public key to the public--for example, by listing their public key in their company's directory. You use a person's public key to encrypt a message to that person or to verify that person's digital signature. You use your private key to decrypt messages others send to you via your public key. CAs certify public keys with digital certificates, and they manage complicated key and certificate transactions (e.g., provide key backup and recovery; certificate storage; and key publishing, retrieval, renewal, and revocation). To learn more about CAs, the services they provide, and digital certificates, see "You Can Be a Web Certification Authority," October 1997.

Although digital certificates provide the means to validate public keys, companies still need to define policies governing how to use certificates and public keys. For example, if a company uses public key encryption to exchange secure email messages with its business partners, the company needs to define whether its users must encrypt messages, digitally sign messages, or do both. The company also needs to define how to establish trust relationships between its CA and its partners' CAs. Microsoft's PKI gives your company the means to define and implement effective certificate and public key policy, and it lets you establish a variety of trust relationships between CAs.
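As an added teaching example (not code from this article, and not Microsoft's CryptoAPI), the following Python ties the two sections above together: textbook RSA for the encrypt/decrypt and sign/verify operations, a toy certificate in which a CA signs a subject's public key, and a chain check that models the trust relationship between a company's CA and a business partner's CA (the partner CA is cross-certified by our CA). The key pairs are built from fixed Mersenne primes so every run is deterministic, there is no padding, and the party names, the JSON certificate layout and the messages are constructed for the example.

```python
"""Toy PKI walk-through: textbook RSA, a CA-signed certificate and a trust chain.

Constructed teaching example (added for this article, not CryptoAPI or any
real X.509 format): no padding, small fixed primes, JSON certificates.
"""
import hashlib
import json

# Exponents of Mersenne primes; fixed so every run is deterministic.
# A real key pair uses random primes of 1024 bits or more.
MERSENNE_PAIRS = [(61, 31), (89, 19), (107, 17), (127, 13)]


def make_keypair(pair_index, e=65537):
    """Return (public_key, private_key) as {'n','e'} and {'n','d'}."""
    a, b = MERSENNE_PAIRS[pair_index]
    p, q = 2 ** a - 1, 2 ** b - 1
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def encrypt(public_key, plaintext):
    """Anyone with the public key can encrypt; only the private key decrypts."""
    m = int.from_bytes(plaintext, "big")
    if m >= public_key["n"]:
        raise ValueError("plaintext too long for this toy modulus")
    return pow(m, public_key["e"], public_key["n"])


def decrypt(private_key, ciphertext):
    m = pow(ciphertext, private_key["d"], private_key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data, n):
    """Hash first, then reduce the hash into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    return pow(_digest(data, private_key["n"]), private_key["d"], private_key["n"])


def verify(public_key, data, signature):
    return pow(signature, public_key["e"], public_key["n"]) == _digest(data, public_key["n"])


def _tbs(subject, key, issuer):
    """Canonical 'to be signed' bytes of a certificate body (JSON stands in for ASN.1)."""
    return json.dumps({"subject": subject, "key": key, "issuer": issuer}, sort_keys=True).encode()


def issue_certificate(issuer_name, issuer_private, subject, subject_public):
    """A CA certifies a public key by signing (subject, key, issuer)."""
    cert = {"subject": subject, "key": subject_public, "issuer": issuer_name}
    cert["sig"] = sign(issuer_private, _tbs(subject, subject_public, issuer_name))
    return cert


def verify_chain(chain, trust_anchors):
    """chain[0] is the end-entity certificate; each cert must be issued by the
    subject of the next one, and the last by a trust anchor (name -> public key).
    Returns the validated end-entity public key, or None if any link fails."""
    if not chain:
        return None
    for cert, issuer_cert in zip(chain, chain[1:] + [None]):
        if issuer_cert is None:
            issuer_key = trust_anchors.get(cert["issuer"])
        elif issuer_cert["subject"] == cert["issuer"]:
            issuer_key = issuer_cert["key"]
        else:
            issuer_key = None
        body = _tbs(cert["subject"], cert["key"], cert["issuer"])
        if issuer_key is None or not verify(issuer_key, body, cert["sig"]):
            return None
    return chain[0]["key"]


def demo():
    """Two companies, each with its own CA, exchanging encrypted and signed mail."""
    alice_pub, alice_priv = make_keypair(0)      # user at our company
    root_pub, root_priv = make_keypair(1)        # our enterprise CA
    partner_pub, partner_priv = make_keypair(2)  # the business partner's CA
    bob_pub, bob_priv = make_keypair(3)          # user at the partner

    # Confidentiality: Bob encrypts to Alice's published key; only Alice can read it.
    ciphertext = encrypt(alice_pub, b"meet at 9")

    # Certification: our CA signs Alice's key and cross-certifies the partner CA.
    alice_cert = issue_certificate("Our CA", root_priv, "alice", alice_pub)
    partner_cross = issue_certificate("Our CA", root_priv, "Partner CA", partner_pub)
    bob_cert = issue_certificate("Partner CA", partner_priv, "bob", bob_pub)
    anchors = {"Our CA": root_pub}  # the only key our users trust directly

    # Authenticity: Bob signs a message; we accept it only if a chain from his
    # certificate leads back to our CA and the signature checks under that key.
    message = b"invoice 42 approved"
    signature = sign(bob_priv, message)
    bob_key = verify_chain([bob_cert, partner_cross], anchors)
    # A certificate that merely claims "Our CA" as issuer but is signed with
    # Bob's own key must be rejected.
    forged = issue_certificate("Our CA", bob_priv, "bob", bob_pub)

    return {
        "decrypted": decrypt(alice_priv, ciphertext),
        "alice_trusted": verify_chain([alice_cert], anchors) == alice_pub,
        "bob_via_cross_cert": bob_key == bob_pub and verify(bob_key, message, signature),
        "bob_without_cross_cert": verify_chain([bob_cert], anchors) is None,
        "forged_rejected": verify_chain([forged], anchors) is None,
        "tampered_rejected": not verify(bob_pub, b"invoice 43 approved", signature),
    }
```

Running `demo()` shows the policy decisions the text describes as code paths: Bob's signed message is accepted only because our CA chose to cross-certify the partner CA (without `partner_cross` in the chain, `verify_chain` returns `None`), and a certificate naming our CA as issuer but signed by someone else fails the same check. Whether a given message must be encrypted, signed, or both is then a rule applied on top of these primitives, which is exactly the policy the company has to write down.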

Microsoft PKI Components
The foundation of Microsoft's PKI is its cryptographic API--CryptoAPI 2.0. This API provides a cryptographic service and a certificate management service for public key security. CryptoAPI's cryptographic service performs functions such as key generation, message hashing, digital signature, and encryption. The certificate management service provides X.509v3 digital certificate management and storage. PKI in Win2K comprises various components: Cryptographic Service Providers (CSPs), Certificate Server, smartcard service, a secure channel, Authenticode, Encrypting File System (EFS), Microsoft Exchange Server Key Management (KM) Server, and PKI applications. Figure 1 shows the components and architecture of Win2K's PKI.

Win2K has a modular PKI architecture, which lets administrators easily upgrade, integrate, extend, and develop their enterprise's PKI without changing underlying OS kernels. For example, Exchange Server 5.5 uses only its KM server to issue and manage Exchange Server client certificates. With Service Pack 1 (SP1) in Exchange Server 5.5, Exchange Server uses Certificate Server, rather than Exchange Server KM Server, to issue and manage Exchange Server client certificates. (To learn more about Exchange Server KM Server, see Tony Redmond, "Maintaining Secure Exchange Servers," October 1997.)

Developers can build PKI-enabled applications based on Microsoft-provided PKI components and CryptoAPI. For example, you can employ CryptoAPI and digital certificates to encrypt and authenticate messages in Microsoft Message Queue Server (MSMQ) applications. You can also selectively use Microsoft PKI components according to your business needs. For example, if your company requires a secure Web site, you can use Certificate Server and the secure channel function built into Internet Information Server (IIS) and Internet Explorer (IE).

Let's take a closer look now at some of Win2K's PKI components. I'll describe CSPs; Certificate Server, its Certificate Manager and Certificate Server Manager tools, and the certificate policies it generates; smartcard service; the secure channel function; Authenticode; and EFS.
