Microsoft PKI - PowerPoint PPT Presentation

About This Presentation
Title:

Microsoft PKI

Description:

Software, encryption technologies, processes, and services ... Electronic Federal Tax Payment System (EFTPS) : http://www.eftps.gov ... – PowerPoint PPT presentation

Slides: 21
Provided by: queng

Transcript and Presenter's Notes

1
Microsoft PKI and Smart Card overview
  • Nguyen An Que
  • Technology Specialist
  • Microsoft Vietnam
  • Que.Nguyen_at_microsoft.com

2
Topic to be covered
  • PKI
  • Smart Card
  • Microsoft Identity Lifecycle Manager 2007
  • Deployment inside Microsoft

3
PKI definition
  • Symmetric encryption
      • Same cryptographic key for encryption and decryption
      • Secret key should be kept confidential
  • Asymmetric encryption
      • Uses 2 cryptographic keys
      • Public Key: passed openly around
      • Private Key: remains secret
  • Public Key cryptography usage
      • Digital signatures and data integrity
      • Authentication
      • Confidentiality
  • Public Key Infrastructure (PKI)
      • Software, encryption technologies, processes, and services
      • To secure communications and business transactions
      • By exchanging digital certificates: authenticated users ↔ trusted resources

4
Public Key Certificates
  • Certificate Authority (CA)
  • What other people will say when they see this certificate:
      • I trust the Issuing CA
          • because it was guaranteed by a public CA, e.g. VeriSign
          • and all public CAs were hard-coded into the OS
      • I trust that this certificate was issued to John Smith
          • because his private key was previously used to encrypt the certificate data
          • and the signature on the certificate guarantees data integrity
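The trust decision on slide 4, carried out in PowerShell with the .NET X509Chain class, as an added example that is not part of the original slides: the chain is built from the certificate up to a root in the machine's Trusted Root store, and each link is accepted only if its signature verifies under the issuer's public key (the signature on a certificate is made by the issuing CA's private key, which is what this check validates). Assumes Windows PowerShell 5.1 or PowerShell 7 and a certificate to test, loaded from a file path (hypothetical path below) or from the personal store.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-CertTrustChain {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [switch]$SkipRevocation   # for an offline lab without CRL/OCSP reachability
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = if ($SkipRevocation) { [X509RevocationMode]::NoCheck } else { [X509RevocationMode]::Online }
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag   # take no shortcuts

    # Build() walks leaf -> intermediates -> root, verifying each certificate's
    # signature with its issuer's public key, and finally requires the root to be
    # present in the Trusted Root Certification Authorities store.
    $trusted = $chain.Build($Certificate)

    $last = $chain.ChainElements.Count - 1
    for ($i = 0; $i -le $last; $i++) {
        $el   = $chain.ChainElements[$i]
        $role = if ($i -eq 0) { 'leaf' } elseif ($i -eq $last) { 'root' } else { 'intermediate' }
        Write-Host ("[{0}] {1,-12} Subject: {2}" -f $i, $role, $el.Certificate.Subject)
        Write-Host ("     Issuer:     {0}" -f $el.Certificate.Issuer)
        Write-Host ("     Valid:      {0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $el.Certificate.NotBefore, $el.Certificate.NotAfter)
        foreach ($s in $el.ChainElementStatus) {
            # Per-element problems: expired, revoked, untrusted root, bad signature, ...
            Write-Host ("     Problem:    {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    if ($trusted) {
        Write-Host 'Result: TRUSTED (chains to a root in the Trusted Root store)'
    } else {
        Write-Host 'Result: NOT TRUSTED'
        foreach ($s in $chain.ChainStatus) { Write-Host (" - {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    }
    $chain.Dispose()
    return $trusted
}

# Usage: a certificate exported to a file, or one from the personal store.
# $cert = [X509Certificate2]::new('C:\temp\example.cer')   # hypothetical path
# $cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
# Test-CertTrustChain -Certificate $cert
```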

5
PKI components (diagram; labels only): Company Root CA, AD Domain Controller, Intranet users (Domain)
6
PKI components (diagram; labels only): Offline Root CA, AD Domain Controller, Online Issuing CA, Public CA TimeStamp service (VeriSign), ISA firewall, Intranet users (Domain), Customers (non-domain), Mobile user (Domain)
7
Example VCB certificate
8
PKI usage
  • Digital Signature and Integrity
      • Mechanism
          • Sender encrypts its signature using its private key
          • Recipients use the sender's public key to decrypt the sender's signature
      • Signing scenarios
          • Email (MS Outlook, Outlook Express)
          • Word, Excel, InfoPath forms in workflow and legal docs
          • Authenticity and origin: Code Signing for ActiveX and EXE files
  • Authentication
      • Local and VPN user authentication using Smart Card
      • Wireless client 802.1x authentication using certificate
  • Data encryption
      • Mechanism
          • Sender encrypts data using recipients' public keys (obtained in advance)
          • Each recipient uses its own private key to decrypt
      • Internet environment
          • Secure e-commerce, e-banking, extranet web servers using https through ISA 2006
          • Secure application access for mobile users using https through ISA 2006
          • Email: Outlook Web Access, Microsoft Outlook, Pocket Outlook (Windows Mobile)
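The two mechanisms from slides 3 and 8 (sign with the sender's private key, verify with the sender's public key; encrypt to the recipient's public key, decrypt with the recipient's private key) in working PowerShell, as an added example that is not from the slides. It uses the .NET RSA class only, so it runs offline; assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later, and the message text is constructed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Sign with the sender's private key, then encrypt to the recipient's public key.
function Protect-Message {
    param([string]$Text, [RSA]$SenderPrivate, [RSA]$RecipientPublic)
    $data = [Encoding]::UTF8.GetBytes($Text)
    # Digital signature: SHA-256 hash of the data, signed with the sender's PRIVATE key.
    $sig  = $SenderPrivate.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Confidentiality: OAEP encryption to the recipient's PUBLIC key (obtained in advance).
    # RSA-2048 with OAEP-SHA256 takes at most 190 bytes, so real systems encrypt a
    # symmetric session key this way and protect the bulk data with that key.
    $ct   = $RecipientPublic.Encrypt($data, [RSAEncryptionPadding]::OaepSHA256)
    [pscustomobject]@{ Ciphertext = $ct; Signature = $sig }
}

# Decrypt with the recipient's private key, then verify with the sender's public key.
function Unprotect-Message {
    param($Envelope, [RSA]$RecipientPrivate, [RSA]$SenderPublic)
    # Only the holder of the recipient's PRIVATE key can recover the plaintext.
    $data = $RecipientPrivate.Decrypt($Envelope.Ciphertext, [RSAEncryptionPadding]::OaepSHA256)
    # Anyone holding the sender's PUBLIC key can check the signature; a single changed
    # byte in data or signature makes VerifyData return false (integrity and origin).
    $ok   = $SenderPublic.VerifyData($data, $Envelope.Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    [pscustomobject]@{ Text = [Encoding]::UTF8.GetString($data); SignatureValid = $ok }
}

# Public-only copy of a key pair: the part each party publishes (e.g. in a certificate).
function Get-PublicHalf([RSA]$KeyPair) {
    $pub = [RSA]::Create()
    $pub.ImportParameters($KeyPair.ExportParameters($false))   # $false = exclude private parts
    return $pub
}

$sender    = [RSA]::Create(2048)
$recipient = [RSA]::Create(2048)
$senderPub = Get-PublicHalf $sender
$recipPub  = Get-PublicHalf $recipient

# Constructed sample message.
$envelope = Protect-Message -Text 'Transfer 1,000 to account 42' -SenderPrivate $sender -RecipientPublic $recipPub
$out = Unprotect-Message -Envelope $envelope -RecipientPrivate $recipient -SenderPublic $senderPub
"Recovered: '{0}'  signature valid: {1}" -f $out.Text, $out.SignatureValid

# Flip one bit of the signature: decryption still succeeds, verification fails.
$envelope.Signature[0] = $envelope.Signature[0] -bxor 0x01
$out = Unprotect-Message -Envelope $envelope -RecipientPrivate $recipient -SenderPublic $senderPub
"After tampering: signature valid: {0}" -f $out.SignatureValid
```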

9
PKI Deployment inside Microsoft: Windows Server 2003 PKI
10
PKI Deployment inside Microsoft: Windows Server 2003 PKI
11
PKI Deployment inside Microsoft: Windows Server 2003 PKI
12
Smart Card overview
  • 2-factor authentication methods
      • Smart Card
      • Smart USB Token
      • Biometrics
      • RSA SecurID
  • What is a Smart Card?
      • EEPROM and RAM chip on a card
      • Stores and processes information
      • Tamper resistant
  • Requiring Smart Card for interactive logon
      • AD Group Policy
      • Password changed to random
      • Smart Card removal behavior
  • VPN authentication using Smart Card
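An added audit script, not from the slides, for the three smart card logon controls slide 12 lists: the registry values written by the two Group Policy settings ("Interactive logon: Require smart card" and "Interactive logon: Smart card removal behavior") and the AD accounts flagged "Smart card is required for interactive logon", the flag that makes AD replace the password with a random value. Assumes a domain-joined Windows host with the RSAT ActiveDirectory module; the 365-day staleness threshold is an assumed value.

```powershell
# Registry values behind the two Group Policy settings on slide 12.
function Get-SmartCardLogonPolicy {
    $sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # "Interactive logon: Require smart card" -> scforceoption (DWORD, 1 = required)
    $force  = (Get-ItemProperty -Path $sysPolicy -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    # "Interactive logon: Smart card removal behavior" -> ScRemoveOption (string)
    $remove = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption

    $removeText = switch ("$remove") {
        '0'     { 'No action' }
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect if a Remote Desktop session' }
        default { 'Not configured (behaves as No action)' }
    }
    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        RequireSmartCard = ($force -eq 1)
        RemovalBehavior  = $removeText
    }
}

# Accounts with "Smart card is required for interactive logon" (userAccountControl
# bit 0x40000). Setting the flag gives the account a random password, but that
# password is not rotated unless the domain is configured to expire it, so an old
# PasswordLastSet on such an account is worth reviewing.
function Get-SmartCardRequiredUsers {
    param([int]$StaleDays = 365)   # assumed threshold
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Properties PasswordLastSet, Enabled |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ Name = 'StaleRandomPassword'; Expression = { $_.PasswordLastSet -lt $cutoff } }
}

Get-SmartCardLogonPolicy | Format-List
Get-SmartCardRequiredUsers | Sort-Object PasswordLastSet | Format-Table -AutoSize
```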

13
Smart Card inside Microsoft
  • Need to integrate with existing RFID name badge
  • Interface: a mixture of USB and PCMCIA
  • Mobile computers
      • Remote Access to Microsoft Intranet via VPN requires Smart Card
  • Home computers
      • Not managed by Microsoft IT
      • Smart Card not required for
          • Outlook Web Access using https
          • Microsoft Outlook using https

14
Smart Card inside Microsoft
15
Microsoft Identity Lifecycle Manager (ILM) 2007
  • Components
      • MS Identity Integration Server (MIIS) 2003 SP2
          • User synchronization with non-Microsoft systems
      • MS Certificate Lifecycle Manager (CLM) 2007
          • Supports large deployments of Smart Cards
  • Estimated pricing
      • ILM Server 2007 (OLP): 16,185
      • ILM CAL 2007 (OLP): 27
      • SQL 2005 Standard

www.microsoft.com/windowsserver/ilm2007
16
Federal Case Studies
  • Electronic Federal Tax Payment System (EFTPS)
      • http://www.eftps.gov/
      • Individual and business taxpayers can make their federal tax payments electronically
      • Current statistics
          • Enrollments (as of May 12, 2001): 3,454,923
          • Number of payments since 1996: 197 million
          • Dollars transmitted electronically: 5 trillion
  • Internal Revenue Service (IRS) e-file
      • http://www.irs.gov/elec_svs/index.html
      • Provides a more convenient method of filing taxes for taxpayers
  • U.S. Postal Service: to be the first federally protected identity service based on PKI

17
Commercial Case Studies
  • Covad Communications
      • http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52010
  • Italy's Guardia di Finanza
      • Under the Ministry of Economy and Finance
      • http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=51232
  • QUALCOMM
      • http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=50525

18
Que.Nguyen_at_microsoft.com
19
Example of using a public TimeStamp service
20
Core IO example: Identity and Access Management
  • No AD for Authentication for 80 users
  • Users operate in admin mode
  • AD for Authentication and Authorization
  • Users operate in admin mode
  • Desktops and servers not controlled by Group Policy
  • AD Group Policy and Security templates used to manage desktops and servers for security and configuration
  • Information Protection Infrastructure using RMS
  • Centrally manage user provisioning across heterogeneous systems using ILM
  • Federated Identity Management across organizational boundaries using ADFS