PKI in a Windows Environment - PowerPoint PPT Presentation

About This Presentation
Title:

PKI in a Windows Environment

Description:

Windows 2000 (ex NT5) Beta 3 RC0. 6. Windows 2000 PKI Core Components ... Extranet. Intranet. 11. Active Directory Integration: Public Key Policy Settings ... – PowerPoint PPT presentation

Slides: 29
Provided by: joyd162

Transcript and Presenter's Notes

Title: PKI in a Windows Environment


1
PKI in a Windows Environment
  • COSIC Seminar - 3/3/99
  • Jan.DeClercq@Compaq.com

2
Introduction: Public Key Security
  • Asymmetric cryptography
  • Certificates
  • Certification Authorities (CAs)
  • Public Key Infrastructures (PKIs)

3
Public Key in a Windows Environment
  • Why?
  • Core components
  • Public key applications
  • Deployment steps

4
Why PKI in Windows?
  • Stronger security
  • Enables new opportunities
  • Based on open standards

5
Available today...
  • NT4 SP4
  • NT4 Option Pack
  • Internet Information Server V4
  • Certificate Server V1
  • Exchange 5.5 SP2
  • Windows 2000 (ex NT5) Beta 3 RC0

6
Windows 2000 PKI Core Components
  • Active Directory (AD)
  • Certificate server
  • Client workstation

7
The Active Directory
8
Active Directory Integration
(Diagram: Policies; Client and Server, each performing Cert Lookup and Logon against the Active Directory; UserID-Cert Mapping; Certification Authority.)
9
AD Integration: Certificate Mapping - Smartcard Logon
(Diagram: Client, Kerberos KDC, Active Directory, X.509 Public Key Certificate.)
10
AD Integration: Certificate Mapping - IIS
(Diagram: Extranet and Intranet clients reach a Secure Web Server over HTTP with SSL/TLS; Certificate Mapping and Certificate Enrollment involve the Active Directory and the Certification Authority.)
11
Active Directory Integration: Public Key Policy Settings
  • Certificate trust lists
  • Automatic certificate enrollment
  • Trusted root certification authorities
  • Data recovery agents

12
Certificate Server
  • Architecture
  • Topologies
  • Certificate Server (CS) Management Interface

13
Certificate Server Architecture
(Diagram: Certificate Request -> Intermediary -> Server Engine -> Issued Certificate; the Server Engine works with the Policy Module, Admin Tools, Server Queue, Server Database and Server Log.)
14
Certificate Server Topologies
(Diagram: Active Directory; Enterprise Root CA; Enterprise Sub CA; Standalone Sub CA; Standalone CA; One-way trust.)
15
Certificate Server Management Interface
  • Start/stop CS service
  • Backup/restore CS service
  • Configure CS policy
  • Revoke certificates
  • Configure, view, force publishing of CRL
  • View CS database

16
Client Issues
  • Enrollment
  • Storage model
  • Certificate management
  • Certificate Revocation

17
Certificate Enrollment
  • Protocols based on standards
    • PKCS #10 (certificate request)
    • PKCS #7 (certificate response)
  • Different certificates for different applications
    and uses
    • Client authentication -> Internet Explorer
    • Email protection -> Outlook 98, Outlook Express
  • Authenticated requests via policy

18
Client Issues: Certificate Storage Model
(Diagram: CryptoAPI; Logical Store Layer with the Root, My, User DS, CA and Trust stores; Physical Store Layer with the Smart Card CSP, Default Store Provider and LDAP providers; Smartcard Services.)
19
Client Issues: Certificate Management
  • Viewing certificates
  • Installation of a root certificate
  • Enrollment and Renewal
  • Export and Import
  • Roaming
  • Trust
  • Revocation

20
Client Issues: Certificate Revocation
(Diagram: the Certificate Server publishes the CRL to distribution points (CRLDP); a certificate's X.509 CRLDP extension points to them via an LDAP URL (AD), an HTTP URL (WWW) or a UNC path (NTFS); the client keeps a Client Cache.)
21
Windows 2000 PK Applications
  • S/MIME - MS Exchange
  • Encrypting File System (EFS)
  • Not covered:
    • Smartcard logon
    • IPSec
    • Authenticode
    • Secure channel support (SSL, TLS)

22
Exchange PK Security Deployment
  • Determine topology
  • Deploy Exchange 5.5
  • Deploy Outlook 98 (S/MIME client)
  • Set up MS Certificate Servers
  • Install Exchange 5.5 SP1 / SP2
  • Configure Exchange Server settings
  • Set up trust network

23
KMS (Exchange 5.5 SP2) Architecture
(Diagram: Microsoft Exchange Server with its Directory Service (Encryption certs, Revocation lists, Trust lists), Key Management Service (System attendant, CSP, Key archive as an encrypted .EDB) and Exchange Admin; MS Certificate Server with its Policy module and Certification authority.)
24
Encrypting File System (EFS) Concepts and Design
  • Hybrid cryptographic solution
  • Multiple key pair system
  • Data encryption
  • Data decryption and recovery
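Added example (not from the slides or from Microsoft's EFS implementation) modelling the hybrid, multiple-key-pair design the slide lists: a random file encryption key (FEK) encrypts the data, and the FEK is wrapped once under the owner's public key and once under each data recovery agent's public key, so either the owner or an agent can decrypt. Textbook RSA on constructed primes and a SHA-256 counter-mode keystream stand in for the real primitives; DDF and DRF are the EFS names for the owner's and the agents' wrapped-key fields.

```python
import hashlib
import secrets

# Constructed toy RSA key pairs: tiny primes, textbook RSA, insecure, used only
# to illustrate the EFS key structure.
def toy_rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public key, private key)

def rsa_wrap(pub, fek):            # wrap the integer FEK under a public key
    n, e = pub
    return pow(fek, e, n)

def rsa_unwrap(priv, wrapped):     # recover the FEK with the matching private key
    n, d = priv
    return pow(wrapped, d, n)

def keystream_xor(fek, data):
    # Symmetric half of the hybrid scheme: SHA-256 in counter mode keyed by the
    # FEK, a stand-in for the block cipher EFS actually uses.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(plaintext, owner_pub, agent_pubs):
    fek = secrets.randbelow(2 ** 48) + 1       # fresh per-file symmetric key
    return {
        "ciphertext": keystream_xor(fek, plaintext),
        "ddf": rsa_wrap(owner_pub, fek),                    # Data Decryption Field (owner)
        "drf": [rsa_wrap(pub, fek) for pub in agent_pubs],  # Data Recovery Fields (agents)
    }

def efs_decrypt(blob, priv, field="ddf", index=0):
    # The owner unwraps the DDF; a data recovery agent unwraps its own DRF entry.
    wrapped = blob["ddf"] if field == "ddf" else blob["drf"][index]
    return keystream_xor(rsa_unwrap(priv, wrapped), blob["ciphertext"])

if __name__ == "__main__":
    owner_pub, owner_priv = toy_rsa_keypair(1000000007, 998244353)
    agent_pub, agent_priv = toy_rsa_keypair(1000000009, 1000000021)
    blob = efs_encrypt(b"payroll.xls contents", owner_pub, [agent_pub])
    print(efs_decrypt(blob, owner_priv))              # owner path
    print(efs_decrypt(blob, agent_priv, "drf", 0))    # recovery agent path
```

Because the FEK is wrapped separately per key pair, adding or removing a recovery agent means re-wrapping one small key, not re-encrypting the file.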

25
EFS Encryption
(Diagram: EFS encryption.)
26
EFS Decryption and Recovery
(Diagram: EFS Driver and NTFS.)
27
PKI Deployment Steps
  • Planning and design
  • Rollout
  • Configuration

28
(No Transcript)