Title: PKI in a Windows Environment
1PKI in a Windows Environment
- Cosic Seminar - 3 / 3/ 99
- Jan.DeClercq_at_Compaq.com
2Introduction Public Key Security
- Asymmetric cryptography
- Certificates
- Certification Authorities (CAs)
- Public Key Infrastructures (PKIs)
3Public Key in a Windows Environment
- Why?
- Core components
- Public key applications
- Deployment steps
4Why Public PKI in Windows?
- Stronger security
- Enables new opportunities
- Based on open standards
5Available today...
- NT4 SP4
- NT4 Option Pack
- Internet Information Server V4
- Certificate Server V1
- Exchange 5.5 SP2
- Windows 2000 (ex NT5) Beta 3 RC0
6Windows 2000 PKI Core Components
- Active Directory (AD)
- Certificate server
- Client workstation
7The Active Directory
8Active Directory Integration
Policies
Client
Server
Cert Lookup Logon
Cert Lookup Logon
Active Directory
UserID-Cert Mapping
Certification Authority
9AD Integration Certificate Mapping Smartcard
Logon
Active Directory
Kerberos
X.509 Public Key Certificate
KDC
Client
10AD Integration Certificate Mapping IIS
Extranet
Intranet
Secure Web Server
HTTP withSSL/TLS
Certificate Mapping
Certificate Enrollment
Active Directory
Certification Authority
11Active Directory Integration Public Key Policy
Settings
- Certificate trust lists
- Automatic certificate enrollment
- Trusted root certification authorities
- Data recovery agents
12Certificate Server
- Architecture
- Topologies
- Certificate Server (CS) Management Interface
13Certificate Server Architecture
Policy Module
Admin Tools
Server Engine
Intermediary
?
Issued Certificate
Certificate Request
Server Queue
Server Database
Server Log
14Certificate Server Topologies
Active Directory
Standalone CA
One-way trust
Enterprise Root CA
Standalone Sub CA
Enterprise Sub CA
15Certificate Server Management Interface
- Start/stop CS service
- Backup/restore CS service
- Configure CS policy
- Revoke certificates
- Configure, view, force publishing of CRL
- View CS database
16Client Issues
- Enrollment
- Storage model
- Certificate management
- Certificate Revocation
17Certificate Enrollment
- Protocols based on standards
- PKCS10
- PKCS7
- Different certificates for different applications
and uses - Client authentication -gt Internet Explorer
- Email protection -gt Outlook 98, Outlook Express
- Authenticated requests via policy
18Client IssuesCertificate Storage Model
CryptoAPI
Root
My
User DS
CA
Trust
Logical Store Layer
Smart Card CSP
Default Store Provider
LDAP
Physical Store Layer
Smartcard Services
19Client IssuesCertificate Management
- Viewing certificates
- Installation of a root certificate
- Enrollment and Renewal
- Export and Import
- Roaming
- Trust
- Revocation
20Client IssuesCertificate Revocation
Certificate Server
CRLDP
Certificate
LDAP URL
AD
X.509 Extension CRLDP Pointer
HTTP URL
WWW
UNC
NTFS
Client Cache
21Windows 2000 PK Applications
- S/MIME - MS Exchange
- Encrypting File System (EFS)
- Not covered
- Smartcard logon
- IPSec
- Authenticode
- Secure channel support (SSL, TLS)
22Exchange PK Security Deployment
- Determine topology
- Deploy Exchange 5.5
- Deploy Outlook 98 (S/MIME client)
- Setup MS Certificate Servers
- Install Exchange 5.5 SP1 / SP2
- Configure Exchange Server settings
- Set up trust network
23KMS Exchange 5.5 SP2 Architecture
Microsoft Exchange Server
Directory Service
Encryption certs
Revocation lists
Trust lists
MS Certificate Server
Key Management Service
System attendant
CSP
Policy module
Key archive (encrypted .EDB)
Certification authority
Exchange Admin
24Encrypting File System (EFS) Concepts and Design
- Hybrid cryptographic solution
- Multiple key pair system
- Data encryption
- Data decryption and recovery
25EFS Encryption
EFS
1
26EFS Decryption and Recovery
1
EFS Driver
NTFS
27PKI Deployment Steps
- Planning and design
- Rollout
- Configuration
28(No Transcript)