New in W2K: Public Key Infrastructure services

New in W2K: Public Key Infrastructure services

March 18, 2001

Bart Teunis


One of the things we are all concerned about is security, specially when we start to do business through the internet. When your business model is business-to-costumer Secure Socket Layer (SSL) will do, this makes secure payments to you possible. The problem is that this is just a one way security. You say who you are, but you don't know who the other person is. To make this a more reliable system you can make use of Public Key Infrastructure (PKI).

Public Key Infrastructure:
To understand the PKI services in W2K a brief introduction will be at its place. The basic principal of PKI is the fact that there are two types of keys involved:

  • The public key, which is known to everybody
  • The private key, which is only known to the owner.

PKI is based on a mathematical relation between the public key and the private key. It's not feasible to drive one from the other.

How does it work ?

For example: Bob wants to send a message to Ann that is not for everyone's eyes. He uses Ann's public key to encrypt the message and sends it to Ann. She uses her private key to decrypt the message. The important thing here is that Ann can freely distribute her public key in order to allow anyone to have copies of the public key. When Bill intercept the message which Bob sends to Ann while having a copy of Ann's public key he is not able to decrypt the message, only Ann's private makes it possible to decrypt the message.

One of the greatest problems in NT 4.0 was the security part, it was out in the world that was very difficult to secure a NT 4.0 environment. To make the W2K environment more secure the people from Microsoft integrated PKI in the new system.

PKI in W2K:

The W2K PKI is build on four pillars:

  • Interoperability, or the ability to exchange messages, certificates, and services with other standard-based PKI components
  • Security, provided both by using robust security algorithms and procedures and by depending on mature well-tested code and algorithms
  • Flexibility, or the ability to configure a PKI that precisely matches your specific organizational and business needs with minimum hassle
  • Ease of use, for PKI administrators, the end users who obtain and use certificates, and the application developers who create PKI-enabled applications

The primary components of the W2K PKI are:

  • Certificate services, a core operating system service that allows businesses to act as their own Certificate Associate's and issue and manage digital services
  • Active Directory directory service, a core operating service that provides a single place to find network resources; it serves as the publication service in the PKI
  • PKI enabled applications like IE, MS money, IIS, Outlook and Outlook express, as well as myriad third-party applications
  • The Exchange Key Management Service (KMS), a component of MS Exchange that allows for the archiving and retrieval of keys used to encrypt e-mail in a future version of Windows, the KMS will become subsumed into the Windows operating system as an enterprise-wide KMS.

The PKI in W2K relies on the following standards.

So as we can see MS is very concerned on security in the W2K operating system and integrates a lot a features standard into the W2K platform.

In a future article I will discuss how you can activate these features in W2K.

Bart Teunis

Standards supported by W2K

Standard What it defines Why it matters
X.509 version 3 Format and content of digital certificates Without a standard for certificate formats, there's no way to exchange certificates between vendors
CRL version Formats and content of certificate revocation lists Sites need to have a way to interchange revocation information
PKCS family Format and behavior for Public key exchange and distribution Allows different vendors' implementations to request and move certificates in a way that all understand
PKIX Format and behavior for Public key exchange and distribution PKIX is an emerging PKI standard that many major vendors and enterprises are adopting in place of the PKCS standard
SSL version 3 Encryption for web sessions SSL in the best-known and most widely used security protocol on the internet , but it's subject to export controls
SGC Provides SSL-like security without export complications SGC allows full 128-bit security and is exportable for certain uses
IPSec Encryption for network sessions using the internet protocol (IP) IPSec promises to offer transparent and automatic encryption of network connections
PKINIT Emerging standard for using Public keys to log on to networks that use the Kerberos authentication protocol Kerberos identifies users on the network; PKINIT allows Kerberos to use digital certificates on smart cards as credentials
PG/SC Standard for interfacing to smart cards Any vendor's smart cards that adhere to this standard can be used under W2K without the need for proprietary software