New in W2K: Public Key Infrastructure services
March 18, 2001
One of the things we are all concerned about is security, especially when we start to do business over the Internet. When your business model is business-to-customer, Secure Sockets Layer (SSL) will do: it makes secure payments to you possible. The problem is that this is only one-way security. You say who you are, but you don't know who the other person is. To make this a more reliable system you can make use of Public Key Infrastructure (PKI).
Public Key Infrastructure:
PKI is based on a mathematical relation between the public key and the private key. It is not computationally feasible to derive one from the other.
How does it work?
For example: Bob wants to send a message to Ann that is not for everyone's eyes. He uses Ann's public key to encrypt the message and sends it to Ann. She uses her private key to decrypt the message. The important thing here is that Ann can freely distribute her public key, so that anyone can have a copy of it. If Bill intercepts the message that Bob sends to Ann, he is not able to decrypt it even though he has a copy of Ann's public key; only Ann's private key makes it possible to decrypt the message.
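The Bob, Ann and Bill exchange can be traced in code. The following is an added example, not part of the original article: it uses textbook RSA built from the Python standard library, and the function names and the 65537 exponent are choices made here. It shows only the key relation; it has no padding such as OAEP, so production systems should rely on a vetted cryptographic library instead.

```python
import secrets

E = 65537  # widely used public exponent (itself prime)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)

def is_probable_prime(n, rounds=40):
    # Miller-Rabin: a composite n survives one round with probability <= 1/4.
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if c % E != 1 and is_probable_prime(c):  # c % E != 1 keeps E invertible
            return c

def generate_keypair(bits=1024):
    # Ann runs this once; (n, E) is published, (n, d) never leaves her machine.
    p, q = random_prime(bits // 2), random_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # E*d == 1 (mod phi): computing d requires p and q
    return (n, E), (n, d)

def encrypt(public_key, message):
    n, e = public_key  # Bob needs only Ann's public key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    n, d = private_key  # only the private exponent d inverts the encryption
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```

Bill's position corresponds to calling `decrypt` with the public pair `(n, E)`: the result is not the original message, because recovering `d` requires the prime factors of `n`.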
One of the greatest problems in NT 4.0 was security: it was widely known that an NT 4.0 environment was very difficult to secure. To make the W2K environment more secure, Microsoft integrated PKI into the new system.
PKI in W2K:
The W2K PKI is built on four pillars:
The primary components of the W2K PKI are:
So, as we can see, Microsoft is very concerned about security in the W2K operating system and integrates a lot of features as standard into the W2K platform.
In a future article I will discuss how you can activate these features in W2K.
Bart Teunis
| Standard | What it defines | Why it matters |
|---|---|---|
| X.509 version 3 | Format and content of digital certificates | Without a standard for certificate formats, there's no way to exchange certificates between vendors |
| CRL version | Formats and content of certificate revocation lists | Sites need to have a way to interchange revocation information |
| PKCS family | Format and behavior for public key exchange and distribution | Allows different vendors' implementations to request and move certificates in a way that all understand |
| PKIX | Format and behavior for public key exchange and distribution | PKIX is an emerging PKI standard that many major vendors and enterprises are adopting in place of the PKCS standard |
| SSL version 3 | Encryption for web sessions | SSL is the best-known and most widely used security protocol on the internet, but it's subject to export controls |
| SGC | Provides SSL-like security without export complications | SGC allows full 128-bit security and is exportable for certain uses |
| IPSec | Encryption for network sessions using the Internet Protocol (IP) | IPSec promises to offer transparent and automatic encryption of network connections |
| PKINIT | Emerging standard for using public keys to log on to networks that use the Kerberos authentication protocol | Kerberos identifies users on the network; PKINIT allows Kerberos to use digital certificates on smart cards as credentials |
| PC/SC | Standard for interfacing to smart cards | Any vendor's smart cards that adhere to this standard can be used under W2K without the need for proprietary software |