
New in W2K: Public Key Infrastructure services

By ServerWatch Staff
Posted Mar 18, 2001


Bart Teunis

Introduction:

One of the things we are all concerned about is security, especially when we start to do business over the Internet. When your business model is business-to-customer, Secure Sockets Layer (SSL) will do: it makes secure payments to you possible. The problem is that this is only one-way security. You say who you are, but you don't know who the other person is. To make this a more reliable system, you can make use of a Public Key Infrastructure (PKI).

Public Key Infrastructure:
To understand the PKI services in W2K, a brief introduction is in order. The basic principle of PKI is that there are two types of keys involved:

  • The public key, which is known to everybody
  • The private key, which is only known to the owner.

PKI is based on a mathematical relation between the public key and the private key. It is not feasible to derive one from the other.

How does it work?

For example: Bob wants to send a message to Ann that is not for everyone's eyes. He uses Ann's public key to encrypt the message and sends it to Ann. She uses her private key to decrypt the message. The important thing here is that Ann can freely distribute her public key, so that anyone can have a copy of it. If Bill intercepts the message that Bob sends to Ann, he is not able to decrypt it even though he has a copy of Ann's public key; only Ann's private key makes it possible to decrypt the message.

One of the greatest problems in NT 4.0 was security: it was widely known that an NT 4.0 environment was very difficult to secure. To make the W2K environment more secure, Microsoft integrated PKI into the new system.

PKI in W2K:

The W2K PKI is built on four pillars:

  • Interoperability, or the ability to exchange messages, certificates, and services with other standard-based PKI components
  • Security, provided both by using robust security algorithms and procedures and by depending on mature well-tested code and algorithms
  • Flexibility, or the ability to configure a PKI that precisely matches your specific organizational and business needs with minimum hassle
  • Ease of use, for PKI administrators, the end users who obtain and use certificates, and the application developers who create PKI-enabled applications

The primary components of the W2K PKI are:

  • Certificate Services, a core operating system service that allows businesses to act as their own certificate authorities (CAs) and issue and manage digital certificates
  • Active Directory directory service, a core operating system service that provides a single place to find network resources; it serves as the publication service in the PKI
  • PKI-enabled applications like IE, MS Money, IIS, Outlook and Outlook Express, as well as myriad third-party applications
  • The Exchange Key Management Service (KMS), a component of MS Exchange that allows for the archiving and retrieval of keys used to encrypt e-mail. In a future version of Windows, the KMS will be subsumed into the Windows operating system as an enterprise-wide KMS.

The PKI in W2K relies on the following standards.

So, as we can see, MS is very concerned about security in the W2K operating system and integrates a lot of features as standard into the W2K platform.

In a future article I will discuss how you can activate these features in W2K.
