Windows Security and PKI @ Microsoft - An Inside View -


1 Windows Security and PKI @ Microsoft - An Inside View -
Monica Ene-Pietrosanu, Senior Consultant, Microsoft Romania
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2 Agenda
- A short cryptography primer
- Windows PKI
- Certificates and Certificate Services
- Certification Authority hierarchies
- Designing a CA hierarchy
- Windows @ Redmond
- Questions

3 What is cryptography?
- Encryption is the process of transforming clear text into ciphertext; decryption is the reverse process.
- Encryption/decryption requires three things: an algorithm, a key and data.
- Two types: symmetric-key and asymmetric (public-key) cryptography.

4 Symmetric-key cryptography
- Requires a secret key shared between the two parties.
Diagram: "Hello, Bob!" → encrypt with the shared key → "*&^1" → decrypt with the same key → "Hello, Bob!"

5 Symmetric-key cryptography
- It is fast.
- Often called bulk cryptography.
- Examples of symmetric algorithms: DES, DESX, 3DES, RC4, AES.

6 Public-key cryptography
- No shared secret.
- Two keys are generated at the same time, called a "key pair".
- They are mathematically related: very, very, very large numbers.
- It is infeasible to derive one key from the other.
Diagram: the public key and the private key.

7 Using public-key cryptography
- The public key is made public.
- The private key is kept secret; in general it never leaves the machine or device on which it was generated.
- If the private key is used to encrypt, only the public key can decrypt.

8 Public-key cryptography - mode of operation
Diagram 1, Alice sending a private message to Bob: "Hello, Mom!" → encrypted with Bob's public key → "*&^1" → decrypted with Bob's private key → "Hello, Mom!"
Diagram 2, a "provable" message from Bob: "Hello, Mom!" → transformed with Bob's private key → "c&16 (^%1" → recovered with Bob's public key → "Hello, Mom!"

9 Public-key algorithms
- Public-key cryptography is much slower than symmetric-key cryptography.
- Unsuitable for bulk encryption.
- Examples of algorithms: RSA, Diffie-Hellman, elliptic curves.

10 One-way hash functions
- Used to determine whether data has been modified.
- Like a CRC, but much more complex.
- Usually 128 bits or 160 bits long.
- It is infeasible to produce a document that matches a given hash value.
- One changed bit in the message affects about half of the bits of the hash value.

11 One-way hash functions
Alice wants to send an order to Bob and be sure that it is not modified.
Diagram: "Order#: 100 x Widget, 50 x Foo, 80 x Bar, 200 x Wotsits" → Hash Algorithm → Digest. The order and the digest are sent to Bob.

12 One-way hash functions
Bob receives the order and checks whether it was modified.
Diagram: "Order#: 100 x Widget, 50 x Foo, 80 x Bar, 200 x Wotsits" → Hash Algorithm → Digest; if the recomputed Digest == the received Digest then the order is intact.

13 Authentication
How does Bob know the message comes from Alice?
- Alice encrypts the hash value of the order with her private key ("signing").
- Bob decrypts the hash value with Alice's public key.
- If the decrypted hash value equals the hash value he computes himself, the order is authentic.
- Because the certificate is valid and trusted, it proves Alice's identity.
- The content itself is not necessarily encrypted!
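As an added example (not code from the presentation), here is the hash-and-sign flow of slides 10-13 in Go: the order string is the constructed sample from the slides, SHA-256 stands in for the 128/160-bit hashes mentioned, an RSA PKCS#1 v1.5 signature plays the role of "encrypting the hash with Alice's private key", and HashBitsChanged checks the claim that one changed input bit flips about half of the digest bits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/bits"
)

// Order is the constructed purchase order from the slides.
const Order = "Order#: 100 x Widget 50 x Foo 80 x Bar 200 x Wotsits"

// Digest is the one-way hash step (SHA-256 here; the slides mention 128/160-bit hashes).
func Digest(msg []byte) [32]byte { return sha256.Sum256(msg) }

// HashBitsChanged counts the digest bits that differ between two messages.
// For inputs differing in a single bit, about half of the 256 digest bits flip.
func HashBitsChanged(a, b []byte) int {
	da, db := Digest(a), Digest(b)
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

// Sign is the slide's "encrypt the hash with Alice's private key" step, done as an RSA PKCS#1 v1.5 signature over the digest.
func Sign(alice *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := Digest(msg)
	return rsa.SignPKCS1v15(rand.Reader, alice, crypto.SHA256, d[:])
}

// Verify: Bob recomputes the digest and checks it against the signature with Alice's public key. The order itself travels in clear.
func Verify(alicePub *rsa.PublicKey, msg, sig []byte) bool {
	d := Digest(msg)
	return rsa.VerifyPKCS1v15(alicePub, crypto.SHA256, d[:], sig) == nil
}

// Demo signs the order and reports whether the genuine copy and a tampered copy verify.
func Demo() (genuineOK, tamperedOK bool) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, _ := Sign(alice, []byte(Order))
	tampered := []byte("Order#: 900 x Widget 50 x Foo 80 x Bar 200 x Wotsits") // quantity changed in transit
	return Verify(&alice.PublicKey, []byte(Order), sig), Verify(&alice.PublicKey, tampered, sig)
}
```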

14 Combining symmetric and public keys
- We will not use public-key cryptography to encrypt the entire payment order: too slow.
- We use symmetric keys instead.
- How do we transfer the symmetric key securely from Alice to Bob?
- By combining the two technologies.

15 Symmetric & public keys combined
Diagram 1: Alice generates a random number and transfers it securely to Bob using his public key; this is a "session" key ("Rand #" → encrypted with Bob's public key → "c&16 (^%1" → decrypted with Bob's private key → "Rand #").
Diagram 2: Alice can now use the session key to send data to Bob in a secure manner ("Hello, Mom!" → encrypted with the random symmetric key → "*&^1" → "Hello, Mom!").
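An added Go example, not part of the original slides, of the session-key exchange on this slide: a fresh random key is wrapped with Bob's public key (RSA-OAEP, my choice of wrapping scheme) and the message is then encrypted under that key with AES-GCM (also my choice); Envelope, Seal and Open are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what Alice sends to Bob: the session key wrapped with Bob's public key, the GCM nonce and the ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal does the slide's two steps: make a random session key, send it under Bob's public key, then encrypt the bulk data with it.
func Seal(bobPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key := make([]byte, 32) // 256-bit AES session key, fresh for every message
	rand.Read(key)          // crypto/rand.Read never returns an error in current Go
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, nil) // only Bob's private key can unwrap this
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Open recovers the session key with Bob's private key; AES-GCM then rejects any ciphertext modified in transit.
func Open(bobPriv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, bobPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// Demo returns the plaintext Bob recovers and whether a flipped ciphertext byte is rejected.
func Demo() (string, bool) {
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(&bob.PublicKey, []byte("Hello, Mom!"))
	pt, _ := Open(bob, env)
	env.Ciphertext[0] ^= 1 // simulate modification in transit
	_, err := Open(bob, env)
	return string(pt), err != nil
}
```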

16 Certificates
A certificate is a binding between an identity (the subject) and a public key. Certificates contain:
- the subject's public key
- details about the subject
- details about the certificate issuer
- the expiration date
- a digital signature over the contents of the certificate
The certificate is signed by an issuing CA.

17 X.509 certificate (diagram only)

18 Certificates: the benefit of using them is a trust relationship
- Alice and Bob must trust the same issuing CA: VeriSign, Entrust, Thawte, etc., or the company's/organization's internal CA.
- A CA can use "self-signed" certificates: root certificates.

19 Creating certificates: how Bob obtains a certificate
- Bob generates a public/private key pair.
- Bob sends a certificate request (containing the public key) to the CA.
- The CA must validate that Bob is who he claims to be.
- The CA issues the certificate to Bob.
- Bob's software stores the certificate.
- Bob and the CA make Bob's certificate publicly known.

20 The certification chain (diagram only)

21 Using certificates
- Many applications do not need a directory; they only need to find the recipient's certificate.
- The client presents its certificate (or its certificate chain) to the server during authentication: SSL, TLS, smart card logon, Secure Email / S/MIME, IPSec.
- The certificate is mapped to the user's Windows account.

22 Certificate revocation
Certificates can become invalid before they expire:
- the private key is compromised or lost
- the user's name changes
How does a user find out about a revocation?
- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)

23 Microsoft Certificate Server
- A standard component of Windows 2000 Server and Windows Server 2003.
- The central component of the PKI: receives and validates certificate requests, generates and publishes certificates, revokes certificates.
- Integrated with Active Directory: certificate publication, revocation information, management.

24 Certificate Server installation types
- Enterprise: online; requires the Active Directory directory service; Windows 2000, XP and 2003 Server clients find the CA in Active Directory.
- Stand-alone: offline CAs and Microsoft Windows NT 4.0 domains.

25 PKI applications
- Secure Email / S/MIME
- Web authentication / SSL
- Smart card logon
- Encrypting File System (EFS)
- IPSec machine certificates
- Exchange 2000/5.5 KMS

26 Trust
Trust relationships between CAs are always based on hierarchies.
- Single-root hierarchy: a CA is either the root or a subordinate; the root CA can be taken offline, which improves security.
- Cross-certified hierarchy: a CA is both a root and a subordinate; an offline CA may not be possible.

27 Single-root certification hierarchies
Diagram (issuer → subject of each certificate):
- Issuer: CorpCA, Subject: CorpCA (self-signed root)
- Issuer: CorpCA, Subject: SubCA
- Issuer: CorpCA, Subject: SubCA
- Issuer: CorpCA, Subject: ProjectCA
- Issuer: CorpCA, Subject: ProjectCA
- Issuer: SubCA, Subject: MailCA
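As an added example (not the presentation's code), the CorpCA → SubCA branch of this slide built and verified with Go's crypto/x509, covering slides 16-20 as well: each certificate carries subject, issuer, validity dates and the issuer's signature, the root is self-signed, and the relying party can only validate an end-entity certificate when it can build the chain up to the trusted root. Bob's end-entity certificate is a constructed leaf, the hierarchy lives in memory rather than on a Certificate Server, and issue/Run are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate for name and signs it with issuerKey; a nil parent means self-signed (the root CA).
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, key, issuerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // CA=true is what lets this certificate's key sign others
	}
	if parent == nil {
		parent = tmpl // issuer == subject, as for CorpCA on the slide
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// Run builds CorpCA -> SubCA -> Bob and verifies Bob's certificate twice: with SubCA's
// certificate available to the relying party, and without it.
func Run() (withSubCA, withoutSubCA error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	subKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := issue("CorpCA", 1, true, nil, rootKey, rootKey) // self-signed root certificate
	sub := issue("SubCA", 2, true, root, subKey, rootKey)   // subordinate CA, issued by CorpCA
	bob := issue("Bob", 3, false, sub, bobKey, subKey)      // end-entity certificate (constructed), issued by SubCA
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the only certificate the relying party trusts a priori
	inters.AddCert(sub)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, withSubCA = bob.Verify(opts)
	opts.Intermediates = nil // without SubCA's certificate the chain to CorpCA cannot be completed
	_, withoutSubCA = bob.Verify(opts)
	return withSubCA, withoutSubCA
}
```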

28 Advantages
- Increased security
- Greater scalability
- A flexible administration model
- Support for commercial CAs: VeriSign, GTE, Thawte…
- The model most commonly supported by applications: Microsoft Internet Explorer, Internet Information Server, Netscape, Apache

29 Cross-certified CA hierarchies
Diagram (issuer → subject of each certificate):
- Issuer: CorpCA, Subject: CorpCA (self-signed root)
- Issuer: CorpCA, Subject: SubCA
- Issuer: PartnerCA, Subject: PartnerCA (self-signed root)
- Issuer: PartnerCA, Subject: IssuingCA
- Cross-certificates: Issuer: SubCA, Subject: PartnerCA; Issuer: IssuingCA, Subject: CorpCA

30 Cross-certification: uses
- Business-to-business interoperability
- Bridge CAs
- Interoperability between products
- Disparate PKI domains
- It implies full trust in a foreign CA hierarchy.

31 Securing the CA
Root CA:
- Maximum physical security: permanently offline (a less powerful machine is fine), in a restricted-access area (vault).
- High cryptographic security: the largest key, a hardware security module (HSM).
- High administrative security: audited multi-party access.
Subordinate CAs:
- The requirements decrease with the distance from the root.

32 Documentation
- Windows Server 2003 docs: it's both good and free!
- Help and Support Center (installed on the machine)
- Resource Kit and Deployment Guide
- Whitepapers
- Network Security, 2nd Edition, Kaufman, Perlman, Speciner: an excellent theoretical reference

33 Questions?

34 Let's take a break. The fun part begins.

35 The Redmond campus: 13 miles from Seattle

36 The Redmond campus: approx. 25K employees in Redmond; average age 36.

37 Windows Headquarters Buildings 40, 26, 27, 28, 9 ….

38 Around the campus

39 Windows Security: teams (~300 people)
- Windows Trust Management: PKI (X.509, EFS, CAPI2, Enrollment, Certificate Services); RMS (client, server); SLS
- Core Security: Base Crypto (CAPI1, CSPs, DPAPI); Authentication Protocols (Kerb, SSL, NTLM, …); Logons (Smart Cards, WinLogon, CredMan); Security Tools; Authorization
- NGSCB: Next Generation Secure Computing Base

40 Hello from the AIM team
Authentication and ID Management Team

