DESIGNING A PUBLIC KEY INFRASTRUCTURE


1 DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 9 DESIGNING A PUBLIC KEY INFRASTRUCTURE

2 OVERVIEW
Describe the elements and functions of a public key infrastructure (PKI).
Understand the functions of certificates and certification authorities (CAs).
Describe the structure of a CA hierarchy.
List the differences between enterprise and stand-alone CAs.
Install and configure a CA.
Understand the certificate enrollment process.
Publish certificate revocation lists.

3 INTRODUCING THE PUBLIC KEY INFRASTRUCTURE
A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys using digital certificates.

4 UNDERSTANDING SECRET KEY ENCRYPTION
Encryption is a system in which one character is substituted for another. Encryption on a data network typically uses a form of public key encryption. In public key encryption, every user has two keys, a public key and a private key. Data encrypted with the public key can be decrypted using the private key, and vice versa.

5 ENCRYPTING DATA

6 DIGITALLY SIGNING DATA
Digital signing refers to the process of using your private key to encrypt all or part of a piece of data. Digitally signed data, encrypted with your private key, can only be decrypted with your public key. Digital signing prevents other users from impersonating you by sending data in your name.

7 VERIFYING DATA
Hash values, or checksums, are used to guarantee the data has not been modified since the checksum was created. The receiving system verifies the checksum to determine whether or not the data has been altered.

8 USING CERTIFICATES
Digital certificates are documents that verifiably associate a public key with a particular person or organization. Certificates are obtained from an administrative entity called a certification authority (CA). The CA issues a public key and a private key as a matched pair. The private key is stored on the user’s computer, and the public key is issued as part of a certificate.

9 UNDERSTANDING CERTIFICATE CONTENTS
Digital certificates contain the public key for a particular entity plus information about the entity. Almost all certificates conform to the ITU-T standard X.509 (03/00), “The Directory: Public-Key and Attribute Certificate Frameworks.” Standardization of the certificate format is important; otherwise, the exchange of certificates and keys would be difficult.

10 DOWNLOADING CERTIFICATES FROM THE INTERNET

11 USING INTERNAL AND EXTERNAL CAs
For a certificate to be useful, it must be issued by an authority that both parties trust to verify each other’s identities. Within an organization, you can use Windows Server 2003 Certificate Services, a service that enables the computer to function as a CA. When communicating with external entities, a trusted third-party certificate issuer can be used.

12 UNDERSTANDING PKI FUNCTIONS
Having a PKI in place provides additional security on a Windows Server 2003 network. Using the management tools provided, administrators can publish, use, renew, and revoke certificates. They can also enroll clients in the PKI. Users can use certificates to provide additional security.

13 DESIGNING A PUBLIC KEY INFRASTRUCTURE
Planning a PKI typically consists of the following basic steps:
Defining certificate requirements
Creating a CA infrastructure
Configuring certificates

14 DEFINING CERTIFICATE REQUIREMENTS
When designing a PKI, you must determine the client’s security needs and how certificates can help provide that security. You must determine which users, computers, services, and applications will use certificates, and what kinds of certificates will be needed. Best practice dictates that a small set of security definitions is created and then applied to users and computers as needed.

15 CREATING A CA INFRASTRUCTURE
Planning the creation of certification authorities requires an understanding of CA hierarchy. A CA hierarchy refers to a structure in which each CA is validated by a CA at a higher level. The root CA is considered the ultimate authority for the organization.

16 WHEN TO USE INTERNAL AND EXTERNAL CAs
Internal CA
Advantages:
Direct control over certificates
No per-certificate fees
Can be integrated into Active Directory
Allows configuring and expanding PKI for minimal cost
Disadvantages:
Increased certificate management overhead
Longer, more complex deployment
Organization must accept liability for PKI failures
Limited trust by external customers

External CA
Advantages:
Instills customers with greater confidence in the organization
Provider liable for PKI failures
Expertise in the technical and legal ramifications of certificate use
Reduced management overhead
Disadvantages:
High cost per certificate
No auto-enrollment possible
Less flexibility in configuring and managing certificates
Limited integration with the organization’s infrastructure

17 HOW MANY CAs?
A single CA running on Windows Server 2003 can support as many as 35 million certificates and can issue two million or more a day depending on the system specifications. System performance is a factor in determining how many CAs should be implemented. Issuing certificates can be disk and processor intensive. Multiple CAs can be implemented for fault-tolerant or load-distribution reasons.

18 CREATING A CA HIERARCHY

19 UNDERSTANDING WINDOWS SERVER 2003 CA TYPES
Enterprise CAs:
Are integrated into Active Directory
Can only be used by Active Directory clients

Stand-Alone CAs:
Do not automatically respond to certificate enrollment requests
Are intended for users outside the enterprise that submit requests for certificates

20 CONFIGURING CERTIFICATES
Criteria to consider when configuring certificates include:
Certificate type
Encryption key length and algorithm
Certificate lifetime
Renewal policies

21 USING CERTIFICATE TEMPLATES
Certificate templates determine what attributes are available or required for a given type of certificate. Windows Server 2003 includes a large number of certificate templates designed to satisfy most certificate requirements.

22 INSTALLING CERTIFICATE SERVICES
Install through Add/Remove Windows Components in Control Panel.
Can be installed on either a domain controller or a member server running Windows Server 2003.
When installing an enterprise CA, a DNS server must be available that supports service location (SRV) resource records.
During installation, the desired CSP can be selected.

23 PROTECTING A CA
CAs should be considered critical network services. Protection measures and plans should include:
Physical protection
Key management
Restoration

24 CONFIGURING A CA

25 THE GENERAL TAB

26 THE POLICY MODULE TAB

27 THE EXIT MODULE TAB

28 THE EXTENSIONS TAB

29 THE STORAGE TAB

30 THE CERTIFICATE MANAGERS RESTRICTIONS TAB

31 THE AUDITING TAB

32 THE RECOVERY AGENTS TAB

33 THE SECURITY TAB

34 BACKING UP AND RESTORING A CA
The Certificate Services database is always open, making it difficult to back up. Special software can be used to back up the files, or the Certification Authority console can provide a backup feature. The backup CA function of the Certification Authority console causes the Certificate Services database to be momentarily closed while a copy of the database is made.

35 UNDERSTANDING CERTIFICATE ENROLLMENT AND RENEWAL
Auto-enrollment: The CA determines whether or not a certificate request is valid and issues or denies a certificate accordingly.
Manual enrollment: An administrator must monitor the CA for incoming requests and determine if a certificate should be issued on a request-by-request basis.

36 USING AUTO-ENROLLMENT

37 USING MANUAL ENROLLMENT
When using stand-alone CAs, the administrator must grant or deny requests for certificates. Incoming certificate enrollment requests appear in the Pending Requests folder. The administrator must check the folder on a regular basis.

38 MANUALLY REQUESTING CERTIFICATES
Applications can request certificates and receive them in the background. Alternatively, users can explicitly request certificates.

39 USING THE CERTIFICATES SNAP-IN

40 USING WEB ENROLLMENT

41 REVOKING CERTIFICATES

42 CHAPTER SUMMARY
Public key encryption uses two keys, a public key and a private key. Data encrypted with the public key can only be decrypted using the private key. Data encrypted using the private key can only be decrypted with the public key. A PKI is a collection of software components and operational policies that governs the distribution and use of public and private keys. Certificates are issued by a CA. You can run your own CA using Windows Server 2003 or obtain your certificates from a third-party commercial CA.

43 CHAPTER SUMMARY (continued)
The first step in planning a PKI is to review the security enhancements the certificates can provide and determine which of your organization’s security requirements you can satisfy with the certificates. When running multiple CAs in an enterprise, you configure them in a hierarchy. The configuration parameters of certificates themselves include the certificate type, the encryption algorithm and key length the certificates use, the certificate’s lifetime, and the renewal policies.

44 CHAPTER SUMMARY (continued)
Only enterprise CAs can use auto-enrollment, in which clients send certificate requests to a CA and the CA automatically issues or denies the certificate. For a client to receive certificates using auto-enrollment, it must have permission to use the certificate template for the type of certificate it is requesting.

45 CHAPTER SUMMARY (continued)
Stand-alone CAs do not use certificates or auto-enrollment. Certificate requests are stored in a queue on the CA until an administrator approves or denies them. CAs publish CRLs at regular intervals to inform authenticating computers of certificates they should no longer honor.
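
The signing, hash verification, CA hierarchy and CRL ideas from this chapter can be followed end to end in a short script. The Python below is an added example, not part of the original presentation and not how Windows Server 2003 Certificate Services is implemented. It assumes toy textbook RSA over SHA-256 with constructed keys (not secure), and every function name, certificate field and sample name in it is hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):  # toy textbook RSA from two primes, not secure
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    # Signing: apply the private exponent to the hash of the data.
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    # Verifying: the public exponent must recover the same hash.
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def _tbs(c):  # the certificate fields covered by the issuer's signature
    return "|".join(str(c[k]) for k in ("subject", "issuer", "serial", "n", "e")).encode()

def issue(ca_name, ca_key, subject, serial, subject_key):
    cert = {"subject": subject, "issuer": ca_name, "serial": serial,
            "n": subject_key["n"], "e": subject_key["e"]}
    cert["sig"] = sign(ca_key, _tbs(cert))
    return cert

def publish_crl(ca_name, ca_key, revoked):
    crl = {"issuer": ca_name, "revoked": sorted(revoked)}
    crl["sig"] = sign(ca_key, repr((ca_name, crl["revoked"])).encode())
    return crl

def validate(chain, trusted_root, crls):
    """chain = [end entity, ..., root]; crls maps a CA name to its signed CRL."""
    if (chain[-1]["n"], chain[-1]["e"]) != (trusted_root["n"], trusted_root["e"]):
        return "untrusted root"
    for cert, ca in zip(chain, chain[1:] + chain[-1:]):  # root is checked against itself
        if cert["issuer"] != ca["subject"] or not verify(ca, _tbs(cert), cert["sig"]):
            return "bad signature: " + cert["subject"]
        crl = crls.get(ca["subject"])
        if crl is None or not verify(ca, repr((crl["issuer"], crl["revoked"])).encode(), crl["sig"]):
            return "no valid CRL from " + ca["subject"]
        if cert["serial"] in crl["revoked"]:
            return "revoked: " + cert["subject"]
    return "valid"

# Constructed sample hierarchy (Mersenne primes as toy key material).
ROOT, ISSUING, USER = (make_key(2**a - 1, 2**b - 1) for a, b in ((61, 89), (107, 127), (521, 607)))
CHAIN = [issue("Issuing CA", ISSUING, "alice", 100, USER),
         issue("Root CA", ROOT, "Issuing CA", 2, ISSUING),
         issue("Root CA", ROOT, "Root CA", 1, ROOT)]
```

With empty CRLs from both CAs, validate(CHAIN, ROOT, crls) returns "valid"; once the issuing CA publishes a CRL listing serial 100, the same chain returns "revoked: alice".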

