Slide 1: The Windows NT® 5.0 Public Key Infrastructure
Charlie Chase, Program Manager, Windows NT Security, Microsoft Corporation
Slide 2: Public Key Enables...
- Secure Intranet
  - Certificate enrollment
  - Smart card logon
  - Signed objects
- Secure Remote Access
  - Strong authentication
  - Virtual Private Networks (VPN)
  - Data protection
  - Secure e-mail (S/MIME)
Slide 3: Leveraging the Windows NT 5.0 PKI
- Deploy Windows NT 5.0 Certificate Services
  - Certification Authorities
  - Certificate enrollment and policy
- Strong authentication
  - Smart card logon (Kerberos, EAP/TLS)
- Data protection
  - File system, transport layer
- Code sign using Authenticode
  - Win32® controls, CABs, catalog files
Slide 4: Public Key Infrastructure
[diagram; labels: Active Directory, Certificate Services, Clients (smart card reader, SC cert), Application Services]
Slide 5: PKI Trust Relationships
[diagram; labels: Forest of Domains, Enterprise Root CA, Enterprise Sub CA, Enterprise Root CA, Two-way Trust, Standalone Domain, Standalone CA, One Way Trust]
Slide 6: Secure Intranet Application
[diagram; labels: Client (smart card reader, SC cert), Secure Web Server, Certification Authority, Active Directory, HTTP with SSL/TLS, Certificate Enrollment, Certificate Mapping]
Slide 7: Certificate Enrollment
[diagram; labels: Client (smart card reader, SC cert), Root CA, Subordinate CA, Active Directory, Certificate Request and Installation, Publish Certificate]
Slide 8: Microsoft Certificate Enrollment Control
- Signed ActiveX® control
- Scriptable interface using HTML and Visual Basic® Script or JavaScript
  - Certificate Services SDK on MSDN
- Built on PKCS#7 and PKCS#10 standard messaging formats
- Installs certificate into system store for use by all applications
  - Supports smart cards
Slide 9: Code Sample: Certificate Enrollment Control
- Client
  - Set certificate values, extensions
  - Call createPKCS10() method
  - Submit request to server
  - Call acceptPKCS7() method
- Server
  - Process PKCS#10 message
  - Return PKCS#7 message
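The client-side steps above (set certificate values and extensions, then create the PKCS#10), as an added example that is not part of the deck and does not use the ActiveX enrollment control: it uses the .NET CertificateRequest class from PowerShell (Windows PowerShell 5.1 on .NET 4.7.2 or later, or PowerShell 7 on Windows). The subject, UPN, file name and CA name are constructed placeholders; the smart card logon and client authentication EKU OIDs are the standard ones.

```powershell
# Added example (not from the deck): build a PKCS#10 enrollment request with the
# values and extensions a smart card logon certificate needs, then write it out
# for submission to the CA. Requires Windows PowerShell 5.1 (.NET 4.7.2+) or PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-EnrollmentRequest {
    param(
        [string] $Subject = 'CN=Constructed User,OU=Example',   # constructed sample value
        [string] $Upn     = 'constructed.user@example.test'     # constructed sample value
    )
    # The key pair stays with the requester; only the public key and the
    # requested extensions go into the PKCS#10.
    $rsa = [RSACryptoServiceProvider]::new(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    # "Set certificate values, extensions": key usage, EKUs and the UPN the
    # domain controller will use to map the certificate to a user account.
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
        ([X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment), $true))
    $eku = [OidCollection]::new()
    [void] $eku.Add([Oid]::new('1.3.6.1.5.5.7.3.2'))        # id-kp-clientAuth
    [void] $eku.Add([Oid]::new('1.3.6.1.4.1.311.20.2.2'))   # Microsoft Smart Card Logon
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($eku, $false))
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddUserPrincipalName($Upn)
    $req.CertificateExtensions.Add($san.Build($false))

    # "Call createPKCS10()": a DER-encoded request, self-signed with the new key
    # as proof of possession, wrapped as PEM for submission.
    $der = $req.CreateSigningRequest()
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    [pscustomobject]@{
        PrivateKey = $rsa    # keep it: the issued certificate is installed against this key
        Pkcs10Pem  = "-----BEGIN CERTIFICATE REQUEST-----`n$b64`n-----END CERTIFICATE REQUEST-----"
    }
}

# Usage: write the request, then submit it to the CA (CAHOST\CAName is a placeholder).
$enrollment = New-EnrollmentRequest
Set-Content -Path .\constructed-request.csr -Value $enrollment.Pkcs10Pem -Encoding ascii
# certreq.exe -submit -config "CAHOST\CAName" .\constructed-request.csr
```

The extensions are where enrollment policy bites: a CA that issues whatever the request asks for turns a client-supplied UPN into an account mapping, so the CA template, not the requester, should decide which of these values are honoured.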
Slide 10: Certificate Storage Model
[diagram; labels: CryptoAPI, Logical Store Layer (My, User DS, CA, Root, Trust), Physical Store Layer (Smart Card CSP, Default Store Provider, LDAP), Smart Card Services]
Slide 11: SSL Protection Using SSPI
- Server
  - Open server certificate context handle
  - AcceptSecurityContext() until handshake completes
  - EncryptMessage(), DecryptMessage()
- Client
  - Open client certificate context handle
  - InitializeSecurityContext() until handshake completes
  - DecryptMessage(), EncryptMessage()
Slide 12: Certificate Verification
[diagram; labels: End-entity Cert, Issuing CA Cert, Root CA Cert]
- Build certificate chain
  - CertGetCertificateChain()
- Apply policy to the chain
  - CertVerifyCertificateChainPolicy()
- Make trust decision based on status
Slide 13: Code Sample

```c
#include <windows.h>
#include <wincrypt.h>

PCCERT_CONTEXT       pCertContext;          // certificate to verify (obtained earlier)
CERT_CHAIN_PARA      ChainPara;
PCCERT_CHAIN_CONTEXT pChainContext = NULL;  // receives the built chain
BOOL                 fResult;
...
memset(&ChainPara, 0, sizeof(ChainPara));
ChainPara.cbSize = sizeof(ChainPara);       // no usage restrictions: base chain only

fResult = CertGetCertificateChain(
    HCCE_CURRENT_USER,   // chain engine
    pCertContext,        // certificate context
    NULL,                // current system time
    NULL,                // additional store
    &ChainPara,          // parameters to use
    0,                   // processing flags
    NULL,                // reserved
    &pChainContext);     // context to built chain
// Release with CertFreeCertificateChain(pChainContext) when done.
```
Slide 14: Code Sample

```c
PCCERT_CHAIN_CONTEXT     pChainContext;   // built by CertGetCertificateChain()
CERT_CHAIN_POLICY_PARA   PolicyPara;
CERT_CHAIN_POLICY_STATUS PolicyStatus;
BOOL                     fResult;
...
memset(&PolicyPara, 0, sizeof(PolicyPara));
PolicyPara.cbSize = sizeof(PolicyPara);
memset(&PolicyStatus, 0, sizeof(PolicyStatus));
PolicyStatus.cbSize = sizeof(PolicyStatus);

fResult = CertVerifyCertificateChainPolicy(
    CERT_CHAIN_POLICY_BASE,   // policy to use
    pChainContext,            // chain context
    &PolicyPara,              // additional checks
    &PolicyStatus);           // chain status
// fResult only reports that the policy could be evaluated. The trust
// decision is PolicyStatus.dwError: 0 means the chain passed the policy,
// anything else (untrusted root, expired, revoked, ...) means reject.
...
```
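The three verification steps of slides 12 to 14 (build the chain, apply the base policy, decide from the status), as an added example that is not part of the deck: it goes through the .NET X509Chain class, which wraps CertGetCertificateChain and CertVerifyCertificateChainPolicy, from Windows PowerShell 5.1 (.NET 4.7.2 or later) or PowerShell 7 on Windows. The certificates under test are constructed self-signed leaves created in memory; nothing is installed into any store.

```powershell
# Added example (not from the deck): chain building, policy check and trust decision
# with X509Chain, the .NET wrapper over the CryptoAPI calls shown on slides 13 and 14.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-ConstructedTestCertificate {
    param([int] $NotBeforeOffsetDays = -1, [int] $NotAfterOffsetDays = 1)
    # Constructed input: self-signed and in memory only, so no store trusts its root.
    $rsa = [RSACryptoServiceProvider]::new(2048)
    $req = [CertificateRequest]::new('CN=constructed-test-leaf', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::UtcNow
    $cert = $req.CreateSelfSigned($now.AddDays($NotBeforeOffsetDays), $now.AddDays($NotAfterOffsetDays))
    $rsa.Dispose()
    # Reload the public part only: chain building needs no private key.
    [X509Certificate2]::new($cert.Export([X509ContentType]::Cert))
}

function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [X509VerificationFlags] $VerificationFlags = [X509VerificationFlags]::NoFlag
    )
    $chain = [X509Chain]::new()
    try {
        # Chain and policy parameters (CERT_CHAIN_PARA / CERT_CHAIN_POLICY_PARA on the slides).
        # NoCheck keeps this example offline; production verification should use Online.
        $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = $VerificationFlags

        # Build() performs both slide steps: it builds the chain up to a root in the
        # Trusted Root store and applies the base policy. Its return value is the verdict.
        $trusted = $chain.Build($Certificate)

        # Decide from the status, not from the fact that a chain came back: a chain is
        # returned for an untrusted or expired certificate too.
        $status = foreach ($s in $chain.ChainStatus) { $s.Status.ToString() }
        [pscustomobject]@{
            Subject     = $Certificate.Subject
            Trusted     = $trusted
            ChainLength = $chain.ChainElements.Count
            Status      = if ($status) { $status -join ', ' } else { 'NoError' }
        }
    }
    finally { $chain.Dispose() }
}

# Usage
$leaf = New-ConstructedTestCertificate
Test-CertificateTrust -Certificate $leaf

# A second constructed leaf that is already expired: the time error is reported
# alongside the untrusted root.
Test-CertificateTrust -Certificate (New-ConstructedTestCertificate -NotBeforeOffsetDays -3 -NotAfterOffsetDays -1)

# Verification flags remove specific errors from the policy verdict while ChainStatus
# still lists them; they belong in test harnesses, never in a production trust decision.
Test-CertificateTrust -Certificate $leaf -VerificationFlags AllowUnknownCertificateAuthority
```

The first call fails because the self-signed root is not in the Trusted Root store, which is exactly the verdict slide 14's PolicyStatus.dwError carries; the last call succeeds only because the flag suppresses that error, which is why flags that map to the policy's "allow" bits should be treated as a finding in code review.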
Slide 15: Smart Card Logon
[diagram; labels: Client (smart card reader, SC cert), Key Distribution Center (KDC), Active Directory, Logon request using Public Key, Verification and NT user account lookup, Kerberos Ticket Granting Ticket (TGT)]
Slide 16: Code Signing Process
- Enroll for Code Signing certificate
  - VeriSign or internal CA
- Sign your objects
  - Use signcode.exe for executables
    - Internet Client SDK
  - Use makecat.exe for all other types
    - Windows NT 5.0 SDK
- Publish
Slide 17: Authenticode
- Individual objects
  - Most flexible, highest overhead
- Archives (CABs, self-extracting exes)
  - Efficient for multiple, related objects
  - Signature bound to container
- Manifests (catalog files)
  - Efficient for large collections
  - Useful for signing different file types
  - New for Windows® 98 and Windows NT 5.0
Slide 18: Secure Remote Access
- Strong authentication
- Virtual Private Networks (VPN)
- Data protection
- Secure email (S/MIME)
Slide 19: Remote Access Application
[diagram; labels: Client (smart card reader, SC cert), Internet, Remote Access Server, Active Directory, EAP/TLS Logon, PPTP, IPSEC, LDAP with SSL/TLS]
Slide 20: Strong Authentication for Dial-up Networking
- Public key certificate accepted by Remote Access Server (RAS)
  - User certificate store
  - Smart card
- Transport Layer Security (TLS)
  - Authentication protocol for PPTP
- Extensible Authentication Protocol (EAP)
Slide 21: Virtual Private Networks
- Client passes user certificate to server to authenticate connection
  - Supports EAP/TLS and smart card
- Data encrypted between connection points
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer Two Tunneling Protocol (L2TP)
  - IP Security Protocol (IPSec)
Slide 22: S/MIME Secure Email
[diagram; labels: Client (smart card reader, SC cert), Outlook 98, Outlook™ Express, Exchange 5.5 SP1, Active Directory, Internet, Retrieve user's certificate (LDAP)]
Slide 23: Signing Messages
- Get handle to default provider
- Get context to signing certificate
- Include other certificates (optional)
- Set algorithm info
  - CRYPT_ALGORITHM_IDENTIFIER
- Set signature info
  - CRYPT_SIGN_MESSAGE_PARA
- Call CryptSignMessage()
Slide 24: Code Sample

```c
CRYPT_SIGN_MESSAGE_PARA SigParams;
const BYTE *MessageArray[1];          // message(s) to sign
DWORD       MessageSizeArray[1];      // size of each message
DWORD       cbSignedMessageBlob = 0;  // receives required buffer size
...
memset(&SigParams, 0, sizeof(SigParams));
SigParams.cbSize = sizeof(SigParams);
// pSigningCert, HashAlgorithm and dwMsgEncodingType are filled in as on slide 23.

CryptSignMessage(
    &SigParams,              // signature parameters
    FALSE,                   // signature not detached
    1,                       // number of messages
    MessageArray,            // message(s)
    MessageSizeArray,        // size of message(s)
    NULL,                    // NULL: get buffer size only
    &cbSignedMessageBlob);   // size of buffer
// Allocate cbSignedMessageBlob bytes, then call again with the buffer in
// place of NULL to receive the PKCS#7 signed message.
```
Slide 25: Verifying Signed Messages
- Get handle to default provider
- Set signature info
  - CRYPT_VERIFY_MESSAGE_PARA
  - Callback function to get signing certificate from system store
- Call CryptVerifyMessageSignature()
Slide 26: Code Sample

```c
CRYPT_VERIFY_MESSAGE_PARA VerifyParams;
BOOL                      fResult;
...
memset(&VerifyParams, 0, sizeof(VerifyParams));
VerifyParams.cbSize                 = sizeof(VerifyParams);
VerifyParams.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
VerifyParams.hCryptProv             = 0;     // 0: default provider (slide 25)
// pfnGetSignerCertificate: the callback from slide 25; NULL uses the default
// callback, which takes the signer certificate carried in the message itself.

fResult = CryptVerifyMessageSignature(
    &VerifyParams,          // verification parameters
    0,                      // signer index
    pbSignedMessageBlob,    // signed blob
    cbSignedMessageBlob,    // size of signed blob
    NULL,                   // decoded msg buffer
    NULL,                   // buffer size
    NULL);                  // pointer to signer cert
// A TRUE result means the signature matches the signer certificate. Whether
// that certificate is trusted is a separate chain check (slides 12 to 14).
```
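The CryptSignMessage / CryptVerifyMessageSignature sequence of slides 23 to 26, as an added example that is not part of the deck: it uses the .NET SignedCms class, which produces and consumes the same PKCS#7 signed-message format, from Windows PowerShell 5.1 (.NET 4.7.2 or later) or PowerShell 7 on Windows, and then shows what verification reports once one byte of the attached content has been altered. The signer certificate, PFX password and message are constructed; the SHA-256 digest OID is the standard one.

```powershell
# Added example (not from the deck): sign a message into an attached PKCS#7 blob,
# verify it, then verify a tampered copy. The byte-search helper is our own.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.Pkcs
using namespace System.Security.Cryptography.X509Certificates

# SignedCms lives in different assemblies on the two PowerShell generations.
if ($PSVersionTable.PSVersion.Major -ge 6) { Add-Type -AssemblyName System.Security.Cryptography.Pkcs }
else                                        { Add-Type -AssemblyName System.Security }

function New-ConstructedSigningCertificate {
    # Constructed input: a self-signed signing certificate, created in memory, never installed.
    $rsa = [RSACryptoServiceProvider]::new(2048)
    $req = [CertificateRequest]::new('CN=constructed-smime-signer', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
    $now = [DateTimeOffset]::UtcNow
    $ephemeral = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(1))
    # Round-trip through PFX so the private key sits in a key container: the CAPI-backed
    # CMS code in Windows PowerShell 5.1 cannot sign with a key that exists only in memory.
    [X509Certificate2]::new($ephemeral.Export([X509ContentType]::Pfx, 'constructed-pass'),
        'constructed-pass', [X509KeyStorageFlags]::Exportable)
}

function Protect-SignedMessage {
    param([byte[]] $Message, [X509Certificate2] $SigningCert)
    # Slide 23: signing certificate, algorithm info, signature info, then sign.
    $cms    = [SignedCms]::new([ContentInfo]::new($Message), $false)   # $false: attached, as on slide 24
    $signer = [CmsSigner]::new($SigningCert)
    $signer.DigestAlgorithm = [Oid]::new('2.16.840.1.101.3.4.2.1')     # SHA-256
    $signer.IncludeOption   = [X509IncludeOption]::EndCertOnly         # "include other certificates"
    $cms.ComputeSignature($signer)
    return ,$cms.Encode()   # leading comma keeps the byte[] from being unrolled
}

function Test-SignedMessage {
    param([byte[]] $SignedBlob)
    # Slides 25 and 26: decode the blob and check the signature against the
    # certificate carried inside it.
    $cms = [SignedCms]::new()
    $cms.Decode($SignedBlob)
    try   { $cms.CheckSignature($true); $valid = $true }   # $true: signature only; chain trust is a separate check
    catch { $valid = $false }
    [pscustomobject]@{
        SignatureValid = $valid
        Signer         = $cms.SignerInfos[0].Certificate.Subject
        Content        = [Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)
    }
}

function Find-ByteSequence {
    param([byte[]] $Haystack, [byte[]] $Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $i }
    }
    return -1
}

# Usage
$signer  = New-ConstructedSigningCertificate
$message = [Text.Encoding]::UTF8.GetBytes('Constructed message: transfer approved')   # constructed
$blob    = Protect-SignedMessage -Message $message -SigningCert $signer
Test-SignedMessage -SignedBlob $blob

# Attached content sits in clear inside the PKCS#7 blob; flipping one bit of it leaves the
# ASN.1 structure intact, so Decode() succeeds and only the signature check fails.
$tampered = [byte[]]$blob.Clone()
$offset   = Find-ByteSequence -Haystack $tampered -Needle $message
$tampered[$offset] = $tampered[$offset] -bxor 1
Test-SignedMessage -SignedBlob $tampered
```

CheckSignature($true) answers the same question as CryptVerifyMessageSignature on slide 26: does the signature match the certificate in the message. It says nothing about whether that certificate is trusted, so a receiver must still run the chain verification of slides 12 to 14 on the signer certificate before acting on the content.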
Slide 27: Developer Tools
- Windows Platform SDK, Base Services
  - Cryptographic Service Providers
  - CryptoAPI 2.0
  - Certificate Server
  - Smart Card
  - Security
- Visual Studio™
Slide 28: Summary
- Secure Intranet
  - Client and server certificates
  - Smart card logon
  - Code signing
- Secure Remote Access
  - Certificates for dial-up networking
  - Secure e-mail using S/MIME
  - Transport level security
Slide 29: Call to Action
- Leverage the Windows NT 5.0 Public Key Infrastructure to secure your applications
- Use CryptoAPI to add encryption and signed messaging to your applications
- Use SSPI to add channel data protection to your applications
- Use Authenticode to sign your code
Slide 30: Resources
- Windows Platform: http://www.Microsoft.com/windows/
- Windows NT® Server: http://www.Microsoft.com/ntserver/
- Security Advisor: http://www.Microsoft.com/security/
- Developer Information and Tools: http://www.Microsoft.com/msdn/