Implement powerful and flexible security
The explosive growth of the Internet, e-commerce, and data communications challenges fundamental network security technologies. When a company lacks an adequate security infrastructure, intruders can enter its corporate network and steal or tamper with sensitive business information. To protect your business, you must apply cryptographic technologies in your network. Public key cryptography, digital certificates, Certificate Authorities (CAs), and the security policies that govern public keys are known collectively as public key infrastructure (PKI). Microsoft has built a comprehensive PKI into Windows NT 4.0 and Windows 2000 (Win2K--formerly NT 5.0) that can compete with third-party solutions in the Windows environment. In particular, PKI in Win2K lets you establish and customize a comprehensive PKI for your enterprise. In this article, I'll take you on a tour of most of the components that make up Microsoft's PKI. Although I will point out PKI components in NT 4.0, I'll focus my discussion on PKI in Win2K.
PKI Basics
Public key cryptography uses a pair of mathematically related keys--a public key and a private key--to provide a high level of security in private intranets and on the public Internet. Users keep their private key private--for example, by storing it in a protected key store on their local computer or on a smartcard. Users publish their public key--for example, by listing it in their company's directory. You use a person's public key to encrypt a message to that person or to verify that person's digital signature; only the matching private key can decrypt that message, and only it can produce that signature. You use your own private key to decrypt messages that others encrypt with your public key and to sign messages you send. CAs certify public keys with digital certificates, and they manage complicated key and certificate transactions (e.g., key backup and recovery; certificate storage; and key publishing, retrieval, renewal, and revocation). To learn more about CAs, the services they provide, and digital certificates, see "You Can Be a Web Certification Authority," October 1997.
Although digital certificates provide the means to validate public keys, companies still need to define policies governing how to use certificates and public keys. For example, if a company uses public key encryption to exchange secure email messages with its business partners, the company needs to define whether its users must encrypt messages, digitally sign messages, or do both. The company also needs to define how to establish trust relationships between its CA and its partners' CAs. Microsoft's PKI gives your company the means to define and implement effective certificate and public key policy, and it lets you establish a variety of trust relationships between CAs.
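The following added example (not code from the article or from Microsoft's CryptoAPI) walks through the two preceding sections in runnable form: a key pair encrypts and decrypts, signs and verifies; a CA certifies a public key by signing it together with the subject name; and a relying party accepts a certificate only if its issuer is in a configured list of trusted CAs, which is the policy decision the text describes for partner CAs. It uses textbook RSA with small keys and no padding, generated from a seeded random source, so it is an illustration of the mechanics and not usable cryptography; the names (Corp Root CA, Partner CA, the example addresses) are made up.

```python
"""Toy PKI: key pairs, encrypt/decrypt, sign/verify and a certifying CA.
Textbook RSA with no padding, for illustration only; constructed example,
not code from the article or from Microsoft's CryptoAPI."""
import hashlib
import random

def _is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:  # odd candidate with the top bit set, so p*q has 2*bits bits
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, rng=None):
    """Return ((n, e), (n, d)): public key, private key (Python 3.8+ for pow(e, -1, phi))."""
    rng, e = rng or random.Random(), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(public_key, message):
    """Encrypt bytes with the recipient's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (no padding in this toy)")
    return pow(m, e, n)

def decrypt(private_key, ciphertext):
    """Recover bytes with the recipient's PRIVATE key."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private_key, data):
    """Sign SHA-256(data) with the signer's PRIVATE key (the 256-bit hash is < n)."""
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public_key, data, signature):
    """Check a signature with the signer's PUBLIC key."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _tbs(subject, public_key, issuer):
    """Canonical to-be-signed bytes, a stand-in for X.509's TBSCertificate."""
    return f"{subject}|{issuer}|{public_key[0]:x}|{public_key[1]:x}".encode()

def issue_certificate(ca_name, ca_private_key, subject, subject_public_key):
    """The CA certifies a public key by signing it together with the subject name."""
    sig = sign(ca_private_key, _tbs(subject, subject_public_key, ca_name))
    return {"subject": subject, "issuer": ca_name, "public_key": subject_public_key, "signature": sig}

def validate_certificate(cert, trusted_cas):
    """Accept only if the issuer is a configured trust anchor and its signature holds."""
    ca_key = trusted_cas.get(cert["issuer"])
    return ca_key is not None and verify(
        ca_key, _tbs(cert["subject"], cert["public_key"], cert["issuer"]), cert["signature"])

def demo(seed=2000):
    """Alice's cert from the corporate CA, Bob as relying party; returns the checks."""
    rng = random.Random(seed)
    ca_pub, ca_priv = generate_keypair(512, rng)
    partner_pub, partner_priv = generate_keypair(512, rng)
    alice_pub, alice_priv = generate_keypair(512, rng)
    carol_pub = generate_keypair(512, rng)[0]
    trusted = {"Corp Root CA": ca_pub}  # Bob's trust policy: one anchor to start with
    cert = issue_certificate("Corp Root CA", ca_priv, "alice@example.com", alice_pub)
    tampered = dict(cert, subject="mallory@example.com")  # name swapped after issuance
    carol_cert = issue_certificate("Partner CA", partner_priv, "carol@partner.example", carol_pub)
    msg = b"Q3 numbers attached"
    sig = sign(alice_priv, msg)
    results = {
        "cert_ok": validate_certificate(cert, trusted),
        "tampered_cert_ok": validate_certificate(tampered, trusted),
        "sig_ok": verify(cert["public_key"], msg, sig),
        "altered_msg_ok": verify(cert["public_key"], msg + b"!", sig),
        "decrypted": decrypt(alice_priv, encrypt(cert["public_key"], b"top secret")),
        "partner_cert_before_trust": validate_certificate(carol_cert, trusted),
    }
    trusted["Partner CA"] = partner_pub  # policy decision: establish trust in the partner's CA
    results["partner_cert_after_trust"] = validate_certificate(carol_cert, trusted)
    return results

if __name__ == "__main__":
    print(demo())
```

Two points the walk-through makes that the prose only states: a certificate whose subject name is altered after issuance fails validation because the CA's signature covers the name and the key together, and a perfectly valid certificate from the partner's CA is rejected until the relying party's policy explicitly adds that CA as a trust anchor. A real deployment replaces the toy RSA with padded RSA or ECDSA, encodes certificates as X.509, and adds validity periods and revocation checks, which this sketch omits.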
Microsoft PKI Components
The foundation of Microsoft's PKI is its cryptographic API--CryptoAPI 2.0. This API provides a cryptographic service and a certificate management service for public key security. CryptoAPI's cryptographic service performs functions such as key generation, message hashing, digital signing, and encryption. The certificate management service provides X.509v3 digital certificate management and storage. PKI in Win2K comprises various components built on this foundation: Cryptographic Service Providers (CSPs), Certificate Server, smartcard service, a secure channel, Authenticode, Encrypting File System (EFS), Microsoft Exchange Server Key Management (KM) Server, and PKI applications. Figure 1 shows the components and architecture of Win2K's PKI.
Win2K has a modular PKI architecture, which lets administrators upgrade, integrate, extend, and develop their enterprise's PKI without changing the underlying OS. For example, Exchange Server 5.5 originally used only its KM Server to issue and manage Exchange Server client certificates. Starting with Service Pack 1 (SP1) for Exchange Server 5.5, Exchange Server uses Certificate Server, rather than Exchange Server KM Server, to issue and manage Exchange Server client certificates. (To learn more about Exchange Server KM Server, see Tony Redmond, "Maintaining Secure Exchange Servers," October 1997.)
Developers can build PKI-enabled applications based on Microsoft-provided PKI components and CryptoAPI. For example, you can employ CryptoAPI and digital certificates to encrypt and authenticate messages in Microsoft Message Queue Server (MSMQ) applications. You can also selectively use Microsoft PKI components according to your business needs. For example, if your company requires a secure Web site, you can use Certificate Server and the secure channel function built into Internet Information Server (IIS) and Internet Explorer (IE).
Let's take a closer look now at some of Win2K's PKI components. I'll describe CSPs; Certificate Server, its Certificate Manager and Certificate Server Manager tools, and the certificate policies it generates; smartcard service; the secure channel function; Authenticode; and EFS.
John Dsane Andersen June 29, 2000