Session 10 Tp 10


  1. Session 10: Implementing Certificate Services in a Windows 2003 Network
  2. Review
     - Computers in a network can be categorized as:
       - Server
       - Desktop workstation
       - Portable workstation
     - While selecting the operating system, consider the following:
       - Application compatibility
       - Support issues
       - Security features
       - Cost
  3. Review Contd…
     - File permissions serve as an important security tool on a network
     - The Windows registry is modified when different applications are installed
     - Group Policy Objects enable us to configure the security parameters
  4. Review Contd…
     - Active Directory permissions enable us to modify the permissions for accessing and managing objects in the Active Directory database
     - A domain controller requires more security, as the failure of a domain controller may be a disaster for the network
  5. Objectives
     - Explain the Public Key Infrastructure concepts
     - Implement Certificate Services
     - Use and manage certificates
     - Configure Active Directory for certificates
     - Troubleshoot Certificate Services
  6. Public Key Infrastructure
     - A collection of software components and operational policies
     - These policies govern the distribution and use of public and private keys, using digital certificates
     - In public key encryption, every user has two keys:
       - Public key
       - Private key
  7. Private Key Authentication
     - The private key is the means by which an identity is authenticated
     - Every private key has a corresponding public key
     - Any data encrypted using a private key can only be decrypted using the corresponding public key
     - Similarly, any data encrypted using a public key can only be decrypted using the corresponding private key
  8. Private Key Authentication Contd…
     - Private key encryption involves:
       - Plaintext: Text message to which an algorithm is applied
       - Encryption algorithm: Performs mathematical operations to conduct substitutions and transformations on the plaintext
       - Secret key: Dictates the outcome of the encrypted message
       - Ciphertext: Encrypted message produced by applying the algorithm to the plaintext using the secret key
       - Decryption algorithm: Uses the ciphertext and the secret key to derive the plaintext message
  9. Public Key Authentication
     - Uses the public key technique to authenticate and verify the authenticity of the sender
     - Digital signatures are used for this purpose
  10. Digital Certificate
     - Verifies the identity of a person or an organization by binding the public key to that person or organization
     - Includes:
       - Public key for a particular entity
       - Information about the entity
       - Information about the certification authority that issues the certificate
  11. Digital Certificate Contd…
     - Certificates are used for the following purposes:
       - Server authentication
       - Client authentication
       - Code signing
       - Secure e-mail
       - Encrypting File System (EFS)
       - IPSec
  12. Digital Certificate Contd…
     - Attributes of a digital certificate:
       - Version: Identifies the version of the X.509 standard used to format the certificate
       - Serial Number: Uniquely identifies the certificate; assigned by the CA
       - Signature algorithm identifier: Indicates the algorithm the CA uses to calculate the digital signature of the certificate
  13. Digital Certificate Contd…
       - Issuer Name: Indicates the name of the entity that issues the certificate
       - Validity period: Indicates the time period during which the certificate is valid
       - Subject name: Indicates the name of the entity to whom the certificate is issued
  14. Certificate Authority
     - The signature of the CA on a certificate ensures easy detection of any modifications made to its contents
     - Each CA decides:
       - The kind of information to be included in the certificates
       - The verification method for that information
  15. CA Hierarchy
     - The certificate issued to a subordinate CA enables it to issue certificates to other users
     - Subordinate CAs can also issue certificates to other CAs, authorizing them to issue certificates to other users
  16. Types of CA
     - Enterprise: the CA issues certificates only to users within the organization
     - Stand-alone: intended for situations in which users outside the enterprise submit requests for certificates
  17. Request Certificate
     - An entity can request a certificate using:
       - Certificate Request Wizard
       - Auto-Enrollment
       - Manual Enrollment
       - Windows Server 2003 Certificate Services Web pages
  18. Revoking Certificate
     - An administrator can revoke a certificate in certain situations, such as:
       - User leaves the organization
       - User loses a private key
       - Misuse of the certificate
     - Reasons for revocation include:
       - Unspecified
       - Key Compromise
       - CA Compromise
       - Affiliation Changed
       - Superseded
       - Certificate Hold
  19. CRL
     - Administrators can publish the CRL:
       - Manually
       - By automating the process
     - Published in %SystemRoot%\System32\CertSrv\CertEnroll
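As an added example (not from the slides), the check a relying party performs against a published CRL: it maps the revocation reasons of slide 18 to the CRLReason codes RFC 5280 assigns them, treats Certificate Hold as reversible, and treats a CRL past its next update as a failure rather than silently trusting it. The CRL, its issuer name and the serial numbers are constructed.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# CRLReason codes from RFC 5280 for the reasons listed on the slide
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           3: "affiliationChanged", 4: "superseded", 6: "certificateHold"}

# Constructed CRL (not a real one): the fields of a published CRL that the check needs
SAMPLE_CRL = {
    "issuer": "CN=Example Enterprise CA",  # placeholder name
    "this_update": datetime(2024, 5, 1, 8, 0, tzinfo=UTC),
    "next_update": datetime(2024, 5, 8, 8, 0, tzinfo=UTC),
    "revoked": {  # serial (hex, no leading zeros) -> (revocation time, CRLReason code)
        "1A2B3C": (datetime(2024, 4, 30, 12, 0, tzinfo=UTC), 1),  # user lost the private key
        "4D5E6F": (datetime(2024, 5, 1, 7, 30, tzinfo=UTC), 6),   # temporarily on hold
    },
}

def check_revocation(serial, crl, now=None):
    """Return 'good', 'on-hold', 'revoked:<reason>@<time>' or a CRL-freshness error.
    A CRL past its next_update is a hard failure: a relying party that keeps using a
    stale CRL keeps trusting keys the CA has already revoked."""
    now = now or datetime.now(UTC)
    if now < crl["this_update"]:
        return "crl-not-yet-valid"
    if now > crl["next_update"]:
        return "crl-stale"
    # Normalize the serial: case and leading zeros differ between tools
    entry = crl["revoked"].get(serial.upper().lstrip("0") or "0")
    if entry is None:
        return "good"
    revoked_at, reason = entry
    if reason == 6:
        return "on-hold"  # reversible: the CA may remove the hold in a later CRL
    return f"revoked:{REASONS.get(reason, f'code-{reason}')}@{revoked_at.isoformat()}"

if __name__ == "__main__":
    when = datetime(2024, 5, 2, 9, 0, tzinfo=UTC)
    for serial in ("ABCDEF", "1a2b3c", "004D5E6F"):
        print(serial, check_revocation(serial, SAMPLE_CRL, when))
    print("a year later:", check_revocation("ABCDEF", SAMPLE_CRL, when.replace(year=2025)))
```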
  20. Backup CA Data
     - Certificate Services data can be backed up using:
       - Windows 2000 Backup tool
       - Certification Authority console
     - The frequency of data backup is directly proportional to the number of certificates
  21. Import/Export Certificate
     - Certificates can be imported or exported in the following certificate file formats:
       - Base64 Encoded X.509
       - Cryptographic Message Syntax Standard (PKCS #7)
       - DER Encoded Binary X.509
       - Personal Information Exchange (PKCS #12)
  22. Active Directory for Certificates
     - Windows-based directory service
     - Enables network users to access resources anywhere on the network using a single logon process
     - External users need to be authenticated but do not have an account in Active Directory
  23. Summary
     - Public Key Infrastructure is a collection of software components and operational policies
     - The private key is the means by which an identity is authenticated
     - Public keys provide an identification service and private keys provide an authentication service
  24. Summary Contd…
     - Public Key Authentication uses the public key technique to authenticate and verify the authenticity of the sender
     - Digital signatures are the electronic equivalent of the hand-written signature
     - The signature of the CA on a certificate ensures easy detection of any modifications made to its contents
  25. Summary Contd…
     - Two types of Windows Server 2003 CA:
       - Enterprise
       - Stand-alone
     - Active Directory is a Windows-based directory service