Session 10 Implementing Certificate Services in a Windows 2003 Network
Review
- Computers in a network can be categorized as:
  - Server
  - Desktop workstation
  - Portable workstation
- While selecting the operating system, consider the following:
  - Application compatibility
  - Support issues
  - Security features
  - Cost
Review Contd…
- File permissions serve as an important security tool on a network
- The Windows registry gets modified when we install different applications
- Group Policy Objects enable us to configure the security parameters
Review Contd…
- Active Directory permissions enable us to modify the permissions for accessing and managing objects in the Active Directory database
- A domain controller requires more security, as the failure of a domain controller may be a disaster for the network
Objectives
- Explain the Public Key Infrastructure concepts
- Implement Certificate Services
- Use and manage Certificates
- Configure Active Directory for Certificates
- Troubleshoot Certificate Services
Public Key Infrastructure
- Collection of software components and operational policies
- These policies govern the distribution and use of public and private keys, using digital certificates
- In public key encryption, every user has two keys:
  - Public Key
  - Private Key
Private Key Authentication
- The private key enables us to authenticate the identity of its holder
- Every private key has a corresponding public key
- Any data that has been encrypted using a private key can only be decrypted using the corresponding public key
- Similarly, any data that has been encrypted using a public key can only be decrypted using the corresponding private key
Private Key Authentication Contd…
- Private key encryption involves:
  - Plaintext: Text message to which an algorithm is applied
  - Encryption Algorithm: Performs mathematical operations to conduct substitutions and transformations on the plaintext
  - Secret Key: Dictates the outcome of the encrypted message
  - Ciphertext: Encrypted message produced by applying the algorithm to the plaintext message using the secret key
  - Decryption Algorithm: Uses the ciphertext and the secret key to derive the plaintext message
Public Key Authentication
- Uses the public key technique to authenticate and verify the authenticity of the sender
- Digital Signatures are used for this purpose
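To make the key relationship on the two slides above concrete, here is an added example in Go using only the standard library; it is not part of the original session material and not Windows 2003 Certificate Services code. It shows both directions the slides describe: applying the private key to a message and checking the result with the public key (this is the digital signature used for public key authentication), and encrypting with a public key so that only the holder of the matching private key can decrypt. The identities alice and bob and the message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair generates an RSA key pair. The private half stays with its owner;
// the public half is what a certificate later binds to that owner's identity.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is the slide's "encrypt with the private key": it hashes msg and produces a
// signature that only the holder of priv could have produced.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is the matching "decrypt with the public key": it succeeds only with the
// public key that corresponds to the signing private key, and only if msg is unchanged.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Seal encrypts with the recipient's public key; only the holder of the private key can read it.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts with the private key; any other private key yields an error, not garbage.
func Open(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	alice, _ := NewKeyPair() // constructed example identities
	bob, _ := NewKeyPair()
	msg := []byte("approve purchase order 4711") // constructed sample message
	sig, _ := Sign(alice, msg)
	fmt.Println("Alice's signature checks with Alice's public key:", Verify(&alice.PublicKey, msg, sig))
	fmt.Println("...with Bob's public key:", Verify(&bob.PublicKey, msg, sig))
	fmt.Println("...after the message is altered:", Verify(&alice.PublicKey, []byte("approve purchase order 4712"), sig))
	ct, _ := Seal(&bob.PublicKey, msg)
	pt, err := Open(bob, ct)
	fmt.Printf("Bob reads %q (err=%v)\n", pt, err)
	_, err = Open(alice, ct)
	fmt.Println("Alice cannot decrypt Bob's mail:", err != nil)
}
```

The point to take from the three Verify calls is that a signature is tied to both a specific public key and specific message bytes; this is what lets a certificate's recipient detect a changed message, and it is the same mechanism a CA relies on when it signs a certificate.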
Digital Certificate
- Verifies the identity of a person or an organization by binding the public key of that person or organization to their identity
- Includes:
  - Public key for a particular entity
  - Information about the entity
  - Information about the certification authority that issues the certificate
Digital Certificate Contd…
- Certificates are used for the following purposes:
  - Server authentication
  - Client authentication
  - Code signing
  - Secure e-mail
  - Encrypting File System
  - IPSec
Digital Certificate Contd…
- Attributes of a digital certificate are as listed in the table:

  Attribute                        Description
  Version                          Identifies the version number of the X.509 standard used to format the certificate
  Serial Number                    Uniquely identifies the certificate; assigned by the CA
  Signature algorithm identifier   Indicates the algorithm that the CA uses to calculate the digital signature of the certificate
  Issuer Name                      Indicates the name of the entity that issues the certificate
  Validity period                  Indicates the time period during which the certificate is valid
  Subject name                     Indicates the name of the entity for whom the certificate is issued
Certificate Authority
- The signature of the CA on a certificate ensures easy detection of any modifications made to its contents
- Each CA decides:
  - The kind of information to be included in the certificates
  - The verification method for the information
CA Hierarchy
- A certificate issued to a subordinate CA enables it to issue certificates to other users
- Subordinate CAs can also issue certificates to other CAs, authorizing them to issue certificates to other users
Types of CA
- Enterprise: Enables the CA to issue certificates only for users within the organization
- Stand-alone: Intended for situations in which users outside the enterprise submit requests for certificates
Request Certificate
- An entity can request a certificate using:
  - Certificate Request Wizard
  - Auto-Enrollment
  - Manual Enrollment
  - Windows Server 2003 Certificate Services Web pages
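Of the four enrollment paths on the slide, manual enrollment is the one where an administrator sees the request itself: the requester hands the CA a PKCS #10 certificate request. The following is an added example, written for this edit in Go with the standard library; it is not from the original session and not Windows Certificate Services code. It generates the requester's key pair, builds and PEM-encodes a request, and then performs the two checks a CA should make before issuing anything: that the request's proof-of-possession signature verifies (the requester really holds the private key for the public key being certified) and that every requested name lies inside the namespace this CA is allowed to certify, which is the policy an enterprise CA applies when it issues only for users within the organization. The host name web01.example.test and the .example.test namespace are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// NewRequest is the requester's side of manual enrollment: generate a key pair locally and
// build a PEM-encoded PKCS #10 request carrying the public key and the requested names,
// signed with the private key as proof of possession. The private key never leaves the requester.
func NewRequest(cn string, dnsNames []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// ReviewRequest is the CA side: decode the request, confirm the proof-of-possession signature,
// and refuse any name outside the namespace this CA is allowed to certify before issuing.
func ReviewRequest(pemCSR []byte, allowedSuffix string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	for _, name := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !strings.HasSuffix(name, allowedSuffix) {
			return nil, fmt.Errorf("refusing %q: outside the %s namespace", name, allowedSuffix)
		}
	}
	return csr, nil
}

func main() {
	// Constructed example: a web server in the example.test namespace enrolls.
	csrPEM, _, err := NewRequest("web01.example.test", []string{"web01.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	csr, err := ReviewRequest(csrPEM, ".example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted subject=%q sans=%v\n", csr.Subject.CommonName, csr.DNSNames)
	// A request that asks for a name the CA does not own must be refused, not issued.
	outside, _, _ := NewRequest("web01.example.test", []string{"login.other.test"})
	_, err = ReviewRequest(outside, ".example.test")
	fmt.Println("request for a name outside the namespace:", err)
}
```

The namespace check is deliberately applied to the subject name and every DNS name together; reviewing only the common name would let a request smuggle an outside name in through the subject alternative name list.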
Revoking Certificate
- An administrator can revoke a certificate in certain situations, such as:
  - User leaves the organization
  - User loses a private key
  - Misuse of a certificate
- Reasons for revocation include:
  - Unspecified
  - Key Compromise
  - CA Compromise
  - Affiliation Changed
  - Superseded
  - Certificate Hold
CRL
- Administrators can publish the CRL:
  - Manually
  - By automating the process
- Published in systemroot\system32\CertSrv\CertEnroll
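The following added example pulls together the Digital Certificate, Certificate Authority, CA Hierarchy, Revoking Certificate and CRL slides in one runnable piece. It was written for this edit in Go with the standard library; it is not part of the original session and not Windows 2003 Certificate Services code, which stores and publishes these objects its own way. It builds a constructed root CA, subordinate CA and server certificate (all names and serial numbers are made up), reads the attribute-table fields back from the issued certificate, verifies the chain both with and without the subordinate CA, shows that changing a single bit of an issued certificate is caught by the CA's signature, and finally publishes and checks a CRL whose entries carry the slide's revocation reasons as RFC 5280 CRLReason codes (unspecified 0, keyCompromise 1, cACompromise 2, affiliationChanged 3, superseded 4, certificateHold 6).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 CRLReason codes for the revocation reasons listed on the slide.
const (
	ReasonUnspecified, ReasonKeyCompromise, ReasonCACompromise        = 0, 1, 2
	ReasonAffiliationChanged, ReasonSuperseded, ReasonCertificateHold = 3, 4, 6
)
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21} // id-ce-cRLReasons CRL entry extension

// Issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func Issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign } // CA keys sign certificates and CRLs
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyChain checks that leaf chains up to a trusted root through the subordinate CAs.
func VerifyChain(leaf *x509.Certificate, subs, roots []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots { opts.Roots.AddCert(c) }
	for _, c := range subs { opts.Intermediates.AddCert(c) }
	_, err := leaf.Verify(opts)
	return err
}

// TamperDetected flips one bit of the subject name inside the encoded certificate and reports whether the issuing CA's signature check now fails, which it must.
func TamperDetected(cert, issuer *x509.Certificate) bool {
	raw := append([]byte(nil), cert.Raw...)
	i := bytes.Index(raw, []byte(cert.Subject.CommonName))
	if i < 0 { return false }
	raw[i] ^= 0x01
	t, err := x509.ParseCertificate(raw)
	return err != nil || t.CheckSignatureFrom(issuer) != nil
}

// PublishCRL signs a CRL listing each serial with its reason code, as the CA would publish it.
func PublishCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked map[int64]int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for serial, code := range revoked {
		v, err := asn1.Marshal(asn1.Enumerated(code)) // the reason travels as an ENUMERATED entry extension
		if err != nil { return nil, err }
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(serial), RevocationTime: time.Now(), Extensions: []pkix.Extension{{Id: oidReasonCode, Value: v}}})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(7 * 24 * time.Hour), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckRevocation validates the CRL's signature and freshness, then looks the serial up.
func CheckRevocation(crlDER []byte, ca *x509.Certificate, serial int64) (revoked bool, reason int, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, 0, err }
	if err = crl.CheckSignatureFrom(ca); err != nil { return false, 0, err } // signed by the CA we trust?
	if time.Now().After(crl.NextUpdate) { return false, 0, fmt.Errorf("stale CRL: fetch a fresh copy before trusting it") }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() != serial { continue }
		for _, ext := range rc.Extensions { // decode the reason code if the entry carries one
			var e asn1.Enumerated
			if ext.Id.Equal(oidReasonCode) { if _, err := asn1.Unmarshal(ext.Value, &e); err == nil { reason = int(e) } }
		}
		return true, reason, nil
	}
	return false, 0, nil
}

func main() {
	// Constructed fixture: names and serial numbers are made up for this example.
	root, rootKey, _ := Issue("Example Root CA", 1, true, nil, nil)
	sub, subKey, _ := Issue("Example Subordinate CA", 2, true, root, rootKey)
	leaf, _, _ := Issue("server.example.test", 3, false, sub, subKey)
	fmt.Printf("v%d serial=%v sig=%v issuer=%q subject=%q valid %v to %v\n", leaf.Version, leaf.SerialNumber, leaf.SignatureAlgorithm, leaf.Issuer.CommonName, leaf.Subject.CommonName, leaf.NotBefore, leaf.NotAfter)
	fmt.Println("chain ok:", VerifyChain(leaf, []*x509.Certificate{sub}, []*x509.Certificate{root}) == nil, "tamper detected:", TamperDetected(leaf, sub))
	crl, _ := PublishCRL(sub, subKey, map[int64]int{3: ReasonKeyCompromise})
	fmt.Println(CheckRevocation(crl, sub, 3)) // true 1 <nil>
}
```

Two details matter for a relying party. The chain check fails when the subordinate CA certificate is missing even though the root is trusted, which is the usual cause of "unknown authority" errors after a subordinate CA is added. And CheckRevocation refuses a CRL that is past its NextUpdate or that was not signed by the expected CA, because a revocation check against a stale or unverified list is worse than no check at all: it reports "not revoked" with unearned confidence.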
Backup CA Data
- Certificate Services data can be backed up using:
  - Windows 2000 Backup tool
  - Certification Authority console
- Frequency of data backup is directly proportional to the number of certificates
Import/Export Certificate
- Certificates can be imported or exported in the following certificate file formats:
  - Base64 Encoded X.509
  - Cryptographic Message Syntax Standard (PKCS #7)
  - DER Encoded Binary X.509
  - Personal Information Exchange (PKCS #12)
Active Directory for Certificate
- Windows-based directory service
- Enables network users to access resources anywhere on the network using a single logon process
- External users need to be authenticated but do not have an account in Active Directory
Summary
- Public Key Infrastructure is a collection of software components and operational policies
- The private key is the means by which an identity is authenticated
- Public keys provide the identification service and private keys provide the authentication service
Summary Contd…
- Public Key Authentication uses the public key technique to authenticate and verify the authenticity of the sender
- Digital signatures are the electronic equivalent of the hand-written signature
- The signature of the CA on a certificate ensures easy detection of any modifications made to its contents
Summary Contd…
- Two types of Windows Server 2003 CA:
  - Enterprise
  - Stand-alone
- Active Directory is a Windows-based directory service
