
Public Key Technology in Windows 2000

The Windows 2000 operating system has a built-in public key infrastructure (PKI) to address the business needs of enterprises that want to conduct e-commerce over the Internet. In this chapter, the authors discuss PKI architecture, interoperability issues, and applications that use Windows 2000's PKI infrastructure.


The Windows 2000 operating system has a built-in public key infrastructure (PKI) to address the business needs of enterprises that want to conduct e-commerce over the Internet. The built-in PKI provides a distributed authentication model that scales to the Internet and that interfaces with existing PKI trust infrastructures, enabling large-scale deployment of e-commerce applications. Furthermore, an enterprise can leverage the built-in PKI to enhance the security of its internal networks by using, for example, smart cards instead of passwords for domain network log-on.

We start by presenting a list of Windows 2000 applications that use public key technology to address their security needs. We then discuss the Windows 2000 public key security architecture and provide basic information on the Windows 2000 PKI. Finally, we turn our attention to the interoperability issues and examine the various levels of interoperability between Windows 2000 PKI and a third-party PKI.

Public Key Security

Windows 2000 leverages public key technology to address the security needs of a wide range of real-world business-to-consumer and business-to-business applications. This section presents the major applications that have an underlying public key security.

Secure E-Commerce: TLS/SSL

The Internet has already crossed the chasm between a publishing platform and a platform to conduct on-line business. Shopping malls and merchants have set up secure Web sites to extend their businesses to on-line consumers and to receive payments. The secure Web sites enable consumers to verify the identity of merchants and to ensure the privacy of their transactions and payment information.

Windows 2000 provides an infrastructure to enable business-to-consumer e-commerce. The support for Secure Sockets Layer (SSL) 3.0 [FRIE96] and Transport Layer Security (TLS) 1.0 protocols [DIER99], public key certificates, and embedded trust points in browsers are the key cornerstones of this infrastructure. The TLS/SSL protocols provide security over public networks and prevent communications eavesdropping, tampering, and forgery. Client/server applications use the TLS handshake protocol to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before an application starts transmitting data. The handshake protocol uses public key cryptography, such as RSA [RIVE78] or DSS [DSS94], to authenticate peers and to negotiate a shared secret. Public key certificates provide evidence for the identity of merchants; consumers use their own local policies to decide how much trust to place in these certificates.

Once a channel is authenticated, TLS uses symmetric cryptography, such as DES [DES83] or RC4, to encrypt the application data in the negotiated shared secret prior to transmission over the network. Message transmission includes a message integrity check, using a keyed message authentication code (MAC) [KRAW97], computed by applying a secure hash function, such as SHA [SHA94] or MD5 [RIVE92]. Encryption of application data ensures the privacy of communications and payment information with a Web server, whereas message integrity checks prevent communications tampering and forgery.
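The integrity check described above can be made concrete with the TLS 1.0 record MAC, which is an HMAC over an implicit per-direction sequence number, the record header, and the payload. The following is an added example, not code from the chapter or from Windows 2000; it leaves out encryption and the handshake, and the MAC secret and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23      # TLS ContentType value for application data
TLS_1_0 = (3, 1)           # version bytes carried in every TLS 1.0 record
MAC_LEN = hashlib.sha1().digest_size


def record_mac(mac_secret, seq_num, fragment):
    """TLS 1.0 record MAC: HMAC over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, APPLICATION_DATA,
                         TLS_1_0[0], TLS_1_0[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class RecordWriter:
    """Sending side: appends a MAC and advances its implicit sequence number."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq_num = 0

    def protect(self, fragment):
        mac = record_mac(self.mac_secret, self.seq_num, fragment)
        self.seq_num += 1
        return fragment + mac


class RecordReader:
    """Receiving side: recomputes the MAC with its own sequence counter."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq_num = 0

    def accept(self, record):
        """Return the payload if the MAC verifies, else None (TLS would abort)."""
        if len(record) < MAC_LEN:
            return None
        fragment, mac = record[:-MAC_LEN], record[-MAC_LEN:]
        expected = record_mac(self.mac_secret, self.seq_num, fragment)
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        self.seq_num += 1
        return fragment


def run_scenarios():
    secret = bytes(range(20))   # constructed secret; TLS derives it in the handshake
    writer = RecordWriter(secret)
    first = writer.protect(b"item=widget&qty=2")
    second = writer.protect(b"pay=card-on-file")

    tampered = bytearray(first)
    tampered[-MAC_LEN - 1] ^= 0x01     # last payload byte: "2" becomes "3"

    in_order = RecordReader(secret)
    replay = RecordReader(secret)
    replay.accept(first)               # first delivery succeeds, counter moves on
    return {
        "in_order": [in_order.accept(first), in_order.accept(second)],
        "tampered": RecordReader(secret).accept(bytes(tampered)),
        "replayed": replay.accept(first),
        "reordered": RecordReader(secret).accept(second),
        "wrong_key": RecordReader(b"\x00" * 20).accept(first),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10} -> {outcome}")
```

Because the sequence number is part of the MAC input but never sent, a replayed or reordered record fails verification even though its bytes are unmodified.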

Supporting Distributed Business Partners: TLS/SSL Client-Side Authentication

The Internet is undoubtedly the ultimate platform for distributed computing. The general public uses the Internet to access information, to view catalog information, and to place orders. Company employees who are on the road or working from home connect to their favorite Internet service providers and access their company's intranet to carry out their tasks. Similarly, a company's business partners use the Internet to access privileged resources from the company's extranet and to perform a variety of business-to-business processes, such as supply chain management and customer relations management.

Supporting on-line business-to-business relationships poses a unique challenge: the need for distributed authentication. An enterprise must be able to reliably authenticate its distributed partners to determine and to enforce their access rights to its internal resources. The authentication mechanism must scale to thousands of partners (millions of consumers for business-to-consumer applications) and must be flexible; it must be administratively easy to add a new business partner or to remove a partner no longer authorized to use the extranet.

Windows 2000 leverages public key technology to offer a flexible solution for distributed authentication. An enterprise can issue client certificates for its business partners or consumers and use Windows 2000 PKI to authenticate partners, based on their certificates. The authentication hinges on the client-side authentication in TLS, public key certificates, and trust points in a Web server. During the TLS handshake protocol, a Web server can ask a client for its certificate and confirm the client's identity, based on the submitted certificate and the Web server's trust policy. The protocol allows a browser to display a suitable list of available certificates to a client; browsers enhanced with additional software can further customize this list and provide branding information.[1] After a Web server verifies a client certificate, Windows 2000 provides a mapping mechanism to relate the external identity of a distributed user to an internal enterprise identity. Windows NT 4.0 supports the mapping within the Internet Information Services (IIS); Windows 2000 provides an alternative approach by defining the mappings within Active Directory. The mapping can be either many-to-one, associating many clients to one Windows account, or one-to-one, relating one client to one Windows account. Windows 2000 provides a great deal of flexibility for setting up the mapping relationships between client public key certificates and Windows accounts, such as using the certificate issuer or subject fields as mapping parameters.

Windows 2000 uses the enterprise identity of an external client for updating account information and generating audit trails. Equally important is enforcing access-control rules and ensuring that a distributed partner accesses only the intended resources. When mapping an external user to a Windows account, Windows 2000 uses the access rights of the mapped account to determine and to enforce access rights. An enterprise can set up an account for each distributed partner with the proper access rights to its extranet; Windows 2000 provides built-in operating system support to enforce the rights.
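The mapping and enforcement steps described in the two paragraphs above can be modelled in a few lines. This is an added sketch, not Windows 2000 or IIS code: the class names, account names, rights, and certificates are hypothetical, one-to-one mappings are assumed to take precedence over many-to-one rules, and the certificate is assumed to have already been validated against the server's trust points.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ClientCert:
    issuer: str        # issuer distinguished name
    subject: str       # subject distinguished name
    fingerprint: str   # hex digest of the encoded certificate


@dataclass(frozen=True)
class ManyToOneRule:
    issuer: str            # must equal the certificate issuer exactly
    subject_pattern: str   # glob over the subject distinguished name
    account: str           # internal account shared by all matching clients


class CertificateMapper:
    """Hypothetical model of one-to-one and many-to-one certificate mapping."""

    def __init__(self):
        self._one_to_one = {}
        self._many_to_one = []

    def add_one_to_one(self, fingerprint, account):
        self._one_to_one[fingerprint.lower()] = account

    def add_many_to_one(self, rule):
        self._many_to_one.append(rule)

    def resolve(self, cert):
        """Return the mapped account, or None when nothing matches (fail closed)."""
        exact = self._one_to_one.get(cert.fingerprint.lower())
        if exact is not None:
            return exact
        for rule in self._many_to_one:
            # Both fields must match: a subject alone proves nothing when the
            # certificate comes from an issuer the rule does not name.
            if cert.issuer == rule.issuer and fnmatchcase(cert.subject, rule.subject_pattern):
                return rule.account
        return None


# Constructed sample data (hypothetical CA, partners, accounts and rights).
PARTNER_CA = "CN=Example Partner CA, O=Example Trust, C=US"
ALICE = ClientCert(PARTNER_CA, "CN=Alice, O=Contoso Supply, C=US", "A1" * 20)
BOB = ClientCert(PARTNER_CA, "CN=Bob, O=Contoso Supply, C=US", "B2" * 20)
STRANGER = ClientCert("CN=Unrelated CA, O=Elsewhere, C=US",
                      "CN=Alice, O=Contoso Supply, C=US", "C3" * 20)

ACCOUNT_RIGHTS = {
    r"EXTRANET\alice": {"catalog:read", "orders:write"},
    r"EXTRANET\contoso-partners": {"catalog:read"},
}


def build_mapper():
    mapper = CertificateMapper()
    mapper.add_one_to_one(ALICE.fingerprint, r"EXTRANET\alice")
    mapper.add_many_to_one(
        ManyToOneRule(PARTNER_CA, "*, O=Contoso Supply, C=US", r"EXTRANET\contoso-partners"))
    return mapper


def authorize(mapper, cert, right):
    """Access follows the rights of the mapped account; unmapped clients get nothing."""
    account = mapper.resolve(cert)
    return account is not None and right in ACCOUNT_RIGHTS.get(account, set())
```

Removing a partner in this model means deleting its mapping entry or rule, after which `resolve` returns `None` and every request from that certificate is denied.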

Strong Network Authentication: Smart Cards

Passwords have traditionally been a weak link in the overall security of an authentication system [FEGH98]. Passwords have poor random qualities because humans need to be able to memorize them. Users typically need to remember a number of passwords to access various systems and tend to forget their passwords, requiring an administrative process to reissue new passwords, which further weakens the overall security of a system.

Windows 2000 supports smart cards for strong, interactive network authentication. Smart cards hold cryptographic public key-based keys that have much better random qualities than do passwords. Users interactively log on to their domain accounts by proving that they are in possession of the private keys corresponding to their public key certificates. Windows 2000 implements the required public key extensions to Kerberos to enable smart card log-on. Furthermore, Windows 2000 PKI has the necessary machinery to issue certificates in smart cards for network users. See Chapter 2 for more information on Windows 2000 smart card interactive log-on.

Distributing Authenticated Code: Authenticode 2.0

The Internet provides an extremely effective platform for distributing software. Many Web sites have content containing downloadable code, such as ActiveX controls, Java applets, or scripts, that transports to browsers during Web surfing. Once downloaded, the code runs on the client computers and performs tasks ranging from simple error checking on HTML (Hypertext Markup Language) forms to such sensitive operations as reading personal files. Downloadable code adds programming logic to digital content, enhances the functionality of the browser, and improves the user experience. Unfortunately, rogue Web sites can use the same distribution channel to download harmful code to client computers for fraudulent purposes. Furthermore, attackers can infect downloadable code with a virus while in transit from a legitimate Web server to end users' desktops.

Authenticode 2.0 provides accountability for downloadable code and ensures the integrity of code while in transit. Authenticode uses public key certificates issued for software publishing to create a digital signature over an executable program, a cabinet file, a digital thumbprint, an ActiveX control, a dynamic link library (DLL), or a certificate trust list (CTL). The signature binds the code to the identity of its publisher; the software publishing certificate vouches for the identity of the publisher and creates accountability. When a Web surfer downloads digital content that contains signed code, a browser interrupts[2] the download process and prompts the user for approval. Trust in the certification authority that has issued the software publishing certificate, the software publisher, and other local policy trust decisions determine whether the user approves the signed code. See [FEGH98] for an overview of the Authenticode technology.

Laptop and Desktop File System Security: EFS

The Windows NT file system (NTFS) protects sensitive files against improper access but is helpless to prevent an attacker from running another operating system, such as UNIX or MS-DOS, to inspect NTFS-based files on disk structures. An attacker can boot another operating system from the floppy when a computer boots or may physically remove a hard disk and install it in a computer with a different operating system. Tightening the physical security helps minimize such attacks, but such measures are not as effective against insider attacks and do not work when an employee carries around sensitive information on a laptop.

Data encryption provides the only safeguard against such attacks. A stolen laptop or hard disk is useless if the attacker cannot decipher encrypted files. Although a number of products in the marketplace offer application-level file encryption, they generally suffer from inherently weak password-derived keys for encryption, are not transparent, and do not have recovery agents.

Windows 2000 provides a built-in data encryption service called Encrypting File System (EFS). EFS uses symmetric key cryptography for encryption and public key cryptography for securing the random symmetric keys. Encryption and decryption of files are transparent to end users and happen seamlessly when data travels to and from disk structures. EFS supports file sharing among any number of users by keeping a copy of a random symmetric key encrypted in the public key of each user. Built-in data recovery agents allow an enterprise to enforce its local policy on EFS, such as recovering encrypted files when employees leave or when they lose their private keys. Refer to [MICR00D] for an in-depth discussion of EFS.

Secure E-Mail: S/MIME

The use of e-mail for business-to-consumer transactions has already taken off as a replacement for regular mail. Businesses now use e-mail to inform consumers about their promotions, send monthly billing statements, confirm stock trades, and so on. Conventional Internet e-mail, however, does not provide the same quality of service that regular mail provides. E-mail is, for example, vulnerable to eavesdropping and counterfeiting. Secure e-mail, however, provides many of the protections that people associate with regular mail, providing message origin authentication, message integrity, nonrepudiation of origin, and message confidentiality. Secure e-mail furnishes writer-to-reader security, which protects an e-mail from the moment it leaves a sender's mailing tool until it arrives at a recipient's mailing tool.

Windows 2000 supports the S/MIME (Secure Multipurpose Internet Mail Exchange) protocol for securing e-mail messages in the Internet. S/MIME leverages symmetric key cryptography for confidentiality, public key cryptography for authentication and nonrepudiation, and a formal public key infrastructure for accountability. The Windows 2000 built-in PKI provides the required machinery to implement S/MIME in an enterprise. The flexibility of the Windows 2000 PKI allows an enterprise to chain an internal trust point to an external, commercial trust point, in order to extend the secure e-mail protections beyond its internal boundary. An enterprise also has the flexibility to outsource the entire management for its S/MIME PKI to a third-party trust provider, such as VeriSign. Chapter 5 and Chapter 9 discuss such integration considerations with third-party trust providers and external trust infrastructures in detail.

Network-Level Secure Communications: IPsec

Securing network traffic at the IP layer provides transparency and end-to-end security. Applications and higher-layer protocols, such as TCP or UDP, can transparently leverage the IP-layer security services without requiring any code changes. The provided end-to-end security services protect packets from the moment they leave a source IP node until they arrive at a destination IP node. In contrast, security services at a layer above the IP layer do not have the transparency property; security services at a layer below the IP layer do not have the end-to-end property.

IP Security (IPsec) lays a security architecture for the Internet Protocol and provides high-quality, cryptographically based security services for authentication, integrity, confidentiality, and access control. IPsec-enabled systems select the security features they need and communicate securely over insecure networks with other IPsec-enabled systems. IPsec secures IP packets at the network level according to the security policy of a communicating IP node before forwarding them to the network interface layer for transmission; the intended receiving IP node verifies the packets according to the established security associations and rejects packets that do not have the expected level of security.

Windows 2000 provides a built-in implementation of the IPsec security protocol and its associated key management protocols. Windows 2000 default IPsec policies govern how clients and servers engage in secure communications; network administrators can create custom policies to enforce their local business rules. Windows 2000 supports router-router virtual private networks (VPNs) based on IPsec and remote access virtual private networks based on L2TP/IPsec. We will provide detailed coverage of IPsec and virtual private networks in Part III.


1. VeriSign offers a product called Personal Trust Agent (PTA) that improves the user experience and provides branding for client certificates.

2. Users can configure their browsers to automate such trust decisions.

 

 
