Page 1
The Windows NT® 5.0 Public Key Infrastructure
Charlie Chase
Program Manager, Windows NT Security
Microsoft Corporation

Page 2
Public Key Enables…
Secure Intranet
  Certificate enrollment
  Smart card logon
  Signed objects
Secure Remote Access
  Strong authentication
  Virtual Private Networks (VPN)
  Data protection
  Secure e-mail (S/MIME)

Page 3
Leveraging The Windows NT 5.0 PKI
Deploy Windows NT 5.0
Certificate Services
  Certification Authorities
  Certificate enrollment and policy
Strong authentication
  Smart card logon (Kerberos, EAP/TLS)
Data protection
  File system, transport layer
Code sign using Authenticode
  Win32® controls, CABs, catalog files

Page 4
Public Key Infrastructure
[Diagram: Active Directory, Certificate Services, clients with smart card (SC) reader and certificate, application services]

Page 5
PKI Trust Relationships
[Diagram: Enterprise Root CA, Enterprise Sub CA, Forest of Domains, Enterprise Root CA, One Way Trust, Standalone CA, Standalone Domain, Two-way Trust]

Page 6
Secure Intranet Application
[Diagram: Secure Web Server, Active Directory, client with smart card reader and certificate, Certification Authority; HTTP with SSL/TLS, Certificate Enrollment, Certificate Mapping]

Page 7
Certificate Enrollment
[Diagram: Active Directory, client with smart card reader and certificate, Root CA, Subordinate CA; Certificate Request and Installation, Publish Certificate]

Page 8
Microsoft Certificate Enrollment Control
Signed ActiveX® control
Scriptable interface using HTML and Visual Basic® Script or Java™ script
  Certificate Services SDK on MSDN
Built on PKCS#7 and PKCS#10 standard messaging formats
Installs certificate into system store for use by all applications
Supports smart cards

Page 9
Code Sample: Certificate Enrollment Control
Client
  Set certificate values, extensions
  Call createPKCS10() method
  Submit request to server
  Call acceptPKCS7() method
Server
  Process PKCS#10 message
  Return PKCS#7 message

Page 10
Certificate Storage Model
[Diagram: CryptoAPI, Logical Store Layer and Physical Store Layer; stores and providers shown: My, CA, Root, Trust, User DS, Default Store Provider, Smart Card CSP, LDAP, Smart Card Services]

Page 11
SSL Protection Using SSPI
Server
  Open server certificate context handle
  AcceptSecurityContext() until handshake completes
  EncryptMessage(), DecryptMessage()
Client
  Open client certificate context handle
  InitializeSecurityContext() until handshake completes
  DecryptMessage(), EncryptMessage()

Page 12
Certificate Verification
[Diagram: End-entity Cert, Issuing CA Cert, Root CA Cert]
Build certificate chain
  CertGetCertificateChain()
Apply policy to the chain
  CertVerifyCertificateChainPolicy()
Make trust decision based on status

Page 13
Code Sample

    PCCERT_CONTEXT pCertContext;
    CERT_CHAIN_PARA ChainPara = { sizeof(ChainPara) };   // cbSize must be set; zeroed fields mean defaults
    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    BOOL fresult;
    ...
    fresult = CertGetCertificateChain(
        HCCE_CURRENT_USER,   // chain engine
        pCertContext,        // certificate context
        NULL,                // current system time
        NULL,                // additional store
        &ChainPara,          // parameters to use
        0,                   // processing flags
        NULL,                // reserved
        &pChainContext);     // receives the built chain context
    // fresult only says a chain was built, not that it is trusted: apply a policy
    // to it (next slide) before trusting it, and release it afterwards with
    // CertFreeCertificateChain(pChainContext).

Page 14
Code Sample

    PCCERT_CONTEXT pCertContext;
    CERT_CHAIN_POLICY_PARA PolicyPara = { sizeof(PolicyPara) };
    CERT_CHAIN_POLICY_STATUS PolicyStatus = { sizeof(PolicyStatus) };
    ...
    fresult = CertVerifyCertificateChainPolicy(
        CERT_CHAIN_POLICY_BASE,   // policy to use
        pChainContext,            // chain context
        &PolicyPara,              // additional checks
        &PolicyStatus);           // chain status
    // fresult is TRUE when the policy could be evaluated, not when it passed:
    // the verdict is PolicyStatus.dwError (0 means the chain meets the policy).
    ...
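The three steps of slides 12 to 14 (build the chain, apply the base policy, decide on the status) as an added example that is not from the deck: it drives .NET's X509Chain, which wraps the same CryptoAPI chain engine, from Windows PowerShell instead of the C calls above. The function name, the revocation settings and the .cer path are this example's own choices.

```powershell
# Added example, not from the slides. Assumed: Windows PowerShell on a Windows host,
# a placeholder .cer path; Test-CertificateTrust is this example's own function name.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Counterpart of filling CERT_CHAIN_PARA: check revocation online for
    # every certificate except the root, and do not mask any error.
    $chain.ChainPolicy.RevocationMode    = 'Online'
    $chain.ChainPolicy.RevocationFlag    = 'ExcludeRoot'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'

    # Build() does CertGetCertificateChain() plus the base policy check
    # (CERT_CHAIN_POLICY_BASE); its Boolean is the base-policy verdict.
    $basePolicyOk = $chain.Build($Certificate)

    # Trust decision on the reported status: an unknown revocation state is
    # treated as a failure here rather than as "no error".
    $unknownMask = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]'RevocationStatusUnknown, OfflineRevocation'
    $problems = @()
    $revocationUnknown = $false
    foreach ($status in $chain.ChainStatus) {
        $problems += ('{0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
        if (($status.Status -band $unknownMask) -ne 0) { $revocationUnknown = $true }
    }

    $result = [pscustomobject]@{
        Subject      = $Certificate.Subject
        BasePolicyOk = $basePolicyOk
        Trusted      = ($basePolicyOk -and -not $revocationUnknown)
        Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Problems     = $problems
    }
    $chain.Reset()   # release the chain, like CertFreeCertificateChain()
    return $result
}

# Usage: the .cer path is a placeholder; any certificate object from the Cert: drive works too.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\end-entity.cer'
Test-CertificateTrust -Certificate $cert | Format-List
```

Chain lists the subjects in end-entity, issuing CA, root CA order as on the slide 12 diagram, and Problems carries every status flag the engine reported.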

Page 15
Smart Card Logon
[Diagram: client with smart card reader and certificate, Key Distribution Center (KDC), Active Directory; Logon request using Public Key, Verification and NT user account lookup, Kerberos Ticket Granting Ticket (TGT)]

Page 16
Code Signing Process
Enroll for Code Signing certificate
  VeriSign or internal CA
Sign your objects
  Use signcode.exe for executables (Internet Client SDK)
  Use makecat.exe for all other types (Windows NT 5.0 SDK)
Publish

Page 17
Authenticode
Individual objects
  Most flexible, highest overhead
Archives (CABs, self-extracting exes)
  Efficient for multiple, related objects
  Signature bound to container
Manifests (catalog files)
  Efficient for large collections
  Useful for signing different file types
  New for Windows® 98 and Windows NT 5.0

Page 18
Secure Remote Access
Strong authentication
Virtual Private Networks (VPN)
Data protection
Secure email (S/MIME)

Page 19
Remote Access Application
[Diagram: client with smart card reader and certificate, Remote Access Server, Internet, Active Directory; EAP/TLS Logon, LDAP with SSL/TLS, PPTP, IPSEC]

Page 20
Strong Authentication For Dial-up Networking
Public key certificate accepted by Remote Access Server (RAS)
  User certificate store
  Smart card
Transport Layer Security (TLS)
  Authentication protocol for PPTP
Extensible Authentication Protocol (EAP)

Page 21
Virtual Private Networks
Client passes user certificate to server to authenticate connection
  Supports EAP/TLS and smart card
Data encrypted between connection points
  Point-to-Point Tunneling Protocol (PPTP)
  Layer Two Tunneling Protocol (L2TP)
  IP Security Protocol (IPSec)

Page 22
Secure Email
[Diagram: Internet, client with smart card reader and certificate, Outlook 98, Outlook™ Express, Active Directory, Exchange 5.5 SP1; Retrieve user's certificate (LDAP), S/MIME]

Page 23
Signing Messages
Get handle to default provider
Get context to signing certificate
Include other certificates (optional)
Set algorithm info
  CRYPT_ALGORITHM_IDENTIFIER
Set signature info
  CRYPT_SIGN_MESSAGE_PARA
Call CryptSignMessage()

Page 24
Code Sample

    CRYPT_SIGN_MESSAGE_PARA SigParams;
    DWORD cbSignedMessageBlob = 0;
    ...
    CryptSignMessage(
        &SigParams,              // signature parameters
        FALSE,                   // signature not detached
        1,                       // number of messages
        MessageArray,            // message(s)
        MessageSizeArray,        // size of message(s)
        NULL,                    // NULL output buffer: this call only reports the size
        &cbSignedMessageBlob);   // receives the required buffer size
    // Allocate cbSignedMessageBlob bytes, then call again with that buffer
    // in place of NULL to receive the PKCS#7 signed blob.

Page 25
Verifying Signed Messages
Get handle to default provider
Set signature info
  CRYPT_VERIFY_MESSAGE_PARA
  Callback function to get signing certificate from system store
Call CryptVerifyMessageSignature()

Page 26
Code Sample

    CRYPT_VERIFY_MESSAGE_PARA VerifyParams;
    ...
    BOOL fresult = CryptVerifyMessageSignature(
        &VerifyParams,          // verification parameters
        0,                      // signer index
        pbSignedMessageBlob,    // signed blob
        cbSignedMessageBlob,    // size of signed blob
        NULL,                   // decoded msg buffer (not needed here)
        NULL,                   // buffer size
        NULL);                  // pointer to signer cert (not needed here)
    // FALSE means the signature did not verify or the signer certificate could
    // not be obtained; GetLastError() gives the reason. Never use the message
    // content without checking this result.
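The signing and verification sequence of slides 23 to 26 as an added example, not code from the deck: .NET's SignedCms (PKCS#7 SignedData, the format CryptSignMessage produces) driven from Windows PowerShell. The function names, the SHA-256 digest choice and the Personal-store lookup are assumptions of this example.

```powershell
# Added example, not from the slides. Assumed: Windows PowerShell, a certificate with a
# private key in CurrentUser\My; New-SignedMessage / Test-SignedMessage are this
# example's own names, and the message text is constructed.
Add-Type -AssemblyName System.Security

function New-SignedMessage {
    param(
        [Parameter(Mandatory)][byte[]]$Message,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$Message)
    # $false = signature not detached (the slide's FALSE): the message is carried in the blob.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms ($content, $false)
    $signer = New-Object System.Security.Cryptography.Pkcs.CmsSigner ($SigningCert)
    # "Include other certificates (optional)": embed the chain so a verifier can build it.
    $signer.IncludeOption = 'WholeChain'
    # Algorithm info (CRYPT_ALGORITHM_IDENTIFIER on the slide): SHA-256 digest.
    $signer.DigestAlgorithm = New-Object System.Security.Cryptography.Oid '2.16.840.1.101.3.4.2.1'
    $cms.ComputeSignature($signer)
    return ,$cms.Encode()        # the PKCS#7 signed blob (pbSignedMessageBlob)
}

function Test-SignedMessage {
    param([Parameter(Mandatory)][byte[]]$SignedBlob)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($SignedBlob)
    try {
        # $false = check the signature AND the signer's certificate chain;
        # unlike CryptVerifyMessageSignature() this throws instead of returning FALSE.
        $cms.CheckSignature($false)
        $verified = $true
    } catch {
        $verified = $false
    }
    [pscustomobject]@{
        Verified = $verified
        Signer   = $cms.SignerInfos[0].Certificate.Subject
        Content  = [System.Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)
    }
}

# Usage with a constructed message and the first private-key certificate in CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Select-Object -First 1
$blob = New-SignedMessage -SigningCert $cert -Message ([System.Text.Encoding]::UTF8.GetBytes('constructed sample message'))
Test-SignedMessage -SignedBlob $blob | Format-List
```

With a self-signed test certificate the chain check fails and Verified is $false; CheckSignature($true) checks only the signature itself, which is the weaker check.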

Page 27
Developer Tools
Windows Platform SDK Base Services
  Cryptographic Service Providers
  CryptoAPI 2.0
  Certificate Server
  Smart Card
  Security
Visual Studio™

Page 28
Summary
Secure Intranet
  Client and server certificates
  Smart card logon
  Code signing
Secure Remote Access
  Certificates for dial-up networking
  Secure e-mail using S/MIME
  Transport level security

Page 29
Call To Action
Leverage the Windows NT 5.0 Public Key Infrastructure to secure your applications
Use CryptoAPI to add encryption and signed messaging to your applications
Use SSPI to add channel data protection to your applications
Use Authenticode to sign your code

Page 30
Resources
Windows Platform: http://www.Microsoft.com/windows/
Windows NT® Server: http://www.Microsoft.com/ntserver/
Security Advisor: http://www.Microsoft.com/security/
Developer Information and Tools: http://www.Microsoft.com/msdn/
