The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security...
The Windows NT® 5.0 Public Key Infrastructure
Charlie Chase, Program Manager, Windows NT Security, Microsoft Corporation
Public Key Enables…
- Secure Intranet
  - Certificate enrollment
  - Smart card logon
  - Signed objects
- Secure Remote Access
  - Strong authentication
  - Virtual Private Networks (VPN)
  - Data protection
  - Secure e-mail (S/MIME)
Leveraging The Windows NT 5.0 PKI
- Deploy Windows NT 5.0 Certificate Services
  - Certification Authorities
  - Certificate enrollment and policy
- Strong authentication
  - Smart card logon (Kerberos, EAP/TLS)
- Data protection
  - File system, transport layer
- Code sign using Authenticode
  - Win32® controls, CABs, catalog files
Public Key Infrastructure
[Diagram: Active Directory, Certificate Services, Application Services, and clients with a smart card (SC) reader and certificates]
PKI Trust Relationships
[Diagram: Enterprise Root CA, Enterprise Sub CA, Forest of Domains; a second Enterprise Root CA linked by a One Way Trust; Standalone CA, Standalone Domain, linked by a Two-way Trust]
Secure Intranet Application
[Diagram: Secure Web Server, Active Directory, Certification Authority; client with smart card (SC) reader and certificate; HTTP with SSL/TLS, Certificate Enrollment, Certificate Mapping]
Certificate Enrollment
[Diagram: Root CA, Subordinate CA, Active Directory; client with smart card (SC) reader and certificate; Certificate Request and Installation, Publish Certificate]
Microsoft Certificate Enrollment Control
- Signed ActiveX® control
- Scriptable interface using HTML and Visual Basic® Script or Java™ script
- Certificate Services SDK on MSDN
- Built on PKCS#7 and PKCS#10 standard messaging formats
- Installs certificate into system store for use by all applications
- Supports smart cards
Code Sample: Certificate Enrollment Control
- Client
  - Set certificate values, extensions
  - Call createPKCS10() method
  - Submit request to server
  - Call acceptPKCS7() method
- Server
  - Process PKCS#10 message
  - Return PKCS#7 message
Certificate Storage Model
[Diagram: CryptoAPI; Logical Store Layer: My, User DS, CA, Root, Trust; Physical Store Layer: Default Store Provider, Smart Card CSP, LDAP; Smart Card Services]
SSL Protection Using SSPI
- Server
  - Open server certificate context handle
  - AcceptSecurityContext() until handshake completes
  - EncryptMessage(), DecryptMessage()
- Client
  - Open client certificate context handle
  - InitializeSecurityContext() until handshake completes
  - DecryptMessage(), EncryptMessage()
Certificate Verification
[Diagram: End-entity Cert, Issuing CA Cert, Root CA Cert]
- Build certificate chain: CertGetCertificateChain()
- Apply policy to the chain: CertVerifyCertificateChainPolicy()
- Make trust decision based on status
Code Sample: building the chain
    PCCERT_CONTEXT       pCertContext;          // end-entity certificate to verify
    CERT_CHAIN_PARA      ChainPara;
    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    BOOL                 fresult;
    ...
    ZeroMemory(&ChainPara, sizeof(ChainPara));
    ChainPara.cbSize = sizeof(ChainPara);     // no usage restrictions requested
    fresult = CertGetCertificateChain(
        HCCE_CURRENT_USER,   // chain engine
        pCertContext,        // certificate context
        NULL,                // current system time
        NULL,                // additional store
        &ChainPara,          // parameters to use
        0,                   // processing flags
        NULL,                // reserved
        &pChainContext);     // receives the built chain context

Code Sample: applying policy to the chain
    CERT_CHAIN_POLICY_PARA   PolicyPara;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    ...
    ZeroMemory(&PolicyPara, sizeof(PolicyPara));
    PolicyPara.cbSize = sizeof(PolicyPara);
    ZeroMemory(&PolicyStatus, sizeof(PolicyStatus));
    PolicyStatus.cbSize = sizeof(PolicyStatus);
    fresult = CertVerifyCertificateChainPolicy(
        CERT_CHAIN_POLICY_BASE, // policy to use
        pChainContext,          // chain context
        &PolicyPara,            // additional checks
        &PolicyStatus);         // chain status
    // fresult only reports that the policy check ran; the trust decision
    // is PolicyStatus.dwError == 0 (lChainIndex/lElementIndex locate a failure)
    ...
    CertFreeCertificateChain(pChainContext);
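The two-step split shown in the code samples (build the chain and collect status first, then apply a policy and decide) generalises beyond CryptoAPI. The following added example, which is not from the presentation, models that split in Python: `build_chain` plays the role of CertGetCertificateChain and records every problem it sees without deciding anything, `verify_chain_policy` plays the role of CertVerifyCertificateChainPolicy with policy flags that say which status bits may be ignored, and `trust_decision` is the application's final step. The certificates, store, trusted-root set, status names and dates are all constructed for the example and are not real X.509 objects.

```python
"""Chain building and policy checking, modelled on the two-step
CertGetCertificateChain / CertVerifyCertificateChainPolicy split.
Added example: certificates are constructed records, not real X.509."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False       # stands in for the basicConstraints cA flag


@dataclass
class ChainContext:
    """Result of chain building: the chain plus every problem noticed on
    the way (status bits, not yet a trust decision)."""
    chain: list                       # end-entity first, root last
    errors: set = field(default_factory=set)


def build_chain(leaf, store, trusted_roots, now, max_depth=8):
    """Step 1 (CertGetCertificateChain role): follow issuer links from the
    end-entity cert up to a self-signed root, recording status as we go."""
    by_subject = {c.subject: c for c in store}
    ctx = ChainContext(chain=[leaf])
    current = leaf
    while current.subject != current.issuer:      # stop at a self-signed cert
        if len(ctx.chain) >= max_depth:
            ctx.errors.add("CHAIN_TOO_LONG")
            return ctx
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            ctx.errors.add("PARTIAL_CHAIN")       # issuer not found in any store
            return ctx
        if not issuer.is_ca:
            ctx.errors.add("INVALID_BASIC_CONSTRAINTS")
        ctx.chain.append(issuer)
        current = issuer
    if current.subject not in trusted_roots:
        ctx.errors.add("UNTRUSTED_ROOT")
    if any(not (c.not_before <= now <= c.not_after) for c in ctx.chain):
        ctx.errors.add("NOT_TIME_VALID")
    return ctx


def verify_chain_policy(ctx, allow_untrusted_root=False, ignore_time=False):
    """Step 2 (CertVerifyCertificateChainPolicy role): apply a policy to the
    built chain. The policy flags decide which status bits are ignorable."""
    ignorable = set()
    if allow_untrusted_root:
        ignorable.add("UNTRUSTED_ROOT")
    if ignore_time:
        ignorable.add("NOT_TIME_VALID")
    remaining = sorted(ctx.errors - ignorable)
    return (True, "OK") if not remaining else (False, remaining[0])


def trust_decision(leaf, store, trusted_roots, now, **policy):
    """Step 3: the application's decision, based on the policy status."""
    ctx = build_chain(leaf, store, trusted_roots, now)
    ok, reason = verify_chain_policy(ctx, **policy)
    return ok, reason, [c.subject for c in ctx.chain]


def _year(y):
    return datetime(y, 1, 1, tzinfo=timezone.utc)


# Constructed sample store (all names and dates invented for the example).
ROOT = Cert("Root CA", "Root CA", _year(1998), _year(2008), is_ca=True)
ISSUING = Cert("Issuing CA", "Root CA", _year(1998), _year(2003), is_ca=True)
LEAF = Cert("End-entity", "Issuing CA", _year(1998), _year(2000))
EXPIRED = Cert("Old end-entity", "Issuing CA", _year(1996), _year(1997))
ORPHAN = Cert("Orphan", "Unknown CA", _year(1998), _year(2000))
STORE = [ROOT, ISSUING, LEAF, EXPIRED, ORPHAN]
TRUSTED = {"Root CA"}
NOW = datetime(1999, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cert in (LEAF, EXPIRED, ORPHAN):
        print(cert.subject, trust_decision(cert, STORE, TRUSTED, NOW))
```

The point of keeping the steps apart is the same as in the CryptoAPI design: the chain builder never says "trusted", it only reports what it found, so an expired intermediate or a root missing from the trusted set shows up as a status that the caller's policy either accepts or rejects explicitly.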
Smart Card Logon
[Diagram: client with smart card (SC) reader and certificate; Key Distribution Center (KDC) with Active Directory; Logon request using Public Key; Verification and NT user account lookup; Kerberos Ticket Granting Ticket (TGT)]
Code Signing Process
- Enroll for Code Signing certificate
  - VeriSign or internal CA
- Sign your objects
  - Use signcode.exe for executables (Internet Client SDK)
  - Use makecat.exe for all other types (Windows NT 5.0 SDK)
- Publish
Authenticode
- Individual objects
  - Most flexible, highest overhead
- Archives (CABs, self-extracting exes)
  - Efficient for multiple, related objects
  - Signature bound to container
- Manifests (catalog files)
  - Efficient for large collections
  - Useful for signing different file types
  - New for Windows® 98 and Windows NT 5.0
Secure Remote Access
- Strong authentication
- Virtual Private Networks (VPN)
- Data protection
- Secure email (S/MIME)
Remote Access Application
[Diagram: client with smart card (SC) reader and certificate; Internet; Remote Access Server; Active Directory; EAP/TLS Logon; PPTP, IPSEC; LDAP with SSL/TLS]
Strong Authentication For Dial-up Networking
- Public key certificate accepted by Remote Access Server (RAS)
  - User certificate store
  - Smart card
- Transport Layer Security (TLS)
  - Authentication protocol for PPTP
- Extensible Authentication Protocol (EAP)
Virtual Private Networks
- Client passes user certificate to server to authenticate connection
  - Supports EAP/TLS and smart card
- Data encrypted between connection points
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer two Tunneling Protocol (L2TP)
  - IP Security Protocol (IPSec)
Secure Email
[Diagram: client with smart card (SC) reader and certificate running Outlook 98 or Outlook™ Express; Internet; Exchange 5.5 SP1; Active Directory; Retrieve user's certificate (LDAP); S/MIME]
Signing Messages
- Get handle to default provider
- Get context to signing certificate
- Include other certificates (optional)
- Set algorithm info: CRYPT_ALGORITHM_IDENTIFIER
- Set signature info: CRYPT_SIGN_MESSAGE_PARA
- Call CryptSignMessage()
Code Sample: signing
    CRYPT_SIGN_MESSAGE_PARA SigParams = { 0 };
    const BYTE* MessageArray[]     = { pbMessage };   // message(s) to sign
    DWORD       MessageSizeArray[] = { cbMessage };   // size of each message
    DWORD       cbSignedMessageBlob = 0;
    SigParams.cbSize = sizeof(SigParams);
    SigParams.dwMsgEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
    SigParams.pSigningCert = pSignerCert;               // context to signing certificate
    SigParams.HashAlgorithm.pszObjId = szOID_OIWSEC_sha1; // CRYPT_ALGORITHM_IDENTIFIER
    // first call with a NULL buffer to learn the required size
    CryptSignMessage(
        &SigParams,            // signature parameters
        FALSE,                 // signature not detached
        1,                     // number of messages
        MessageArray,          // message(s)
        MessageSizeArray,      // size of message(s)
        NULL,                  // NULL: get buffer size
        &cbSignedMessageBlob); // size of buffer
    // then allocate cbSignedMessageBlob bytes and call again with the buffer
Verifying Signed Messages
- Get handle to default provider
- Set signature info: CRYPT_VERIFY_MESSAGE_PARA
  - Callback function to get signing certificate from system store
- Call CryptVerifyMessageSignature()
Code Sample: verifying
    CRYPT_VERIFY_MESSAGE_PARA VerifyParams = { 0 };
    VerifyParams.cbSize = sizeof(VerifyParams);
    VerifyParams.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
    VerifyParams.hCryptProv = 0;                                // 0: default provider
    VerifyParams.pfnGetSignerCertificate = GetSignerCertFromStore; // application-defined callback: look up the signing certificate in the system store
    if (!CryptVerifyMessageSignature(
            &VerifyParams,        // verification parameters
            0,                    // signer index
            pbSignedMessageBlob,  // signed blob
            cbSignedMessageBlob,  // size of signed blob
            NULL,                 // decoded msg buffer
            NULL,                 // buffer size
            NULL))                // pointer to signer cert
    {
        // signature did not verify or signer not found: treat the message as unsigned
    }
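The signing and verification slides above share one idea worth seeing end to end: the signed blob names its signer, and the verifier decides where that signer's certificate is looked up (the callback on the verification slide) rather than trusting whatever the blob carries. The added example below, which is not from the presentation, models both calls in Python: `sign_message` mirrors CryptSignMessage with the detached/attached choice, `verify_message_signature` mirrors CryptVerifyMessageSignature and takes a lookup callback in the role of the system-store callback. The signature primitive is a toy RSA over SHA-256 with fixed small primes, and the certificate, store and messages are constructed for the example.

```python
"""Sign-then-verify message flow, modelled on the CryptSignMessage /
CryptVerifyMessageSignature pair. Added example: a toy RSA signature over
SHA-256 stands in for the CSP, and a dict stands in for the system store."""
import hashlib
from dataclasses import dataclass

# Toy RSA key pair built from two fixed small primes (illustration only;
# nowhere near a real key size).
_P, _Q = 1000003, 999983
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent


@dataclass(frozen=True)
class SignerCert:
    issuer: str
    serial: int
    n: int                 # public key
    e: int

    @property
    def signer_id(self):
        # A PKCS#7 SignerInfo names the signer by issuer and serial number;
        # that pair is what the verifier's lookup callback receives.
        return (self.issuer, self.serial)


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_message(message: bytes, cert: SignerCert, private_d: int, detached: bool) -> dict:
    """Mirrors CryptSignMessage. With detached=False the content travels
    inside the signed blob (the case in the slide); with detached=True the
    blob carries only the signature and the content is sent separately."""
    signature = pow(_digest_int(message, cert.n), private_d, cert.n)
    blob = {"signer_id": cert.signer_id, "signature": signature, "detached": detached}
    if not detached:
        blob["content"] = message
    return blob


def verify_message_signature(blob: dict, get_signer_cert, detached_content: bytes = None):
    """Mirrors CryptVerifyMessageSignature. The signer's certificate comes
    from the caller-supplied callback (the pfnGetSignerCertificate role), so
    the verifier, not the blob, decides which store the lookup trusts.
    Returns (ok, decoded_content_or_None, signer_cert_or_None)."""
    cert = get_signer_cert(blob["signer_id"])
    if cert is None:
        return False, None, None                 # signer not in our store
    content = detached_content if blob["detached"] else blob.get("content")
    if content is None:
        return False, None, cert                 # detached signature, no content supplied
    ok = pow(blob["signature"], cert.e, cert.n) == _digest_int(content, cert.n)
    return ok, (content if ok else None), cert


# Constructed stand-in for the system certificate store.
SIGNER_CERT = SignerCert("CN=Issuing CA", 1001, _N, _E)
SYSTEM_STORE = {SIGNER_CERT.signer_id: SIGNER_CERT}


def lookup_in_system_store(signer_id):
    """The callback handed to verify_message_signature."""
    return SYSTEM_STORE.get(signer_id)


def demo():
    msg = b"Meeting moved to 10:00"
    attached = sign_message(msg, SIGNER_CERT, _D, detached=False)
    detached = sign_message(msg, SIGNER_CERT, _D, detached=True)
    ok_attached, decoded, _ = verify_message_signature(attached, lookup_in_system_store)
    ok_detached, _, _ = verify_message_signature(detached, lookup_in_system_store, msg)
    tampered = dict(attached, content=b"Meeting moved to 11:00")   # content altered in transit
    ok_tampered, _, _ = verify_message_signature(tampered, lookup_in_system_store)
    unknown = dict(attached, signer_id=("CN=Other CA", 7))         # signer we have no cert for
    ok_unknown, _, _ = verify_message_signature(unknown, lookup_in_system_store)
    return ok_attached, decoded, ok_detached, ok_tampered, ok_unknown


if __name__ == "__main__":
    print(demo())
```

Two outcomes in `demo` are the ones to check in a real deployment: an altered content body fails even though the signature bytes are untouched, and a blob naming a signer the store does not hold fails before any signature arithmetic runs, which is exactly why the lookup belongs to the verifier's callback.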
Developer Tools
- Windows Platform SDK Base Services
  - Cryptographic Service Providers
  - CryptoAPI 2.0
  - Certificate Server
  - Smart Card
  - Security
- Visual Studio™
Summary
- Secure Intranet
  - Client and server certificates
  - Smart card logon
  - Code signing
- Secure Remote Access
  - Certificates for dial-up networking
  - Secure e-mail using S/MIME
  - Transport level security
Call To Action
- Leverage the Windows NT 5.0 Public Key Infrastructure to secure your applications
- Use CryptoAPI to add encryption and signed messaging to your applications
- Use SSPI to add channel data protection to your applications
- Use Authenticode to sign your code
Resources
- Windows Platform: http://www.Microsoft.com/windows/
- Windows NT® Server: http://www.Microsoft.com/ntserver/
- Security Advisor: http://www.Microsoft.com/security/
- Developer Information and Tools: http://www.Microsoft.com/msdn/