Security Properties
- Authentication is the process of reliably determining the genuine identity of the communicating computer or user.
- Integrity is the correctness of data as it was originally sent.
- Confidentiality ensures that data is disclosed only to intended recipients.
- Anti-replay ensures that datagrams are not retransmitted.

Cryptography
- Cryptography is a set of mathematical techniques for encrypting and decrypting data.
- Cryptography uses keys in conjunction with algorithms to secure data; the algorithm provides the infrastructure in which the key is applied.
- A number of well-known cryptographic algorithms support security operations.
- Microsoft Windows 2000 supports public key cryptography.
- A secret key is used in much the same way as a public key.

Public Key Cryptography
- Overview of public key cryptography
- Public key: the owner sends the public key to the recipient, or the recipient retrieves the key from a directory service.
- Secret key: may be used in conjunction with a public key because of the overhead of public key operations.
- Data encryption: encrypted with the recipient's public key, or with a secret key.
- Digital message signing: a message digest is created with a hash algorithm and encrypted with the sender's private key.
- Secret keys

Certificates
- Public key encryption assumes that the identity of the key pair owner is established beyond doubt.
- Role of the CA (Certificate Authority)
- A digital certificate is a set of data that completely identifies an entity.
- The recipient of the message can use the sender's public key to verify that the sender is legitimate.

X.509
- The term X.509 refers to the ITU-T standard for certificate syntax and format.
- The Windows 2000 certificate-based processes use the X.509 standard.
- At a minimum, certificates should contain certain specific attributes: Version, Serial Number, Signature Algorithm, Issuer, Validity Period, Name, Public Key, etc.

Certificate Revocation Lists (CRLs)
- Certificates can expire and become invalid.
- The Certificate Authority (CA) can revoke a certificate for any reason.
- The CA maintains a CRL.

CA Hierarchy
- CAs can certify other CAs.
- The chaining of CAs provides several benefits.

Microsoft Certificate Services
- Enables an organization to manage the issuance, renewal and revocation of digital certificates.
- Allows an organization to control the policies associated with issuing, managing and revoking certificates.
- Logs all transactions.

Features of Certificate Services
- Policy independence: the requestor must meet certain criteria.
- Transport independence: a mechanism to request and distribute certificates.
- Adherence to standards: PKCS #10 requests, PKCS #7 signed data, X.509 version 1.0 and 3.0 certificates.
- Key management: securely storing certificates.

Certificate Services Architecture
- Processing a Certificate Request
- Enrolling Certificates

CA Certificates
- The CA validates the identity of the individual requesting the certificate and then signs the certificate with its own private key.
- A client application checks the CA signature before accepting a certificate.
- The CA certificate is a signature certificate that contains a public key used to verify digital signatures.
- A self-signed CA certificate is also called a root certificate.
- CA certificates can be distributed and installed.

Installing Certificate Services
- You can install Certificate Services by using Add/Remove Programs in Control Panel.
- Certificate Services supports four Certificate Authority types: Enterprise Root, Enterprise Subordinate, Stand-Alone Root, Stand-Alone Subordinate.
- You must supply information about the initial CA that is created when you install Certificate Services (name, etc.); it can't be changed after setup.
- The advanced configuration contains options for the type of cryptography algorithms to be used for the CA that you are creating.

Administering Certificate Services
- Start/stop
- Set permissions (delegate)
- View a CA certificate
- Backup/restore
- Renew a subordinate
- Manage revocations
- Manage requests
- Manage templates
- Change policy settings
- Map a certificate to a user account
- Certutil.exe

Secure Channel (SChannel)
- Authentication package that lies below the Security Support Provider.
- SSL/TLS, Smart Cards, Authenticode, EFS

Smart Cards
- Smart cards can be used to store a user's public key, private key and certificate.
- To use a smart card, a computer must have a smart card reader.
- A smart card contains an embedded microprocessor, a cryptography coprocessor and local storage.
- Windows 2000 supports PK-based smart card logon as an alternative to passwords for domain authentication.

Authenticode
- Ensures accountability and authenticity for software components on the Internet.
- Verifies that the software hasn't been tampered with and identifies the publisher of the software.
- Allows software publishers to digitally sign any form of active content.

Encrypting File System (EFS)
- EFS is an extension of NTFS that provides strong data protection and encryption for files and folders.
- The encryption technology is based on the use of public keys and runs as an integrated system service.
- The encrypting user's public key is used in the encryption process.
- Encryption and decryption are done transparently during the I/O process.
- EFS supports encryption and decryption of files stored on remote NTFS volumes.

Data Protection
- EFS uses a combination of the user's public and private keys as well as a file encryption key.
- Windows 2000 uses the Data Encryption Standard X (DESX) algorithm to encrypt files.

Data Recovery
- The Encrypted Data Recovery Policy is used to specify who can recover data in case a user's private key is lost.
- For security, recovery is limited to the encrypted data; it is not possible to recover users' keys.

Encrypted Backup and Restoration
- Members of the Backup Operators group do not have the keys necessary for decryption.
- Encrypted data is read and stored in the backup as an opaque stream of data.

Fault Tolerance
- The processes of encryption and decryption are automatic and transparent to users and applications.
- You can encrypt a file or folder in Windows Explorer and from the command prompt.

EFS Encryption
EFS Decryption
EFS Recovery

Cipher Command-Line Utility
- The cipher command-line utility allows you to encrypt and decrypt files from a command prompt.
- The cipher command includes a number of parameters.

IP Security (IPSec)
- IPSec protects sensitive data on a TCP/IP network.
- The computer initiating communication transparently encrypts the data by using IPSec.
- The destination computer transparently decrypts the data before passing it to the destination process.
- IPSec ensures that any TCP/IP-based communication is secure from network eavesdropping.

IPSec Policies
- Negotiation policies
- IP filters
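The certificate behaviour described under X.509, CA Hierarchy and CA Certificates (the minimum attributes, a self-signed root, a subordinate CA certified by the root, and a client checking CA signatures before accepting a certificate), as an added example in Go using only its standard library. This is a constructed illustration, not Certificate Services or Windows 2000 code; the CA names, serial numbers and validity window are made up.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Issue signs a certificate for subject with the issuer's private key; a nil
// issuer means self-signed, which is how a root CA certificate is made.
func Issue(subject string, serial int64, isCA bool, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	// Minimum attributes from the slide: version (Go emits v3), serial number,
	// signature algorithm (SHA256WithRSA by default for an RSA key), issuer
	// (copied from the parent), validity period, name (subject), public key.
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed root certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// VerifyChain is the client-side check before a certificate is accepted: every
// CA signature must chain up to a trusted (self-signed) root certificate.
func VerifyChain(root, sub, leaf *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
func main() {
	root, rootKey, _ := Issue("Root CA", 1, true, nil, nil)
	sub, subKey, _ := Issue("Subordinate CA", 2, true, root, rootKey)
	leaf, _, _ := Issue("alice", 3, false, sub, subKey)
	fmt.Println("chain valid:", VerifyChain(root, sub, leaf) == nil)
}
```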
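The EFS data-protection and data-recovery model described above (a per-file encryption key, the user's public key, recovery agents named by the recovery policy, and Backup Operators seeing only an opaque stream), as an added Go example that is not Windows or slide code. It assumes AES-GCM in place of the DESX cipher and RSA-OAEP for wrapping the file encryption key; the sample file contents are constructed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// EncryptedFile: opaque ciphertext plus the file encryption key (FEK) wrapped for
// each public key allowed to open it (the user's and each recovery agent's).
type EncryptedFile struct {
	Ciphertext  []byte
	WrappedFEKs [][]byte
}
func gcmFor(fek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(fek) // fek is always 32 bytes here
	aead, _ := cipher.NewGCM(block)
	return aead
}
// Encrypt draws a fresh FEK, encrypts the data with it, then wraps the FEK once
// per public key with RSA-OAEP; no private key is needed to encrypt.
func Encrypt(plaintext []byte, pubs ...*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 44) // random bytes: FEK = buf[:32], GCM nonce = buf[32:]
	rand.Read(buf)          // crypto/rand.Read does not fail on a healthy system
	ef := &EncryptedFile{Ciphertext: gcmFor(buf[:32]).Seal(buf[32:], buf[32:], plaintext, nil)}
	for _, pub := range pubs {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEKs = append(ef.WrappedFEKs, w)
	}
	return ef, nil
}
// Decrypt tries every wrapped FEK with the caller's private key: a principal with
// none of those keys (a Backup Operator, say) gets only the opaque stream, and a
// recovery agent gets the file data but never the user's private key.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEKs {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			return gcmFor(fek).Open(nil, ef.Ciphertext[:12], ef.Ciphertext[12:], nil)
		}
	}
	return nil, fmt.Errorf("no FEK is wrapped for this key")
}
func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := Encrypt([]byte("constructed file contents"), &user.PublicKey, &agent.PublicKey)
	fmt.Println(Decrypt(ef, agent)) // the recovery agent can read the data
}
```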