session 10 tp 10
Microsoft Windows Server 2003 Network Infrastructure – Planning and Maintenance/ Session 10 / Slide 1 of 25
Session 10: Implementing Certificate Services in a Windows Server 2003 Network
Slide 2 of 25: Review
Computers in a network can be categorized as:
- Server
- Desktop workstation
- Portable workstation
When selecting an operating system, consider:
- Application compatibility
- Support issues
- Security features
- Cost
Slide 3 of 25: Review (contd.)
- File permissions are an important security tool on a network
- The Windows registry is modified whenever applications are installed
- Group Policy Objects (GPOs) are used to configure security settings centrally
Slide 4 of 25: Review (contd.)
- Active Directory permissions control who can access and manage objects in the Active Directory database
- Domain controllers need more protection than other servers, because the failure or compromise of a domain controller can be a disaster for the whole network
Slide 5 of 25: Objectives
- Explain Public Key Infrastructure concepts
- Implement Certificate Services
- Use and manage certificates
- Configure Active Directory for certificates
- Troubleshoot Certificate Services
Slide 6 of 25: Public Key Infrastructure
- A collection of software components and operational policies
- The policies govern the distribution and use of public and private keys by means of digital certificates
- In public key encryption every user has two keys: a public key, which can be published freely, and a private key, which only its holder may possess
Slide 7 of 25: Private Key Authentication
- The private key is what lets its holder prove an identity: only the holder can produce a signature that the matching public key verifies, so the private key must never be shared
- Every private key has a corresponding public key
- Data encrypted (signed) with a private key can only be decrypted (verified) with the corresponding public key
- Similarly, data encrypted with a public key can only be decrypted with the corresponding private key
Slide 8 of 25: Private Key Authentication (contd.)
The components of an encryption scheme (described here for a single secret key) are:
- Plaintext: the message to which the algorithm is applied
- Encryption algorithm: performs the mathematical substitutions and transformations on the plaintext
- Secret key: the input that determines the outcome; the same plaintext encrypted under a different key gives different ciphertext
- Ciphertext: the output of applying the encryption algorithm to the plaintext under the secret key
- Decryption algorithm: takes the ciphertext and the secret key and recovers the plaintext
Slide 9 of 25: Public Key Authentication
- Uses public key techniques to authenticate the sender and to verify that the message has not been altered in transit
- Digital signatures are used for this purpose: the sender signs with the private key, and any receiver who has the public key can verify the signature
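The key relationship stated on slides 7 and 9, shown as an added PowerShell example. This is not code from the course; it uses the RSACryptoServiceProvider class that ships with the .NET Framework, and the message strings are constructed samples.

```powershell
# Added example, not from the course: the private/public key relationship of slides 7 and 9
# demonstrated with .NET's RSACryptoServiceProvider. The message strings are constructed samples.
$utf8 = [System.Text.Encoding]::UTF8

# Provider type 24 (PROV_RSA_AES) is needed for SHA-256 signatures; it ships with
# Windows Server 2003 SP1 / Windows XP SP3 and later.
$csp = New-Object System.Security.Cryptography.CspParameters -ArgumentList 24

# Generate a fresh 2048-bit key pair in memory (not persisted to a key container)
$signer = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
$signer.PersistKeyInCsp = $false

# Export the public half only; this is what would be placed in a certificate
$publicXml = $signer.ToXmlString($false)          # $false = exclude the private parameters
$verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
$verifier.PersistKeyInCsp = $false
$verifier.FromXmlString($publicXml)
"Verifier holds only the public key: $($verifier.PublicOnly)"        # True

# 1. Sign with the PRIVATE key: the SHA-256 hash of the data is encrypted with it
$message   = $utf8.GetBytes("Transfer 100 to account 42")
$signature = $signer.SignData($message, "SHA256")

# 2. Verify with the PUBLIC key: succeeds for the original data ...
"Original verifies : $($verifier.VerifyData($message, 'SHA256', $signature))"   # True
# ... and fails if a single byte changed, or if another key pair produced the signature
$tampered = $utf8.GetBytes("Transfer 900 to account 42")
"Tampered verifies : $($verifier.VerifyData($tampered, 'SHA256', $signature))"  # False

# 3. The other direction: anyone with the public key can encrypt, only the private
#    key holder can decrypt ($true selects OAEP padding)
$ciphertext = $verifier.Encrypt($utf8.GetBytes("session key material"), $true)
"Decrypted         : $($utf8.GetString($signer.Decrypt($ciphertext, $true)))"

# 4. The public-only object cannot sign or decrypt: the private operation throws
try   { $verifier.SignData($message, "SHA256") | Out-Null }
catch { "Public-only key cannot sign: $($_.Exception.Message)" }
```

The verifier object is deliberately built from the exported public parameters rather than by reusing `$signer`, so the script proves the property the slide claims: verification and encryption need only the public key, and nothing a verifier holds is enough to forge a signature.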
Slide 10 of 25: Digital Certificate
- Binds a public key to the identity of a person, computer or organization, so that the public key can be trusted to belong to that entity
- Includes:
  - The public key of the entity
  - Information about the entity (the subject)
  - Information about the certification authority (CA) that issued and signed the certificate
Slide 11 of 25: Digital Certificate (contd.)
Certificates are used for the following purposes:
- Server authentication
- Client authentication
- Code signing
- Secure e-mail
- Encrypting File System (EFS)
- IPSec
Slides 12-13 of 25: Digital Certificate (contd.)
The attributes of an X.509 digital certificate are listed in the table:

Attribute                        Description
-------------------------------  ------------------------------------------------------------------------------
Version                          Version of the X.509 standard used to format the certificate (v3 adds extensions)
Serial number                    Number assigned by the CA that uniquely identifies the certificate among those it has issued
Signature algorithm identifier   Algorithm the CA used to compute the digital signature on the certificate
Issuer name                      Name of the CA that issued (and signed) the certificate
Validity period                  Period (not before / not after) during which the certificate is valid
Subject name                     Name of the entity to which the certificate is issued
Slide 14 of 25: Certification Authority
- The CA's signature on a certificate lets any relying party detect modification of its contents: if any field is changed after signing, the signature no longer verifies
- Each CA decides:
  - What information is included in the certificates it issues
  - How that information is verified before a certificate is issued
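Reading the attributes of slides 12-13 out of a certificate file and checking the CA signature and chain of slide 14, as an added PowerShell example. It is not code from the course; the path C:\certs\server.cer is an assumed location, and the classes used are the X509Certificate2 and X509Chain types of the .NET Framework.

```powershell
# Added example, not from the course: inspect the certificate attributes from slides 12-13
# and verify the issuing CA's signature and chain (slide 14). Path is assumed.
$certPath = "C:\certs\server.cer"   # assumed; DER or Base64 X.509 both load
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

"Version            : $($cert.Version)"                          # X.509 version (3 = v3)
"Serial number      : $($cert.SerialNumber)"
"Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
"Issuer             : $($cert.Issuer)"
"Valid from / to    : $($cert.NotBefore) / $($cert.NotAfter)"
"Subject            : $($cert.Subject)"

# Build the chain up to a trusted root. This verifies every CA signature along the path,
# every validity period, and (with the settings below) the CRL of every issuer.
$x509 = "System.Security.Cryptography.X509Certificates"
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

if ($chain.Build($cert)) {
    "Chain OK:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    # Each status says why. NotSignatureValid means the contents were altered after the
    # CA signed (the detection the slide describes); RevocationStatusUnknown means the
    # CRL distribution point in the certificate could not be reached.
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}
```

The command-line equivalent on Windows Server 2003 is `certutil -verify -urlfetch C:\certs\server.cer`, which prints the same attributes and retrieves the CRLs named in the certificate; both approaches fail on a certificate whose bytes were edited after issuance, because the CA signature no longer matches.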
Slide 15 of 25: CA Hierarchy
- A root CA issues a certificate to each subordinate CA; that certificate authorizes the subordinate to issue certificates to users and computers
- A subordinate CA can in turn issue certificates to other CAs, authorizing them to issue certificates to users
- Every issued certificate can therefore be traced through a chain of CA signatures back to the root, which is the only CA a relying party has to trust explicitly
Slide 16 of 25: Types of CA
- Enterprise CA: requires Active Directory; issues certificates to users and computers that have accounts in the forest, based on certificate templates, and can check the requester's identity against Active Directory and issue automatically
- Stand-alone CA: does not require Active Directory; intended for situations in which users outside the enterprise submit requests (requests are held as pending until an administrator approves them) and for offline root CAs
Slide 17 of 25: Requesting a Certificate
An entity can request a certificate using:
- The Certificate Request Wizard (Certificates MMC snap-in)
- Auto-enrollment (driven by Group Policy; enterprise CA only)
- Manual enrollment (a request file generated locally and submitted to the CA)
- The Windows Server 2003 Certificate Services web pages (http://<CA server>/certsrv)
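Manual enrollment from the command line, as an added example that is not from the course. It uses certreq.exe and certutil.exe as shipped with Windows Server 2003 and performs the same steps the Certificate Request Wizard does; the CA configuration string "CA01\Contoso Issuing CA", the subject name and the file paths are assumed values.

```powershell
# Added example, not from the course: manual enrollment with certreq.exe.
# CA name, subject and paths are assumed; run on the computer that needs the certificate.
$inf = @"
[NewRequest]
Subject = "CN=web01.contoso.com"   ; assumed subject
KeyLength = 2048
KeySpec = 1                        ; AT_KEYEXCHANGE: key usable for signing and key exchange
Exportable = FALSE                 ; private key cannot later be exported from the CSP
MachineKeySet = TRUE               ; store the key under the computer, not the logged-on user
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer    ; honoured by an enterprise CA only
"@
Set-Content -Path C:\certs\web01.inf -Value $inf -Encoding Ascii

# 1. Generate the key pair locally and build a PKCS #10 request. The private key is
#    created here and never leaves this computer; only the public key is in the .req file.
certreq -new C:\certs\web01.inf C:\certs\web01.req

# 2. Submit the request. An enterprise CA normally issues at once; a stand-alone CA
#    answers "Certificate request is pending" and prints a request ID.
certreq -submit -config "CA01\Contoso Issuing CA" C:\certs\web01.req C:\certs\web01.cer

# 2b. For a pending request: a Certificate Manager approves it on the CA, then the
#     requester retrieves it (replace <RequestId> with the number printed above):
#     certutil -config "CA01\Contoso Issuing CA" -resubmit <RequestId>
#     certreq -retrieve -config "CA01\Contoso Issuing CA" <RequestId> C:\certs\web01.cer

# 3. Install the issued certificate; this pairs it with the private key created in step 1
certreq -accept C:\certs\web01.cer

# Confirm it is in the computer's Personal store and has its private key attached
certutil -store My "web01.contoso.com"
```

Exportable = FALSE is the setting to check in a real request: with it the key can only be used on this computer and cannot be copied out as a PFX, which is the property that makes the certificate a usable proof of identity for the server.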
Slide 18 of 25: Revoking a Certificate
An administrator revokes a certificate when it must no longer be trusted before it expires, for example when:
- The user leaves the organization
- The user's private key is lost or compromised
- The certificate is misused
The revocation reason recorded in the CRL is one of:
- Unspecified
- Key Compromise
- CA Compromise
- Affiliation Changed
- Superseded
- Cessation of Operation
- Certificate Hold (the only reason that can later be undone)
Slide 19 of 25: Certificate Revocation List (CRL)
- Administrators can publish the CRL:
  - Manually, whenever a certificate is revoked
  - Automatically, on the CA's publication schedule
- The CRL is written to %systemroot%\system32\CertSrv\CertEnroll (an enterprise CA also publishes it to Active Directory)
- Clients locate the CRL through the CRL Distribution Point (CDP) extension in each certificate, so that location must be reachable by every client that checks revocation, and clients keep using a cached CRL until its Next Update time
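Revocation and CRL publication as one procedure (slides 18 and 19), shown as an added example that is not from the course. It uses certutil.exe on the CA; the serial number and the CA configuration string are assumed values, and the commands must be run by a Certificate Manager.

```powershell
# Added example, not from the course: revoke a certificate, publish the CRL, and check
# what clients will see. Serial number and CA name are assumed.
$serial = "6100000002ab5cd2f1e0000000000002"   # assumed serial of the certificate to revoke
$ca     = "CA01\Contoso Issuing CA"             # assumed CA configuration string

# Reason codes (RFC 3280 CRLReason): 0 Unspecified, 1 KeyCompromise, 2 CACompromise,
# 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold.
# CertificateHold is the only reversible one (reason -1 un-revokes a held certificate).
certutil -config $ca -revoke $serial 1

# Publish a new base CRL now instead of waiting for the scheduled publication, so the
# revocation reaches the CDP. The file lands in %systemroot%\system32\CertSrv\CertEnroll
# (and in Active Directory for an enterprise CA).
certutil -config $ca -crl

# Inspect the newest base CRL (files ending in "+.crl" are delta CRLs). The revoked
# serial must be listed with its reason code; "NextUpdate" shows how long a client may
# keep using an older cached CRL, which is the delay before the revocation takes effect.
$crlFile = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
           Where-Object { $_.Name -notlike "*+.crl" } |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crlFile.FullName

# The CA's own record of the certificate: Disposition changes from Issued to Revoked
certutil -config $ca -view -restrict "SerialNumber=$serial" -out "RequestID,Disposition,RevokedWhen,RevokedReason"
```

The last two checks matter more than the first two commands: a revocation the CA has recorded but that is not present in the CRL clients can fetch before its Next Update is, from the relying party's point of view, no revocation at all.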
Slide 20 of 25: Backing Up CA Data
Certificate Services data can be backed up using:
- The Windows Backup utility (ntbackup.exe), which includes the CA database in a System State backup
- The Certification Authority console (Back up CA wizard)
Back up more often the more certificates the CA issues: every certificate issued since the last backup is missing from the CA database after a restore. The backup contains the CA's private key, so protect the backup media and password as carefully as the CA itself.
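Backing up and restoring the CA from the command line, as an added example that is not from the course. It uses certutil.exe, which performs the same backup as the Certification Authority console's wizard; the backup directory and password are assumed values, and the commands must be run on the CA with administrative rights.

```powershell
# Added example, not from the course: CA backup and restore with certutil.exe.
# Directory and password are assumed; the directory must not yet exist or must be empty.
$backupDir = "D:\CABackup\$(Get-Date -Format yyyyMMdd)"   # assumed location
$password  = "ChangeMe-Backup-Pw"                          # assumed; protects the CA key in the PFX

# Full backup: the CA certificate with its PRIVATE KEY (as a password-protected PFX)
# plus the certificate database and its log files.
certutil -p $password -backup $backupDir

# Between full backups, an incremental database-only backup is cheaper and is what you
# run frequently on a busy CA, since certificates issued after the last backup are
# otherwise lost from the database on restore.
# certutil -backupDB "$backupDir\db-incremental" Incremental

# What you must protect: the PFX in $backupDir holds the CA's signing key. Anyone who
# obtains it together with the password can issue certificates the whole domain trusts.
Get-ChildItem $backupDir -Recurse | Select-Object FullName, Length

# certutil -backup does not include the CA's registry configuration (CRL periods,
# CDP/AIA URLs, policy settings); export it alongside the backup.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$backupDir\CertSvc-config.reg"

# Restore onto a rebuilt server with the same computer name and CA name:
# net stop certsvc
# certutil -f -p $password -restore $backupDir
# reg import "$backupDir\CertSvc-config.reg"
# net start certsvc
```

A restore test on a separate machine is the only way to know the backup is usable; in particular the registry export is what brings back the CRL and CDP settings, without which the restored CA publishes CRLs clients cannot find.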
Slide 21 of 25: Importing and Exporting Certificates
Certificates can be imported or exported in the following file formats:
- DER encoded binary X.509 (.cer): a single certificate, public key only
- Base64 encoded X.509 (.cer): the same certificate as text, suitable for e-mail and copy/paste
- Cryptographic Message Syntax Standard, PKCS #7 (.p7b): one or more certificates, typically a certificate with its CA chain, no private key
- Personal Information Exchange, PKCS #12 (.pfx): the certificate together with its private key, protected by a password; the only format that carries the private key
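Exporting one certificate in each of the four formats and importing it again, as an added PowerShell example that is not from the course. It uses the X509Certificate2 classes of the .NET Framework plus certutil.exe; the thumbprint, the paths and the PFX password are assumed values.

```powershell
# Added example, not from the course: the four export formats of slide 21 side by side.
# Thumbprint, paths and password are assumed; take a real thumbprint from: certutil -store My
$thumb = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"   # assumed thumbprint in the computer's Personal store
$x509  = "System.Security.Cryptography.X509Certificates"
$ct    = [System.Security.Cryptography.X509Certificates.X509ContentType]

$store = New-Object "$x509.X509Store" -ArgumentList "My", "LocalMachine"
$store.Open("ReadOnly")
$cert = $store.Certificates.Find("FindByThumbprint", $thumb, $false)[0]
$store.Close()

# 1. DER encoded binary X.509: the raw certificate, public key only
[IO.File]::WriteAllBytes("C:\certs\export.cer", $cert.Export($ct::Cert))

# 2. Base64 encoded X.509: the same bytes wrapped in BEGIN/END CERTIFICATE lines
certutil -encode C:\certs\export.cer C:\certs\export.pem

# 3. PKCS #7: a container for several certificates. Here: the certificate and every CA
#    certificate in its chain, still no private key.
$chain = New-Object "$x509.X509Chain"
$null  = $chain.Build($cert)                      # elements are filled even if the chain has errors
$bag   = New-Object "$x509.X509Certificate2Collection"
foreach ($element in $chain.ChainElements) { $null = $bag.Add($element.Certificate) }
[IO.File]::WriteAllBytes("C:\certs\export.p7b", $bag.Export($ct::Pkcs7))

# 4. PKCS #12 (PFX): the ONLY format that includes the private key. The file is encrypted
#    with the password; handle it like the key itself. Export fails if the key was
#    created non-exportable, which is the intended protection for server keys.
$pfxPassword = "ChangeMe-Pfx-Pw"   # assumed
[IO.File]::WriteAllBytes("C:\certs\export.pfx", $cert.Export($ct::Pfx, $pfxPassword))

# Import: a CA certificate into the computer's Trusted Root store (public part only) ...
certutil -addstore Root C:\certs\export.cer
# ... and a PFX with its private key into the computer's Personal store
certutil -p $pfxPassword -importPFX C:\certs\export.pfx
```

The first three files can be handed to anyone; only the .pfx needs the handling the slide on backups describes, because it is the private key, and `certutil -importPFX` on another machine gives that machine the same identity.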
Slide 22 of 25: Active Directory and Certificates
- Active Directory is the Windows-based directory service
- It lets network users access resources anywhere on the network with a single logon
- External users also need to be authenticated but have no account in Active Directory; a certificate gives them a credential without one (issued, for example, by a stand-alone CA)
Slide 23 of 25: Summary
- A Public Key Infrastructure is a collection of software components and operational policies
- The private key is the means by which an identity is authenticated
- Public keys provide the identification service (they can be published and bound to a name in a certificate); private keys provide the authentication service (only the holder can use them)
Slide 24 of 25: Summary (contd.)
- Public key authentication uses public key techniques to authenticate the sender and verify the authenticity of a message
- Digital signatures are the electronic equivalent of a handwritten signature: they prove who signed and that the content has not changed since
- The CA's signature on a certificate ensures that any modification of its contents is detected
Slide 25 of 25: Summary (contd.)
- Windows Server 2003 has two types of CA: enterprise and stand-alone
- Active Directory is the Windows-based directory service