To restore certificates and key pairs onto any system, the administrator uses the import function of the Certificate Manager. Exercise 9.2 walks you through exporting a certificate and its private key.
Exercise 9.2 Exporting a Certificate and a Private Key
You must first create a custom console containing the certificate snap-in:
1 Click Start.
2 Click Run.
3 Type MMC in the Open line.
4 Click OK. This will open a blank MMC.
5 You now need to add the Certificate snap-in. Click on Console.
6 Choose Add/Remove Snap-in from the pop-up menu.
7 Click Add.
8 Choose Certificates from the list of available snap-ins.
9 Select My User Account.
10 Click Finish.
11 Click Close on the Add Standalone Snap-in window.
12 Click OK on the Add/Remove Snap-in window.
Now you can use your custom console to complete this exercise:
1 Expand Certificates – Current User.
2 Expand Personal.
3 Select Certificates.
4 In the details pane (right side), right-click the certificate that you want to export and choose All Tasks | Export (see Figure 9.18). This will start the Certificate Export Wizard shown in Figure 9.19.
5 Click Next to continue the wizard.
6 Figure 9.20 shows the Export Private Key window. Use this window to choose whether you want to export the certificate and its private key, or just the certificate. Select the radio button labeled Yes, export the private key. Click Next to continue. This will give you the window shown in Figure 9.21.
Figure 9.18 The Certificate Snap-In
Figure 9.19 Starting the Certificate Export Wizard
7 Select the file format that you want to use and click Next.
8 You will now be prompted for a password (as shown in Figure 9.22) to assign to the private key. Enter the password twice and click Next.
9 You will now be asked to specify the name and path of the file you want to export, as shown in Figure 9.23. Enter the name and click Next to continue. This will give you the window shown in Figure 9.24.
Figure 9.20 Exporting the Private Key
Figure 9.21 Choosing an Export File Format
Figure 9.22 Entering a Password
Figure 9.23 Selecting an Export File Name
Figure 9.24 Completing the Certificate Export Wizard
10 Verify that the information is correct and click Finish to complete the Certificate Export Wizard. If all is successful, you will be presented with the window shown in Figure 9.25.
11 Click OK.
Before doing an export operation of the certificate and key pairs, the administrator should look at the CSP being used. When the Microsoft CSP is used, the exporting of key pairs will occur only if the exportable flag CRYPT_EXPORTABLE was set at the time the key was created. Some third-party CSPs may not support the backup and the restoration of key pairs and their certificates. When this is the case, only a complete system image backup is possible.
Certificate Enrollment
The guarantee that a public key is truly owned by the entity lies in the public key–based certificates. The Windows 2000 PKI includes certificate enrollment to the Microsoft Enterprise certificate authority or to other third-party CAs. You can use the Certificate Request Wizard or the Certificate Services Web page to request a certificate. The wizard is only available when requesting a certificate from an Enterprise CA. Exercise 9.3 walks you through requesting a certificate with the Certificate Request Wizard via the Certificate Snap-in, and Exercise 9.4 walks you through requesting a certificate with the certificate request Web page.
Exercise 9.3 Requesting a User Certificate with the Certificate Request Wizard
You must first create a custom console containing the certificate snap-in:
1 Click Start.
2 Click Run.
3 Type MMC in the Open line.
4 Click OK. This will open a blank MMC.
Figure 9.25 The Export Successful Window
5 You now need to add the Certificate Snap-in. Click on Console.
6 Choose Add/Remove Snap-in from the pop-up menu.
7 Click Add.
8 Choose Certificates from the list of available snap-ins.
9 Select My User Account.
10 Click Finish.
11 Click Close on the Add Standalone Snap-in window.
12 Click OK on the Add/Remove Snap-in window.
Now you can use your custom console to complete this exercise:
1 Expand Certificates – Current User.
2 Expand Personal.
3 Right-click on Certificates.
4 Choose All Tasks | Request New Certificate from the pop-up menu (see Figure 9.26). This will start the Certificate Request Wizard shown in Figure 9.27.
Figure 9.26 Requesting New Certificates
5 Click Next to continue the wizard.
6 You will now be prompted for what type of certificate to request, as shown in Figure 9.28. Choose the correct certificate type (User for this example) and click Next. This will give you the window shown in Figure 9.29.
7 Choose a CSP and click Next.
Figure 9.27 The Certificate Request Wizard
Figure 9.28 Choosing a Certificate Template
8 You must now select a CA to request from, as shown in Figure 9.30. Select your CA and click Next to proceed.
9 You will now be asked to key in a name and description for your certificate, as shown in Figure 9.31. Key in your information and click
11 You may now view or install the granted certificate (see Figure 9.33). Click Install Certificate to install the certificate. If installation is successful, you will be given the successful installation window shown in Figure 9.34.
12 Click OK.
Figure 9.31 Entering a Name and Description for a New Certificate
Figure 9.32 Completing the Certificate Request Wizard
Exercise 9.4 Requesting an EFS Recovery Agent Certificate from the CA Web Page
1 Open your Web browser.
2 Type in http://server_name/certsrv (where server_name is the name of your certificate server). This will give you the page shown in Figure 9.35.
Figure 9.33 Installing a Certificate
Figure 9.34 The Successful Installation Window
Figure 9.35 The Certificate Services Request Page
3 Select Request a certificate and click Next. This is also where you can check on a previous certificate request or request a CRL. This will take you to the page shown in Figure 9.36.
4 Select Advanced request and click Next. This will take you to the page shown in Figure 9.37.
5 Choose Submit a certificate request to this CA using a form. You must next choose a certificate template, as shown in Figure 9.38.
6 Select EFS Recovery Agent. Scroll down to the bottom of the page and click Submit. You will now be issued the certificate, as shown in Figure 9.39.
7 Now that you have been issued the certificate, you must install it. Click on the Install this certificate link. This will install the certificate and present you with the installation successful window shown in Figure 9.40.
Figure 9.36 Choosing a Request Type
Figure 9.37 Advanced Certificate Request
Figure 9.38 Choosing a Certificate Template and Key Options
Figure 9.39 Issuing and Installing a Certificate
Figure 9.40 Certificate Installation Successful
The certificate enrollment used by Microsoft in Windows 2000 is based on the industry standards PKCS-10 and PKCS-7. PKCS-10 is the standard for a certificate request message, and PKCS-7 contains the issued certificate or certificate chain. The Windows 2000 operating system currently supports certificates based on RSA keys and signatures, Diffie-Hellman keys, and Digital Signature Algorithm (DSA) keys and signatures.
The Microsoft-supplied enrollment control XENROLL.dll provides support for both PKCS-10 and PKCS-7. The dynamic link library allows enrollment to be Web-based by use of scripts or through Interprocess Communication mechanisms such as RPCs and DCOM. Enrollment can be completed through e-mails, an enrollment wizard, and a policy-driven enrollment that occurs as part of the logon process. The enrollment allows the calling application to supply the needed attributes in the PKCS-10 message request. The certificate enrollment provides for the creation of an internal binding between the certificate, the key pair container, and the CSP. In the future, the certificate enrollment will be implemented under Certificate Request Syntax, which is an IAB protocol that is currently in the draft stage.
Renewal
Much like a credit card's expiration date, a certificate, for security reasons, should be valid only for a period of time. The certificate renewal is processed more efficiently than the certificate enrollment because the renewal certificate will contain the same attributes as the existing certificate, so verification is not needed.
Currently in Windows 2000, only automatically enrolled certificates support renewal and may use the existing public key or a new public key. All other generated certificates are handled through a complete certificate enrollment process, including verification.
As with the certificate enrollment, the Internet community is working on a mechanism for defining the message protocol for a renewal certificate. We should expect to see this standard in Windows 2000 as soon as the protocol gets to the official standard stage.
Using Keys and Certificates
In the Windows 2000 operating system, the Local Security Authority Subsystem is in the user mode. This security subsystem in Windows 2000 must take on additional functions to support the new security features. The Microsoft CryptoAPI subsystem manages both the CSP and the certificate stores. Within the Windows 2000 PKI, the keys are managed by the CSPs, whereas the certificates are managed by the certificate stores.
Certificates and their properties are stored in the certificate stores. These stores are logical stores in that they present a systemwide view of available certificates that may exist on numerous physical stores. The applications can locate and decode the certificates by these services of the CryptoAPI subsystem.
Any PKI defines five standard certificate stores:
■ CA Stores issuing and intermediate certificate authority certificates to use in the certificate hierarchical structure.
■ MY Stores a user's or computer's certificates for which the related private key is available.
■ ROOT Stores only the self-signed certificate authority certificates for Trusted Root CAs.
■ TRUST Stores the Certificate Trust Lists (CTLs). This is an alternate way to specify a certificate hierarchy.
■ UserDS Stores a logical view of a certificate repository that is located in the Active Directory and is used to simplify access to the certificate stores.
Roaming
The logging-in process of the Windows 2000 operating system allows the user to use any available computer in the domain. Microsoft had to make sure that a user's cryptographic keys and certificates are available wherever login occurs. The user must be guaranteed to use the same public key–based application no matter what computer is available for their use.
The PKI of Windows 2000 supports the roaming user in two ways. The Microsoft-provided CSP allows the roaming profiles to support the roaming use of keys and certificates. As with the Windows NT roaming profile, the process is transparent to the end user when roaming profiles are enabled. The second way to support the use of roaming keys and certificates is through the implementation of hardware devices such as smart cards, which contain the user's certificates and private keys. Because a smart card is the size of a credit card, the user can easily carry it.
Certificates tend to be issued with an average lifetime of two or three years. Until the expiration date, there could be many reasons to cease trusting the credentials. From a security point of view, any of these circumstances would certainly warrant the revoking of a certificate:
■ An entity's private key has been compromised
■ A project with another organization is completed
■ The employee has changed status within the company
■ A department is to cease having access to certain information
■ The certificate was obtained through forgery
The Windows 2000 public key functions are based on distributed verification, so any revocation of certificates also will be handled in a distributed fashion. There is no need to create a central location for revocation information.
Microsoft designed Windows 2000 revocation around the industry-standard certificate revocation lists. The Microsoft Enterprise certificate authority publishes the CRLs to Active Directory. From here, the domain clients can obtain the information, cache it to the local machine, and then read it from the cache when certificates are verified. The clients can verify certificates when they use a commercial certificate authority or any third-party CA, as long as the published certificate revocation list is available over the network. Exercise 9.5 walks you through revoking a certificate and manually publishing a new CRL.
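The enrollment mechanics described earlier (a PKCS-10 request answered with a CA-signed certificate) and the CRL-based revocation just described, worked through with Go's standard crypto/x509 package as an added example; this is not code from the chapter, from XENROLL.dll or from Certificate Services. The CA name, subject and key usages are constructed, Go's extended key usages stand in for the template's "purposes", and the CRL is passed around as DER bytes in place of the Active Directory publication point.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA stands in for the enterprise CA of the exercises; constructed for this example.
type CA struct{ Cert *x509.Certificate; Key *rsa.PrivateKey }

// NewCA builds a self-signed root, the certificate a client holds in its ROOT store.
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Enroll is the requester's side: a fresh key pair signs a PKCS-10 request.
func Enroll(commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csr, err
}

// Issue is the CA's side: the PKCS-10 self-signature proves possession of the
// private key; the extended key usages play the role of the template's purposes.
func (ca *CA) Issue(csrDER []byte, usages []x509.ExtKeyUsage) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request not signed by the key it carries: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, ExtKeyUsage: usages,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(2, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublishCRL is steps 7 and 8 of Exercise 9.5 together: list the revoked serial numbers
// and sign the list with the CA key. Until a CRL naming the serial is published, clients keep trusting it.
func (ca *CA) PublishCRL(revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{RevokedCertificates: entries, Number: big.NewInt(time.Now().UnixNano()),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().AddDate(0, 0, 7)}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Verify is the client's check: a chain to the trusted root, a use matching the
// application, and no entry on a CRL signed by that same root.
func Verify(cert, root *x509.Certificate, use x509.ExtKeyUsage, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{use}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is on the CRL", cert.SerialNumber)
		}
	}
	return nil
}
```

A client that skips the CRL step, or accepts a CRL it has not checked against the root, keeps trusting a revoked certificate until the certificate itself expires.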
Exercise 9.5 Revoking a Certificate and Publishing a CRL
1 Click Start.
2 Go to Programs | Administrative Tools.
3 Open Certification Authority, shown in Figure 9.41.
4 Expand the name of your CA (Company Name CA in this example).
5 Select Issued Certificates.
6 In the details pane (right side), right-click the certificate that you want to revoke and choose All Tasks | Revoke Certificate from the pop-up menu.
7 You will now be asked (see Figure 9.42) if you are sure that you want to revoke the selected certificate. If you are sure, pick a reason code and click Yes to revoke the certificate. The possible reason codes are the
8 To publish a new CRL (as shown in Figure 9.43), right-click on Revoked Certificates and choose All Tasks | Publish from the pop-up menu. If your CRL hasn't expired, this will give you the window shown in Figure 9.44.
9 Click Yes to publish the new CRL.
Figure 9.41 Revoking a Certificate
does in fact belong to the entity. Two conditions must be met before any certificate verification is assumed to be valid. First, the entity's certificate must be shown to be linked to a known Trusted Root certificate authority of the client. Second, the intended certificate's use must be in line with the application. If either of these two conditions is not satisfied, the certificate is assumed to be invalid.
Trust relationships that the client has initially available should be automatically propagated as part of the Enterprise policy. As an exception, Windows 2000 will allow users to install or remove the root certificate authority they want to trust. These trusts affect only the users themselves. Any trust established with a root certificate authority can thus be configured with user restrictions. Exercise 9.6 walks you through trusting a root CA by importing one of their certificates.
Exercise 9.6 Importing a Certificate from a Trusted Root CA
You must first create a custom console containing the certificate snap-in:
1 Click Start.
2 Click Run.
3 Type MMC in the Open line.
4 Click OK. This will open a blank MMC.
5 You now need to add the Certificate Snap-in. Click on Console.
6 Choose Add/Remove Snap-in from the pop-up menu.
7 Click Add.
8 Choose Certificates from the list of available snap-ins.
9 Select My User Account.
10 Click Finish.
11 Click Close on the Add Standalone Snap-in window.
12 Click OK on the Add/Remove Snap-in window.
Now you can use your custom console to complete this exercise:
1 Expand Certificates – Current User.
2 Expand Trusted Root Certification Authorities.
3 Right-click Certificates and choose Import from the pop-up menu (see Figure 9.45). This will start the Certificate Import Wizard shown in Figure 9.46.
4 Click Next to continue the wizard.
Figure 9.45 Starting the Certificate Import Wizard
Figure 9.46 The Certificate Import Wizard
5 You will now be asked to select a file to import, as shown in Figure 9.47. Browse to the CA's certificate and click Next. This will give you the password screen shown in Figure 9.48.
6 Type the password assigned to the file and click Next to continue.
7 Choose where to place the certificate (see Figure 9.49) and click Next. This will give you the window shown in Figure 9.50.
Figure 9.47 Selecting a File to Import
Figure 9.48 Selecting a Password
8 Verify that you have made the correct choices and click Finish to complete the wizard.
9 You will now be prompted to add the certificate to the Root Store, as shown in Figure 9.51. Click Yes. If the addition is successful, you will be given the window shown in Figure 9.52.
Figure 9.49 Choosing a Certificate Store
Figure 9.50 Completing the Certificate Import Wizard
Public Key Security Policy in Windows 2000
Windows 2000 fully uses the Kerberos security standard, thus providing single-point logons at the enterprise level. Any policy, which would therefore include the security policy, can be globally established for the entire enterprise, a site, a domain, or an organizational unit. The security policy, once set, would then affect the groups of users or computers defined on the network.
The Public Key security policy is just one element of the overall Windows 2000 security policy and is a component of the PKI. The security policy will be enforced globally, but for ease of administration, it can be centrally defined and managed.
Trusted CA Roots
Any user with the necessary software can generate a key pair, so the organization needs some means to guarantee that a key is in fact valid for a particular user or company. The certificate authorities are responsible for providing this needed guarantee. The certificate authorities can handle this task easily by storing the public key and maintaining a list of issued certificates.
The structure for the certificate authorities model has been designed as a hierarchy, which contains multiple certificate authorities with defined parent-child relationships (see Figure 9.53). The certificate authority at the very top of the hierarchy is referred to as a root CA. The children are certified by certificates issued for them by their parents. One advantage of a hierarchical structure over a linear structure is that few trusts are needed with the root certificate authorities.
Figure 9.51 Root Certificate Store Verification Window
Figure 9.52 The Import Was Successful Window
The Microsoft Management Console Certificate snap-in is the administrative tool used to specify which certificate authority to trust. It is through this application that Trusted Root certificate authorities are defined so that the proper certificate authority is used by the clients in verifying certificates. If you create a certificate authority, its certificate should be added so that it is used as a trusted certificate authority. The trust created by default is for only one computer, but through the group policy editor the certificate authority can be set for global implementation. If you do not want to trust a particular certificate authority, make sure that this certificate authority is removed.
The hierarchical model allows trust relationships with other organizations to be implemented easily. For example, if ABC Corporation is a subordinate certificate authority of the public root of which XYZ Corporation is also a subordinate, the two corporations automatically trust each other. Figure 9.53 shows the relationship between the two companies and the root certificate authority.
The certificate authority contains numerous properties that are tied to its use. The administrator can use the Microsoft Management Console Certificate snap-in to specify the certificate policy that will control the generation and use of certificates by the CA, as shown in Figure 9.54. When they are specified, the properties will restrict when certificates are valid. A user can use the certificate to validate secure mail but may not be allowed to use the certificate's private key for digital signatures. These objects may be restricted in any combination:
Figure 9.53 (diagram) Root CA; Issuing CA XYZ Corp.
■ Microsoft Encrypted File System
To make the PKI transparent to the user, Windows 2000 had to make it possible to support automatic certificate enrollment, which is controlled by certificate types and auto-enrollment objects. Both of these elements are integrated with the group policy object, so they can be defined at the site, the domain, the organizational unit, the computer, or the user level. Exercise 9.7 walks you through configuring automatic certificate enrollment through a group policy object.
Exercise 9.7 Configuring Automatic Certificate Enrollment through Group Policy
1 Click Start.
2 Go to Programs | Administrative Tools.
3 Open Active Directory Users and Computers.
Figure 9.54 Certificate Authority Properties
4 Right-click on the domain.
5 Choose Properties from the pop-up box.
6 Click on the Group Policy tab.
7 Select the Default Domain Policy group policy object.
8 Click Edit.This will give you the window shown in Figure 9.55.
9 Expand Computer Configuration.
10 Expand Windows Settings.
11 Expand Security Settings.
12 Expand Public Key Policies.
13 Right-click Automatic Certificate Request Settings, as shown in Figure 9.55, and choose New | Automatic Certificate Request. This will open the Automatic Certificate Request Setup Wizard.
14 Click Next on the welcome window to continue the wizard, as shown in Figure 9.56.
15 Choose a certificate template and click Next to continue. You will now be presented with the window shown in Figure 9.57.
Figure 9.55 The Group Policy Editor
16 Choose the CA that should issue the certificate and click Next. This will give you the completion window shown in Figure 9.58.
17 Click Finish to end the wizard.
Figure 9.56 Choosing a Certificate Template
Figure 9.57 Selecting a Certification Authority
Certificate Enrollment and Renewal
Certificate types are templates used to define policies that control the generation and use of a certificate. The template is identified by having a common name that usually associates with the group for which the template was designed, such as the template named Engineers.
The template defines components that will be incorporated into the certificate, such as the following:
Certification Authority Console, as shown in Exercise 9.8. Table 9.1 lists the types of user templates available by default, and Table 9.2 lists the types of computer templates available by default.
Figure 9.58 Completing the Automatic Certificate Request Setup Wizard
Exercise 9.8 Changing the Templates Available on the Enterprise Certification Authority
1 Click Start.
2 Go to Programs | Administrative Tools.
3 Open Certification Authority.
4 Expand the name of your CA (Company Name CA for this example).
5 Right-click Policy Settings, as shown in Figure 9.59.
6 Choose New | Certificate to Issue from the pop-up menu. This will give you the window shown in Figure 9.60.
7 Select the certificate template to be available on your CA and click OK.
Figure 9.59Selecting the Certificates to Issue
Table 9.1 Templates Available for Users
Template Name                                Purposes
Administrator                                Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication
Certification authority                      All
ClientAuth                                   Client authentication
CodeSigning                                  Code signing
CTLSigning                                   Microsoft trust list signing
EFS                                          Encrypting File System
EFSRecovery                                  File recovery
EnrollmentAgent                              Certificate request agent
SmartcardLogon                               Client authentication
SmartcardUser                                Client authentication, secure e-mail
User                                         Encrypting File System, secure e-mail, client authentication
UserSignature                                Secure e-mail, client authentication
Exchange enrollment agent (offline request)  Certificate request agent
Exchange user                                Secure e-mail, client authentication
Exchange user signature                      Secure e-mail, client authentication
Figure 9.60 Adding New Templates
Table 9.2 Templates Available for Machines
Certificate Template Name     Certificate Purposes
Certification authority       All
Domain controller             Client authentication, server authentication
IPSECIntermediateOffline      IP Security
IPSECIntermediateOnline       IP Security
MachineEnrollmentAgent        Certificate request agent
Machine                       Client authentication, server authentication
OfflineRouter                 Client authentication
WebServer                     Server authentication
Exchange user signature       Secure e-mail, client authentication
Smart Card Logon
Smart card logon is controlled by the policy established with the user object. The policy can be set one of two ways. The smart card logon policy can be set to enforce smart card logon, so password-based logon is not available. The disadvantage of setting the policy in this fashion is that users must have their smart card and a computer available with a smart card reader in order to log on. The second way to set the policy for smart card logons is to enable smart card logon, which will still allow password-based logons to occur on the network. Both smart card policies will add security to prevent unauthorized access.
Applications Overview
The PKI gives the Windows 2000 operating system a way to integrate services and tools to manage the public key–based applications. As application programmers implement the secret key– or public key–based security model into their code, organizations gain new security functionality. Some applications already have the public key mechanisms available, because the programmers have made use of the PKI. When the PKI has been configured, an application can use the public key cryptography. If it is correctly written, this will keep the entire encryption process transparent to the user.
Web Security
Windows 2000 provides support for both Secure Sockets Layer/Transport Layer Security (SSL/TLS) and Server Gated Cryptography (SGC) to ensure secure Web communications. SGC is an extension to SSL 3.0, which was defined to secure online banking sessions.
The TLS can be used to access any kind of Web site. Due to export restrictions, the TLS comes in a 128-bit and a 40-bit encryption version. The secure channel is established by the use of certificates and public keys. The client will first send a hello message to the server and will then receive the server's certificate. The server is authenticated by the client, using the certificate authority's public key. After the server is guaranteed, the client generates a session key of the appropriate size. The client then secures the session key by encrypting it with the server's public key. When the server receives the encrypted session key, it uses its private key to decrypt this session key. Now both the client and the server will securely use the session key to exchange sensitive data.
The SGC process is similar to the TLS process. The first major difference is that the server's certificate must come from an authorized certificate authority. SGC will reset and then restart the handshake after the SGC certificate is detected. The final major difference between TLS and SGC is that a 128-bit session key is always generated, even if one party is outside the United States.
To take advantage of TLS and SGC, both the client and the server must have certificates issued by the same trusted certificate authority. Only when the two parties are using a common certificate authority can the parties authenticate each other. The certificates exchanged rely on the use of key pair encryption in order to end up with a secret session key.
Web security involves the authentication of both the client and the server. It also involves the encryption of data between the two parties to prevent public readability. The client guarantees the server by comparing the certificate authority's public key to the certificate authority's signature on the server's certificate. The server guarantees the client by using its private key to get to the session key. The session key has been encrypted with the public key, so the only way to decrypt the session key is through the private key out of the key pair.
Secure E-Mail
Secure e-mail has always been part of the Exchange Server product. Exchange Server's advanced security enables users to keep data private during message transfer through encryption and digital signatures. The Key Management server component stores and manages the security database, and it creates and maintains backups of public and private encryption keys and the Certificate Revocation List. Exchange Server supports S/MIME mail, which is part of a PKI.
In order to send an encrypted mail message, first the message that contains the sensitive data is composed. The sender obtains the public key of the receiver. A bulk encryption key is generated, and then the sensitive data is encrypted with this key. After the document is in ciphertext, the bulk encryption key is encrypted, using the receiver's public key. The message is now ready to be delivered. The receiver uses the private key in order to gain access to the bulk encryption key. The receiver then uses the bulk encryption key to return the document.
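The sender and receiver sequence just described, which is also the key transport the TLS description above uses for its session key, as an added Go example that is not code from the chapter or from Exchange Server: the sender signs the composed message, generates a bulk key, encrypts the data with it and encrypts the bulk key to the receiver's public key; the receiver reverses the steps and checks the signature. AES-256-GCM and RSA-OAEP are assumed as the bulk and key-transport algorithms, and the Envelope struct is a constructed container, not the S/MIME wire format.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Envelope carries what the chapter describes for an encrypted, signed message:
// the body under a bulk key, the bulk key under the receiver's public key, and
// the sender's signature over the plaintext. Constructed for this example; it is
// not the S/MIME wire format.
type Envelope struct {
	WrappedKey []byte // bulk key, RSA-OAEP encrypted to the receiver
	Nonce      []byte
	Body       []byte // AES-GCM ciphertext of the sensitive data
	Signature  []byte // PKCS#1 v1.5 signature over SHA-256(plaintext)
}

// newGCM turns a bulk key into the symmetric cipher used for the body.
func newGCM(bulk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(bulk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's sequence: sign the composed message, generate a bulk
// key, encrypt the data with it, then encrypt the bulk key to the receiver.
func Seal(msg []byte, receiver *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	bulk := make([]byte, 32) // AES-256 stands in for the era's bulk ciphers
	if _, err := io.ReadFull(rand.Reader, bulk); err != nil {
		return nil, err
	}
	gcm, err := newGCM(bulk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, bulk, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Body: gcm.Seal(nil, nonce, msg, nil), Signature: sig}, nil
}

// Open is the receiver's sequence: only the matching private key recovers the
// bulk key; the bulk key returns the document; the signature ties it to the sender.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	bulk, err := rsa.DecryptOAEP(sha256.New(), nil, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("bulk key was not encrypted to this private key")
	}
	gcm, err := newGCM(bulk)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, errors.New("body was altered or the bulk key is wrong")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, errors.New("signature does not verify with the claimed sender's public key")
	}
	return msg, nil
}
```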
Digitally Signed Content
Microsoft PKI includes a code-signing technology, Authenticode, with the release of Windows 2000. As more people use the Internet to download information, the question of security comes to the surface quickly. Authenticode ensures the integrity and origin of software distributed by vendors over the Internet. This is, in effect, a digital signature; Authenticode is based on digital signature technology. Authenticode adds a digital signature, a code-signing certificate, and a timestamp to the downloadable software. The software that Authenticode can guarantee includes Java applets, ActiveX controls, cabinet files, dynamic link libraries, executable files, and catalog files.
Authenticode does not stop with the download process; it also verifies downloaded code before you use it on your local computer. Authenticode uses code signing and code verification to perform its tasks.
Before you can sign code, you need to obtain a code-signing certificate from a certificate authority. This is sometimes referred to as obtaining a software publishing certificate. With this code-signing certificate, you can then use the Authenticode signing functions from the ActiveX Software Developer's Kit. The digital signature will be created by a hashing algorithm used on the code you want to secure, and the private key is then used to sign the hash. The software will then build a signature block that contains the digital signature and the code-signing certificate. The timestamped signature block is then bound to the original software code. At this point you are ready to publish the signed software on your Web site for downloading purposes.
Built into Internet Explorer is the second technique of Authenticode: code verification. Before any signed code can run, it calls up the code verification function to check three important items: the signature, the publisher's certificate, and the timestamp. A security warning window will display the name of the code, the name of the organization, when the publisher authenticated the code, and the name of the certificate authority that issued the code-signing certificate. The user has the ability at this time to decide to accept or reject the published software. Figure 9.61 shows a security warning window received while the Internet Explorer application is used.
Internet Explorer allows the user to set up a security policy for Authenticode with four security levels: high, medium, low, and custom. Table 9.3 identifies each security level.
Figure 9.61 Windows Security Warning Dialog Box
Table 9.3 Security Levels
Level     Behavior
High      Does not execute damaged code
Medium    Warns you before running potentially damaged code
Low       Always runs the code
Custom    Can choose the security level setting for software codes and security zones
Encrypting File System
Windows 2000 enables users to encrypt files that contain sensitive information as long as they are stored on an NTFS partition. The Encrypting File System can be set at both the directory and the file level and is transparent to users when they have indicated that they want encryption to be implemented. Applications will have access to encrypted objects in the same fashion as non-encrypted objects.
Windows 2000 uses both symmetric and asymmetric algorithms to encrypt a file. The file is encrypted using the secret File Encryption Key, along with the DESX algorithm. To protect the File Encryption Key from hackers, it is then encrypted by the owner's public key. This means that the owner's private key is needed in order to decrypt the file.
No additional configuration steps are needed for the user who works with sensitive data. When the file or directory is marked for encryption, all the encrypting and decrypting activity is transparent to the user. The user can identify for the operating system what files are to be encrypted through either Windows Explorer or the Cipher command line utility.
The Encrypting File System also supports a recovery policy in the Windows 2000 operating system. The administrator has to designate trusted Recovery Agents, which generate a recovery key pair and will be issued a certificate by the certificate authority. The certificates of the Recovery Agents are published to domain clients with the group policy object.
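The File Encryption Key design and the Recovery Agent policy just described, as an added Go example that is not the chapter's or Windows' code: the content is encrypted under a random FEK, and the FEK is wrapped separately for the owner and for each agent, so an agent can recover the file without the owner's private key, and a new agent can be added to an existing file without re-encrypting it. AES-GCM stands in for DESX, RSA-OAEP for the CryptoAPI key exchange, and the EncryptedFile layout is constructed, not the NTFS on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// EncryptedFile models an EFS file as the chapter describes it: content under a
// File Encryption Key (FEK), and the FEK wrapped for the owner and for each
// Recovery Agent. Constructed for this example; AES-GCM stands in for DESX.
type EncryptedFile struct {
	Nonce []byte
	Body  []byte
	Slots [][]byte // FEK encrypted to the owner's public key, then to each agent's
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func wrap(fek []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

// EncryptFile generates a fresh FEK, encrypts the content with it, and wraps
// the FEK for the owner and for every recovery agent named in policy.
func EncryptFile(content []byte, owner *rsa.PublicKey, agents ...*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := io.ReadFull(rand.Reader, f.Nonce); err != nil {
		return nil, err
	}
	f.Body = gcm.Seal(nil, f.Nonce, content, nil)
	for _, pub := range append([]*rsa.PublicKey{owner}, agents...) {
		w, err := wrap(fek, pub)
		if err != nil {
			return nil, err
		}
		f.Slots = append(f.Slots, w)
	}
	return f, nil
}

// unwrapFEK tries every slot with the caller's private key. If the owner's key
// is lost and no agent was configured, nothing matches and the file is gone.
func (f *EncryptedFile) unwrapFEK(key *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.Slots {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, key, w, nil); err == nil {
			return fek, nil
		}
	}
	return nil, errors.New("no FEK slot matches this private key")
}

// Decrypt is transparent to whoever holds a matching private key: the owner
// and any recovery agent reach the same plaintext through different slots.
func (f *EncryptedFile) Decrypt(key *rsa.PrivateKey) ([]byte, error) {
	fek, err := f.unwrapFEK(key)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Body, nil)
}

// AddAgent is what a recovery-policy change needs for an existing file: a current
// key holder recovers the FEK and wraps it for the new agent; the content is untouched.
func (f *EncryptedFile) AddAgent(holder *rsa.PrivateKey, agent *rsa.PublicKey) error {
	fek, err := f.unwrapFEK(holder)
	if err != nil {
		return err
	}
	w, err := wrap(fek, agent)
	if err != nil {
		return err
	}
	f.Slots = append(f.Slots, w)
	return nil
}
```

A file encrypted before the recovery policy existed has no agent slot, which is why a policy change alone does not make older files recoverable until a key holder re-wraps the FEK.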
Smart-Card Logon
Smart card service can be implemented as a component of the PKI in Windows 2000. A smart card is about the size of a credit card and can store the owner's certificates and private keys on an erasable programmable ROM, so changes can be made if necessary. The smart card is protected by a password and runs a card operating system that resides in ROM. The smart card requires that a smart card reader be attached to the user's computer.
The portability of the smart card allows the user to store an issued certificate and use the certificate whenever needed. The International Organization for Standards (ISO) developed the ISO 7816 standard for smart card hardware. The Personal Computer/Smart Card group specified standards for smart card readers.
is built. For security purposes, the ticket-granting ticket is encrypted with a session key by the Windows 2000 domain controller. You can then use your public key to encrypt the session key. After the encrypted ticket-granting ticket is received by the smart card, you decrypt the session key by using the private key on your smart card. Finally, the Local Security Authority logs you on to the Windows 2000 domain.
Smart card logon can be either enabled or enforced. When smart card use is just enabled, the password-based logon can still be used by the user. If the Smart Card policy is changed to enforced, users will not be able to log on if they forgot their smart card or if the only available computer does not contain a smart card reader.
IP Security
IP Security (IPSec) is a protocol that implements network encryption at the IP protocol layer. IPSec uses state-of-the-art cryptography techniques and does not require a public key algorithm. A public key algorithm provides the organization with a distributed trust environment that can be scaled to any size. The Internet Engineering Task Force has implemented IPSec devices so that through the use of public key algorithms they can mutually authenticate each other and agree on encrypting keys.