DESIGNING A PUBLIC KEY INFRASTRUCTURE - PowerPoint PPT Presentation

1 / 45
About This Presentation
Title:

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Description:

The CA issues a public key and a private key as a matched pair. ... and the CA automatically issues or denies the certificate. ... – PowerPoint PPT presentation

Number of Views:66
Avg rating:3.0/5.0
Slides: 46
Provided by: york5
Category:

less

Transcript and Presenter's Notes

Title: DESIGNING A PUBLIC KEY INFRASTRUCTURE


1
DESIGNING A PUBLIC KEY INFRASTRUCTURE
  • Chapter 9

2
OVERVIEW
  • Describe the elements and functions of a public
    key infrastructure (PKI).
  • Understand the functions of certificates and
    certification authorities (CAs).
  • Describe the structure of a CA hierarchy.
  • List the differences between enterprise and
    stand-alone CAs.
  • Install and configure a CA.
  • Understand the certificate enrollment process.
  • Publish certificate revocation lists.

3
INTRODUCING THE PUBLIC KEY INFRASTRUCTURE
  • A public key infrastructure is a collection of
    software components and operational policies that
    govern the distribution and use of public and
    private keys using digital certificates.

4
UNDERSTANDING SECRET KEY ENCRYPTION
  • Encryption is a system in which one character is
    substituted for another.
  • Encryption on a data network typically uses a
    form of public key encryption.
  • In public key encryption, every user has two
    keys, a public key and a private key.
  • Data encrypted with the public key can be
    decrypted using the private key, and vice versa.

5
ENCRYPTING DATA
6
DIGITALLY SIGNING DATA
  • Digital signing refers to the process of using
    your private key to encrypt all or part of a
    piece of data.
  • Digitally signed data, encrypted with your
    private key, can only be decrypted with your
    public key.
  • Digital signing prevents other users from
    impersonating you by sending data in your name.

7
VERIFYING DATA
  • Hash values, or checksums, are used to guarantee
    the data has not been modified since the checksum
    was created.
  • The receiving system verifies the checksum to
    determine whether or not the data has been
    altered.

8
USING CERTIFICATES
  • Digital certificates are documents that
    verifiably associate a public key with a
    particular person or organization.
  • Certificates are obtained from an administrative
    entity called a certification authority (CA).
  • The CA issues a public key and a private key as a
    matched pair. The private key is stored on the
    users computer, and the public key is issued as
    part of a certificate.

9
UNDERSTANDING CERTIFICATE CONTENTS
  • Digital certificates contain the public key for a
    particular entity plus information about the
    entity.
  • Almost all certificates conform to the ITU-T
    standard X.509 (03/00), The Directory
    Public-Key and Attribute Certificate Frameworks.
  • Standardization of certificate format is
    important, otherwise exchange of certifications
    and keys would be difficult.

10
DOWNLOADING CERTIFICATES FROM THE INTERNET
11
USING INTERNAL AND EXTERNAL CAs
  • For a certificate to be useful, it must be issued
    by an authority that both parties trust to
    verify each others identities.
  • Within an organization, you can use Windows
    Server 2003 Certificate Services, a service that
    enables the computer to function as a CA.
  • When communicating with external entities, a
    trusted third-party certificate issuer can be
    used.

12
UNDERSTANDING PKI FUNCTIONS
  • Having a PKI in place provides additional
    security on a Windows Server 2003 network.
  • Using the management tools provided,
    administrators can publish, use, renew, and
    revoke certificates. They can also enroll clients
    in the PKI.
  • Users can use certificates to provide additional
    security.

13
DESIGNING A PUBLIC KEY INFRASTRUCTURE
  • Planning a PKI typically consists of the
    following basic steps
  • Defining certificate requirements
  • Creating a CA infrastructure
  • Configuring certificates

14
DEFINING CERTIFICATE REQUIREMENTS
  • When designing a PKI, you must determine the
    clients security needs and how certificates can
    help provide that security.
  • You must determine which users, computers,
    services, and applications will use certificates,
    and what kinds of certificates will be needed.
  • Best practice dictates that a small set of
    security definitions are created, and then
    applied to users and computers as needed.

15
CREATING A CA INFRASTRUCTURE
  • Planning the creation of certification
    authorities requires an understanding of CA
    hierarchy.
  • A CA hierarchy refers to a structure in which
    each CA is validated by a CA at a higher level.
  • The root CA is considered the ultimate
    authorityfor the organization.

16
WHEN TO USE INTERNAL AND EXTERNAL CAs
17
HOW MANY CAs?
  • A single CA running on Windows Server 2003 can
    support as many as 35 million certificates and
    can issue two million or more a day depending on
    the system specifications.
  • System performance is a factor in determining
    how many CAs should be implemented. Issuing
    certificates can be disk and processor intensive.
  • Multiple CAs can be implemented for
    fault-tolerant or load-distribution reasons.

18
CREATING A CA HIERARCHY
19
UNDERSTANDING WINDOWS SERVER 2003 CA TYPES
  • Enterprise CAs
  • Are integrated into Active Directory
  • Can only be used by Active Directory clients
  • Stand-Alone CAs
  • Do not automatically respond to certificate
    enrollment requests
  • Are intended for users outside the enterprise
    that submit requests for certificates

20
CONFIGURING CERTIFICATES
  • Criteria to consider when configuring
    certificates include
  • Certificate type
  • Encryption key length and algorithm
  • Certificate lifetime
  • Renewal policies

21
USING CERTIFICATE TEMPLATES
  • Certificate templates determine what attributes
    are available or required for a given type of
    certificate.
  • Windows Server 2003 includes a large number of
    certificate templates designed to satisfy most
    certificate requirements.

22
INSTALLING CERTIFICATE SERVICES
  • Install through Add/Remove Windows Components in
    Control Panel.
  • Can be installed on either a domain controller or
    a member server running Windows Server 2003.
  • When installing an enterprise CA, a DNS server
    must be available that supports service location
    (SRV) resource records.
  • During installation, the desired CSP can be
    selected.

23
PROTECTING A CA
  • CAs should be considered critical network
    services.
  • Protection measures and plans should include
  • Physical protection
  • Key management
  • Restoration

24
CONFIGURING A CA
25
THE GENERAL TAB
26
THE POLICY MODULE TAB
27
THE EXIT MODULE TAB
28
THE EXTENSIONS TAB
29
THE STORAGE TAB
30
THE CERTIFICATE MANAGERSRESTRICTIONS TAB
31
THE AUDITING TAB
32
THE RECOVERY AGENTS TAB
33
THE SECURITY TAB
34
BACKING UP AND RESTORING A CA
  • The Certificate Services database is always open,
    making it difficult to back up.
  • Special software can be used to back up the
    files, or the Certification Authority console
    can provide a backup feature.
  • The backup CA function of the Certification
    Authority console causes the Certificate Services
    database to be momentarily closed while a copy of
    the database is made.

35
UNDERSTANDING CERTIFICATE ENROLLMENT AND RENEWAL
  • Auto-enrollment The CA determines whether or
    not a certificate request is valid and issues or
    denies a certificate accordingly.
  • Manual enrollment An administrator must monitor
    the CA for incoming requests and determine if a
    certificate should be issued on a
    request-by-request basis.

36
USING AUTO-ENROLLMENT
37
USING MANUAL ENROLLMENT
  • When using stand-alone CAs, the administrator
    must grant or deny requests for certificates.
  • Incoming certificate enrollment requests appear
    in the Pending Requests folder.
  • The administrator must check the folder on a
    regular basis.

38
MANUALLY REQUESTING CERTIFICATES
  • Applications can request certificates and receive
    them in the background.
  • Alternately, users can explicitly request
    certificates.

39
USING THE CERTIFICATES SNAP-IN
40
USING WEB ENROLLMENT
41
REVOKING CERTIFICATES
42
CHAPTER SUMMARY
  • Public key encryption uses two keys, a public key
    and a private key. Data encrypted with the public
    key can only be decrypted using the private key.
    Data encrypted using the private key can only be
    decrypted with the public key.
  • A PKI is a collection of software components and
    operational policies that governs the
    distribution and use of public and private keys.
  • Certificates are issued by a CA. You can run your
    own CA using Windows Server 2003 or obtain your
    certificates from a third-party commercial CA.

43
CHAPTER SUMMARY (continued)
  • The first step in planning a PKI is to review the
    security enhancements the certificates can
    provide and determine which of your
    organizations security requirements you can
    satisfy with the certificates.
  • When running multiple CAs in an enterprise, you
    configure them in a hierarchy.
  • The configuration parameters of certificates
    themselves include the certificate type, the
    encryption algorithm and key length the
    certificates use, the certificates lifetime, and
    the renewal policies.

44
CHAPTER SUMMARY (continued)
  • Only enterprise CAs can use auto-enrollment, in
    which clients send certificate requests to a
    CAand the CA automatically issues or denies the
    certificate.
  • For a client to receive certificates using
    auto-enrollment, it must have permission to use
    the certificate template for the type of
    certificate it is requesting.

45
CHAPTER SUMMARY (continued)
  • Stand-alone CAs do not use certificates or
    auto-enrollment. Certificate requests are stored
    in a queue on the CA until an administrator
    approves or denies them.
  • CAs publish CRLs at regular intervals to inform
    authenticating computers of certificates they
    should no longer honor.
Write a Comment
User Comments (0)
About PowerShow.com