Chapter 9

DESIGNING A PUBLIC KEY INFRASTRUCTURE
              Chapter 9: Designing a Public Key Infrastructure   2




PRIVATE KEY ENCRYPTION

- Also known as symmetric encryption
- Uses little processing time
- Requires sender and receiver to know the same key




PRIVATE KEY ENCRYPTION ILLUSTRATED




PUBLIC KEY ENCRYPTION

- Also known as asymmetric encryption
- Uses significant processing time
- Does not require sender and receiver to know the same key




PUBLIC KEY ENCRYPTION ILLUSTRATED




WHAT IS A CERTIFICATE?

- A file containing a public key
- Signed by a certification authority (CA)
- Specifies:
  - What the certificate can be used for
  - When the certificate expires
  - To whom the certificate was issued
  - …and much more




WHAT IS A CERTIFICATION AUTHORITY?

- A server that issues certificates
- Can be internal or external, like VeriSign
- Some CAs are trusted by Microsoft Windows by default
- Trusted CAs have rigorous authentication requirements




WHAT IS A CERTIFICATE REVOCATION LIST (CRL)?

- Contains a list of certificates that clients should reject
- Two types:
  - CRLs
  - Delta CRLs
- Only useful if clients download the CRL




WHAT ARE CERTIFICATE TEMPLATES?

- Rules that define the certificates that can be issued:
  - Version 1:
    - Supported by Microsoft Windows 2000 Server and Windows Server 2003
    - Certificates cannot be modified
  - Version 2:
    - Supported by Windows Server 2003
    - Certificates can be updated after issuance




PLANNING A PUBLIC KEY INFRASTRUCTURE (PKI)

- Why do you need a PKI?
- What are your requirements?
  - Types of certificates
  - Number of certificates
  - Locations of users




DESIGNING CAs

- You must decide the following:
  - Build internally, or outsource?
  - Use Active Directory directory service integration, or stand-alone CAs?
  - How many CAs will you need?
  - How will you protect your CAs?




DESIGNING A CA TRUST MODEL

- Rooted trust model
- Network trust model/cross-certification trust model
- Hybrid trust model




ROOTED TRUST MODEL ILLUSTRATION




NETWORK TRUST MODEL ILLUSTRATION




CERTIFICATE TRUST LISTS

- When you trust a CA, you trust all certificates issued by the CA
- CTLs:
  - Specify trusted certificates instead of CAs
  - Restrict how certificates can be used
  - Limit the time that trusted certificates can be used




QUALIFIED SUBORDINATION

- Restrict what a subordinate CA can do:
  - Basic constraints
  - Name constraints
  - Issuance policy
  - Application policy
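Worked example (added here, not part of the original deck): a path validator that enforces the first two qualified-subordination controls, basic constraints (path length) and DNS name constraints, over constructed certificate chains. The CA names, the "partner.example" subtrees and the dict-based certificate representation are all made up for illustration; issuance and application policy are not modelled.

```python
def dns_in_subtree(name, subtree):
    """RFC 5280 DNS-name matching: 'partner.example' covers itself and all subdomains."""
    name, subtree = name.lower(), subtree.lower()
    return name == subtree or name.endswith("." + subtree)

def check_chain(chain):
    """Validate a chain ordered root -> intermediates -> leaf; returns (ok, reason).

    Elements are dicts with is_ca, optional path_len (basic constraints), optional
    permitted/excluded DNS subtrees (name constraints) and, on the leaf, dns_names.
    """
    cas, leaf = chain[:-1], chain[-1]
    for depth, ca in enumerate(cas):
        if not ca["is_ca"]:
            return False, f"{ca['name']} is not a CA but issued a certificate"
        # Basic constraints: path_len caps how many CAs may sit below this one.
        subordinate_cas = len(cas) - depth - 1
        if ca.get("path_len") is not None and subordinate_cas > ca["path_len"]:
            return False, f"{ca['name']} path length {ca['path_len']} exceeded"
    # Name constraints accumulate down the chain: every constraining CA's
    # permitted subtrees must be satisfied and no CA's excluded subtree hit.
    for name in leaf["dns_names"]:
        for ca in cas:
            permitted = ca.get("permitted")
            if permitted and not any(dns_in_subtree(name, s) for s in permitted):
                return False, f"{name} outside permitted subtrees of {ca['name']}"
            if any(dns_in_subtree(name, s) for s in ca.get("excluded", [])):
                return False, f"{name} in excluded subtree of {ca['name']}"
    return True, "chain satisfies basic and name constraints"

# Constructed example: an enterprise root qualifies a partner CA so that it may issue
# only for partner.example (never hr.partner.example) and may not create sub-CAs.
ROOT = {"name": "Contoso Root CA", "is_ca": True}
PARTNER = {"name": "Partner CA", "is_ca": True, "path_len": 0,
           "permitted": ["partner.example"], "excluded": ["hr.partner.example"]}

def leaf(*dns_names):
    return {"name": "end-entity", "is_ca": False, "dns_names": list(dns_names)}

def demo():
    """Return the accept/reject outcome for four constructed chains."""
    chains = {
        "good": [ROOT, PARTNER, leaf("www.partner.example")],
        "wrong_name": [ROOT, PARTNER, leaf("mail.contoso.example")],
        "excluded": [ROOT, PARTNER, leaf("portal.hr.partner.example")],
        "extra_ca": [ROOT, PARTNER, {"name": "Extra Sub CA", "is_ca": True},
                     leaf("www.partner.example")],
    }
    return {label: check_chain(chain)[0] for label, chain in chains.items()}
```

Only the first chain is accepted; the other three show a constrained subordinate CA being prevented from issuing outside its name space, into an excluded subtree, or through an unplanned further CA.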




ISSUING CERTIFICATES

- Use automatic enrollment whenever possible
- Use manual enrollment when:
  - Issuing computer certificates to operating systems earlier than Windows 2000
  - Issuing user certificates to operating systems earlier than Windows XP
  - Clients are not members of a domain
  - You are using a stand-alone CA
  - The client or CA is not connected to your network




MANUAL ENROLLMENT TOOLS

- Certificate Request Wizard
- Web Enrollment
- Certreq.exe command-line utility




AUTOMATIC ENROLLMENT TECHNIQUES

- Automatic Certificate Request Settings:
  - Configured by using Group Policy
  - Require version 1 or version 2 certificate templates
  - Issue computer certificates to Windows 2000, Windows XP, Windows Server 2003
- Autoenrollment Settings:
  - Configured by using Group Policy
  - Require version 2 certificate templates
  - Issue computer or user certificates to Windows XP, Windows Server 2003




CHOOSING CERTIFICATE LIFETIMES

- Short lifetimes increase cost through:
  - Increased administration time
  - Increased user interaction
- Long lifetimes increase security risk through:
  - Increased opportunity to crack certificates
  - Increased opportunity to abuse a stolen certificate
- Certificate lifetimes can never extend beyond a CA’s lifetime




PUBLISHING CRLS

- Published by default to:
  - Shared folder: \\Server\CertEnroll
  - Active Directory
  - Web page: http://Server/CertEnroll/
- Can also be published to File Transfer Protocol (FTP)




CONFIGURING CRL PUBLISHING




DELTA CRLS

- Significantly reduce the bandwidth clients use to retrieve CRLs
- Only used by Windows XP and newer clients
- Should not be used with an offline CA




CRL PUBLICATION SCHEDULE

- Determines how long a revoked certificate will still be considered valid
- Published weekly by default; each CRL expires after eight days
- Clients reject certificates when the cached CRL has expired and a new CRL is not available
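Worked example (added here, not part of the original deck): a model of the default weekly/eight-day schedule on the CA side and the client-side checking rules on the other, run over a constructed timeline to show how long a revoked certificate keeps being accepted and what happens when the cache expires without a new CRL being reachable. Dates, the serial number and the dict-based CRL representation are constructed for illustration.

```python
from datetime import datetime, timedelta

# Defaults stated in the slides: a full CRL is published weekly and each
# CRL expires eight days after publication, leaving one day of overlap.
PUBLISH_PERIOD = timedelta(days=7)
CRL_LIFETIME = timedelta(days=8)

def publish_crl(revoked_serials, issued_at):
    """Model the CA publishing a CRL: a snapshot of revoked serials with a validity window."""
    return {"this_update": issued_at,
            "next_update": issued_at + CRL_LIFETIME,
            "revoked": frozenset(revoked_serials)}

def check_certificate(now, serial, cached_crl, fetch_fresh_crl):
    """Client decision following the slide's rules; returns (accepted, reason).

    The cached CRL is trusted until its next_update. Once it has expired the
    client must fetch a new one (fetch_fresh_crl returns a CRL or None); with
    no usable CRL the certificate is rejected rather than assumed good.
    """
    crl = cached_crl
    if crl is None or now >= crl["next_update"]:
        crl = fetch_fresh_crl()
        if crl is None:
            return False, "cached CRL expired and no new CRL available"
    if serial in crl["revoked"]:
        return False, "certificate listed in CRL"
    return True, "certificate not listed in current CRL"

def worst_case_lag():
    """A certificate revoked just after a CRL is published stays acceptable until
    that CRL expires, so the worst case is the CRL lifetime, not the publish period."""
    return CRL_LIFETIME

def revocation_lag_scenario():
    """Constructed timeline showing how long a revoked certificate stays accepted."""
    t0 = datetime(2003, 4, 7)                             # constructed first publication
    crl_day0 = publish_crl(set(), t0)                      # nothing revoked yet
    crl_day7 = publish_crl({0x2A}, t0 + PUBLISH_PERIOD)    # serial 0x2A revoked on day 1
    day5 = t0 + timedelta(days=5)
    day8 = t0 + timedelta(days=8, hours=1)                 # day-0 CRL has just expired
    return {
        # Cached day-0 CRL still valid: revoked cert accepted (the lag the slide warns about).
        "day5": check_certificate(day5, 0x2A, crl_day0, lambda: crl_day7),
        # Cache expired, new CRL retrievable: revocation now takes effect.
        "day8_fetch_ok": check_certificate(day8, 0x2A, crl_day0, lambda: crl_day7),
        # Cache expired and the CRL distribution point is unreachable: fail closed.
        "day8_fetch_fail": check_certificate(day8, 0x2A, crl_day0, lambda: None),
    }
```

Shortening the publication period alone does not shorten the day-5 window in this model; the cached CRL's own expiry is what forces clients back to the distribution point.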




RECOVERING DATA

- Data recovery:
  - Enables multiple keys to decrypt data
  - Enables Encrypting File System (EFS) recovery without a PKI
- Key recovery:
  - Enables a key recovery agent (KRA) to retrieve private keys
  - Does not require issuing new certificates if one is lost
  - KRA might abuse access to private keys




ENABLING KEY RECOVERY

- Configure the KRA template
- Configure the CA to allow key archiving
- Enroll users and archive their keys




SUMMARY

- A PKI is useful for many important security capabilities, such as IPSec and EFS
- Use Windows Server 2003 Enterprise CAs when possible to do the following:
  - Enable version 2 certificates
  - Enable autoenrollment
  - Enable key archival and recovery
- CRLs identify revoked certificates, and must be accessible to clients
