What Is a PKI?
A PKI is the combination of software and encryption technologies that helps to secure communication and business transactions. A PKI relies on the exchange of digital certificates between authenticated users and trusted resources.
PKI solutions (diagram): nonrepudiation, availability, secure e-mail; certificate subjects include computers and services.
Certificate validation steps (Action):
1. Collects CA certificates from cache, Group Policy, enterprise policy, applications
2. Path validation: Validates the certificates in a certificate chain until the certificate chain terminates at a trusted, self-signed certificate
3. Revocation checking: Ensures that no certificates have been revoked
Certificates
Certificates provide the foundation of a public key infrastructure (PKI). Certificates are electronic representations of users, computers, network devices, or services, issued by a certification authority (CA), that are associated with a public and private key pair. A certificate is a digitally signed collection of information generally 2 to 4 kilobytes (KB) in size.
A certificate includes:
Information about the user, computer, or network device that holds the private key corresponding to the issued certificate (the user, computer, or network device is referred to as the subject of the certificate).
Information about the issuing CA.
The public key of the certificate's associated public and private key pair.
The names of the encryption and/or digital signing algorithms supported by the certificate.
A list of X.509 version 3 extensions included in the issued certificate.
Information for determining the revocation status and validity of the certificate.
The CA must ensure the identity of the requestor before issuing a certificate. Once identity is confirmed, the CA issues the certificate and digitally signs the certificate with its private key. The signature certifies that the certificate was signed by the issuing CA and helps detect if changes are made to the certificate after issuance.
It is nearly impossible for another user, computer, network device, or service to impersonate the subject of a certificate, because impersonation requires access to the certificate holder's private key. Impersonation is highly improbable if an attacker has access to the certificate only.
Three versions of digital certificates can be used in a PKI:
X.509 version 1 certificates
X.509 version 2 certificates
X.509 version 3 certificates
X.509 version 1
Defined in 1988
Provides basic information about the certificate holder. The format offers little information about the certificate issuer, including only the issuer name, the CA signature algorithm, and the signature value. The version 1 format does not have any provisions for CA renewal.
X.509 version 2
Defined in 1993
Issuer Unique ID: An optional field that contains a unique identifier, typically a hexadecimal string, for the issuing CA as defined by the issuing CA. When a CA renews its certificate, a new Issuer Unique ID is generated for that certificate version.
Subject Unique ID: An optional field that contains a unique identifier, typically a hexadecimal string, for the certificate's subject as defined by the issuing CA. If the subject is also a CA, this unique identifier is placed in the Issuer Unique ID of the certificates it issues.
X.509 version 3
Defined in 1996
Key Usage: A CA, user, computer, network device, or service can have more than one certificate. The Key Usage extension defines the security services for which a certificate can be used:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Key Agreement
Key Cert Sign
CRL Sign
Encipher Only
Decipher Only
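The Key Usage extension is stored in the certificate as a DER BIT STRING whose bits map, in the order listed above, to the nine usages. The following decoder is an added example (not part of the original slides); the sample byte strings are constructed to show a typical CA certificate, a typical TLS server certificate, and a value that needs a second byte for Decipher Only.

```python
# Added example: decode a DER-encoded KeyUsage BIT STRING into the
# named usages. Bit order follows the list above (RFC 5280 4.2.1.3).
KEY_USAGE_BITS = [
    "Digital Signature",   # bit 0
    "Non-Repudiation",     # bit 1
    "Key Encipherment",    # bit 2
    "Data Encipherment",   # bit 3
    "Key Agreement",       # bit 4
    "Key Cert Sign",       # bit 5
    "CRL Sign",            # bit 6
    "Encipher Only",       # bit 7
    "Decipher Only",       # bit 8
]


def decode_key_usage(der: bytes) -> list:
    """Parse a DER BIT STRING (tag 0x03) carrying KeyUsage flags.

    Layout: 0x03, length, unused-bit count, bit bytes. Bit 0 is the
    most significant bit of the first content byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    total_bits = len(body) * 8 - unused
    names = []
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte_index, offset = divmod(bit, 8)
        if body[byte_index] & (0x80 >> offset):
            names.append(KEY_USAGE_BITS[bit])
    return names


if __name__ == "__main__":
    # Constructed samples: CA cert, TLS server cert, two-byte value.
    for hexval in ("03020106", "030205a0", "0303070880"):
        print(hexval, "->", decode_key_usage(bytes.fromhex(hexval)))
```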
Certification Authorities
A CA is a Windows Server 2008 computer with Certificate Services installed. A CA signs certificates, revokes certificates, and publishes CRL information about revoked certificates to ensure that users, services, and computers are issued certificates that can be validated.
A CA performs three functions:
Verifies the identity of a certificate requestor. The mode of identification depends on the type of CA.
Issues certificates. The certificate template or requested certificate determines the information in the certificate.
Manages certificate revocation.
Root CA
In a PKI, the root CA acts as the trust point for certificates issued by CAs in the hierarchy. The root CA typically issues certificates only to other CAs. When the root CA issues a certificate to another entity, the root CA signs that certificate with its private key.
If the root CA is compromised or issues a certificate to an unauthorized entity, any certificate-based security in the organization is suddenly vulnerable. For this reason, a root CA is generally configured as a stand-alone CA and kept offline.
Intermediate CA
An intermediate CA is subordinate to another CA and issues certificates to other CAs in the CA hierarchy. The intermediate CA can exist at any level in the CA hierarchy except at the root CA level.
Policy CA
A policy CA is a special category of intermediate CA. It describes the policies and procedures an organization implements to validate certificate-holder identity and to secure the CAs in the CA hierarchy.
Issuing CA
An issuing CA issues certificates to users, computers, network devices, or services on the network. An issuing CA is typically located on the third tier of a CA hierarchy, but it can exist on the second level, in which case it typically acts as both a policy CA and an issuing CA.
CA hierarchy design examples (diagram): below a root and policy tier, issuing CAs may be organized by usage (Secure E-mail, EFS, VPN), by location (India, Canada, United States), by department or organizational unit, or by certificate-holder type (Employee, Contractor, Partner).
Types of CRLs
Windows Server 2008 supports the issuance of two types of CRLs: Base CRLs and Delta CRLs.
Base CRL
Contains the serial numbers of all certificates revoked on a CA that are still time valid, as well as the reason for each revocation. A base CRL contains all time-valid revoked certificates signed by a CA's specific private key.
Delta CRL
Contains only the serial numbers and revocation reasons for certificates revoked since the last base CRL was published. The delta CRL is much smaller than a base CRL because only the most recent revocations are included.
Revocation Reasons
Key Compromise
CA Compromise
Affiliation Changed
Superseded
Cessation of Operation
Certificate Hold
Remove From CRL
Unspecified
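A relying party combines the latest base CRL with the delta CRL published after it to get the current set of revoked serial numbers; the Certificate Hold and Remove From CRL reasons are the ones that interact, because a held certificate can later be released. The code below is an added example, not part of the original slides, and its CRL contents are constructed; the CRL Number and base-CRL-number fields it models are the ones a real CRL carries in its extensions.

```python
# Added example: merge a base CRL with a delta CRL and check a serial.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class CRL:
    number: int                       # CRL Number extension
    base_number: Optional[int] = None  # delta CRL indicator (None = base CRL)
    entries: Dict[int, str] = field(default_factory=dict)  # serial -> reason


def effective_revocations(base: CRL, delta: Optional[CRL] = None) -> Dict[int, str]:
    """Return serial -> reason for every certificate currently revoked."""
    if base.base_number is not None:
        raise ValueError("first argument must be a base CRL")
    revoked = dict(base.entries)
    if delta is None:
        return revoked
    # The delta must be built on this base (or an earlier one) and be newer.
    if (delta.base_number is None or delta.base_number > base.number
            or delta.number <= base.number):
        raise ValueError("delta CRL does not apply to this base CRL")
    for serial, reason in delta.entries.items():
        if reason == "Remove From CRL":
            # The hold on this certificate was lifted; it is valid again.
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason
    return revoked


def is_revoked(serial: int, base: CRL, delta: Optional[CRL] = None) -> bool:
    return serial in effective_revocations(base, delta)


# Constructed sample data: serial 1002 was placed on hold in the base CRL
# and released in the delta; 1003 was revoked after the base was published.
BASE = CRL(number=10, entries={1001: "Key Compromise", 1002: "Certificate Hold"})
DELTA = CRL(number=12, base_number=10,
            entries={1002: "Remove From CRL", 1003: "Superseded"})

if __name__ == "__main__":
    for serial in (1001, 1002, 1003):
        print(serial, "revoked" if is_revoked(serial, BASE, DELTA) else "valid")
```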
Stand-alone CA policy settings (slide residue): Key Length, CA Name.