Original title: 70-293 MCSE Guide to Planning a Microsoft Windows Server 2003 [1]...
Summary: Cryptography: encrypting and decrypting data so that only the intended recipient can read it. Digital signatures: ensuring data integrity and sender authenticity with digital signatures. Smart card authentication: two-factor logon using a certificate and private key stored on a smart card.
License: Attribution Non-Commercial (BY-NC)
Available formats: PPT, PDF, TXT
Chapter 9: Planning and Managing Certificate Services

Objectives
• Describe the types of cryptography
• Understand how cryptography is used for encryption and digital signatures
• Understand the components of Certificate Services
• Install and manage Certificate Services
• Manage certificates
• Implement smart card authentication
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 2
Cryptography
• Cryptography: encrypting and decrypting data so that only the intended recipient can read it
• An encrypted message is unreadable to anyone who does not hold the key
• Decryption is the reverse of encryption: it makes the data readable again
Cryptography (continued)
• Four objectives of cryptography:
  • Confidentiality: only the intended recipient can read the data
  • Integrity: any change to the data, in transit or at rest, can be detected
  • Nonrepudiation: the sender cannot later deny having sent the data
  • Authentication: the parties can prove who they are
Cryptography (continued)
• Cryptography uses keys:
  • A large number, usually represented as a series of numbers, letters, and symbols
  • Large enough that it cannot be guessed or searched for exhaustively
  • Used together with an algorithm to encrypt and decrypt data
• Three types of algorithm:
  • Symmetric encryption
  • Asymmetric encryption
  • Hashing (strictly not encryption, because it is one-way and has no decryption step)
Symmetric Encryption
• Uses a single key: the same key encrypts and decrypts, so sender and recipient must both hold it and both keep it secret
• A computer can symmetrically encrypt large amounts of data quickly
• Used when encrypting files and large amounts of data across network transmissions
• Distributing the shared key securely is the hard part; in practice the key is protected by an asymmetric exchange or agreed out of band
Asymmetric Encryption
• Uses two mathematically related keys: a public key, which can be given to anyone, and a private key, which its owner keeps secret
• Anything encrypted with the public key can be decrypted only with the private key, and vice versa
• Much slower than symmetric encryption, so it is normally used to protect a symmetric session key or to sign a hash, not to encrypt bulk data
Hash Encryption
• Hashing is unique among the three because it is one-way: the original data cannot be recovered from the hash value
• A hash algorithm converts data of any length into a fixed-length hash value; no key is involved (keyed variants such as HMAC exist for message authentication)
• The hash value is a fingerprint of the data: changing even one bit of the input produces a completely different hash
• The purpose of a hash value is to identify data and detect changes to it, not to keep it secret
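The properties listed above (fixed-length output, no key, one-bit change gives an unrelated digest) and the keyed HMAC variant, shown in working code. This is an added example and not part of the course material; the "contract" input is constructed for the demonstration.

```python
"""Hashing as a data fingerprint: one-way, fixed length, no key (added example)."""
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the data as hex. Any input length yields 64 hex chars."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes) -> bytes:
    """Corrupt the input by flipping the lowest bit of its last byte."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def check_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the fingerprint and compare in constant time.

    A plain == on hex strings leaks where the first mismatch is through timing;
    compare_digest does not.
    """
    return hmac.compare_digest(fingerprint(data), expected_hex)


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """HMAC-SHA256, the keyed variant of a hash.

    Only holders of the key can produce or check this value, so it gives
    integrity plus origin authentication between the parties sharing the key.
    A plain hash gives integrity only: anyone can recompute it over altered data.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# Constructed sample input for the demonstration
CONTRACT = b"Pay Alice 100 EUR on 2024-06-01\n"
TAMPERED = flip_one_bit(CONTRACT)   # differs from CONTRACT in exactly one bit

if __name__ == "__main__":
    published = fingerprint(CONTRACT)
    print("original :", published)
    print("tampered :", fingerprint(TAMPERED))
    print("intact?  :", check_integrity(CONTRACT, published))
    print("tampered?:", check_integrity(TAMPERED, published))
    print("HMAC     :", keyed_fingerprint(b"shared-secret", CONTRACT))
```

The two printed digests share no visible structure even though the inputs differ in one bit, which is what makes a hash usable as a fingerprint; the HMAC line shows that "a single key" belongs to the keyed variant, not to hashing in general.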
Uses for Cryptography
• Three common tasks that use different types of encryption are:
  • Encrypting e-mail
  • Ensuring data integrity with digital signatures
  • Securing data communication with Secure Sockets Layer (SSL)
Encrypting E-mail
• Encrypting e-mail ensures that a message in transit cannot be read by unauthorized people
• Uses the public and private keys of the recipient:
  • Sender creates an e-mail message
  • The sender's e-mail software encrypts it using the recipient's public key
  • The recipient's public key may be published in a directory or sent to the sender (for example in a signed e-mail) before encryption
  • The encrypted message is sent to the recipient
  • The recipient's e-mail software decrypts the message using the recipient's private key, which only the recipient holds
• In practice (S/MIME) the message body is encrypted with a random symmetric key and only that key is encrypted with the recipient's public key, because asymmetric encryption is too slow for large messages
Encrypting E-mail (continued) [figure]
Digital Signatures
• A digital signature is a hash value of the message that is encrypted with the sender's private key and attached to the message
• The recipient decrypts the signature with the sender's public key, recomputes the hash of the received message, and compares the two; a match proves that the message was not modified in transit and that it came from the holder of the private key
• This gives integrity, authentication, and nonrepudiation, which matters when electronically delivering information such as contracts and agreements
• The public and private keys of the sender are used for a digital signature (e-mail encryption, by contrast, uses the recipient's keys)
Digital Signatures (continued) [figure]
Secure Sockets Layer
• Secure Sockets Layer (SSL) is a protocol that runs on top of the transport layer (TCP) and can be used with any application protocol designed to communicate with it; its successor is Transport Layer Security (TLS)
• SSL secures communication between Web servers and Web browsers, e-mail clients and e-mail servers, and other service combinations
• Servers are the only participants in SSL that must be configured with a public key, a private key, and a certificate; a client needs its own key pair and certificate only when the server requires client certificate authentication
• The client checks the server certificate (trusted issuer, validity period, name matches the server) before any application data is sent
Secure Sockets Layer (continued) [figure]
Certificate Services Components
• Certificate Services is the Microsoft implementation of PKI (Public Key Infrastructure)
• PKI creates and manages public keys, private keys, and certificates
• PKI using Certificate Services is composed of:
  • Certificates
  • Certification authority (also known as certificate authority)
  • A Certificate Revocation List (CRL)
  • Certificate-enabled applications
Certificates
• A certificate binds information about a user or computer to a public key; the issuing CA signs it so that the binding cannot be altered
• A certificate defined by the X.509 standard has these fields:
  • Subject (the user, computer, or service name)
  • Serial number (unique per issuing CA; it is what a CRL lists)
  • Validity period (not-before and not-after dates)
  • Public key
  • Issuer name
  • Issuer signature (covers all the other fields)
• Only the public key is in the certificate; the matching private key stays with the subject
Certification Authority
• A certification authority (CA) is a server that issues certificates to client computers, applications, or users
• The CA is responsible for taking certificate-signing requests from clients and approving them
• As part of the approval process, the identity of the requester is verified (an enterprise CA does this through the requester's Active Directory account; a stand-alone CA relies on an administrator)
Activity 9-1: Viewing Trusted Root Certification Authorities
• The purpose of this activity is to view the trusted root certification authorities installed by default on Windows Server 2003
Certificate Revocation List
• The certification authority maintains a Certificate Revocation List (CRL), which lists certificates issued by the CA that are no longer valid even though they have not yet expired
• Certificates get onto the list only when an administrator revokes them; the CA never revokes a certificate on its own
• The CA publishes the CRL on a schedule (the default CRL lifetime is one week), and an administrator can publish it manually after a revocation so that clients see the change sooner
• Each certificate issued by the CA has an expiration date; expired certificates are not listed because they fail validation anyway
Certificate-enabled Applications
• Windows client computers store certificates in a central certificate store that can be used by multiple applications
• Many certificate-enabled applications running on Windows use this central Windows store, but other applications keep certificates in a private database of their own
• Common applications for certificates include:
  • e-mail clients
  • Web browsers
  • smart cards
Installing and Managing Certificate Services
• Two classes of CAs:
  • Enterprise
  • Stand-alone
• An enterprise CA:
  • Integrates with Active Directory (and requires it)
  • Has an expanded feature set
  • Can use certificate templates
  • Can automate the certificate creation process, because the requester is identified by its Active Directory account and the template defines what is issued
Installing and Managing Certificate Services (continued)
• A stand-alone certification authority:
  • Does not integrate with Active Directory
  • Cannot issue certificates automatically based on a user object in Active Directory
  • All certificate requests are held as pending and must be manually approved by an administrator
  • Cannot use certificate templates
  • Cannot issue certificates used for smart card authentication
Certificate Hierarchy
• A chain of trust through which client computers and applications are assured that a certificate is valid
• Each CA in the hierarchy is either a root certification authority (self-signed, trusted directly by clients) or a subordinate certification authority
• A subordinate certification authority is certified by another certification authority, which issues it a CA certificate
• After certification, the subordinate can issue certificates based on the trusted status of the certification authority that certified it
• A client validates a certificate by following the issuer signatures upward until it reaches a root it trusts; if any link fails (bad signature, expired, revoked, or untrusted root) the certificate is rejected
Certificate Hierarchy (continued) [figure]
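The mechanics described in the Asymmetric Encryption, Encrypting E-mail, Digital Signatures, Certificates, Certificate Revocation List and Certificate Hierarchy slides, as one working model. This is an added example written for this page, not code from the course or from Microsoft: it uses textbook RSA without padding, fixed Mersenne primes instead of randomly generated ones, JSON dictionaries instead of DER-encoded X.509, and a set of (issuer, serial) pairs as the CRL. Every name in it (`issue`, `validate`, `Root CA`, `Sub CA`, `alice`) is invented for the demonstration; real systems must use a vetted library with proper padding (OAEP/PSS).

```python
"""Toy PKI: textbook RSA, digital signatures, a root -> subordinate -> user
certificate chain, validity periods and a CRL (added example, illustration only)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

E = 65537  # public exponent

def make_keypair(k1: int, k2: int):
    """Toy key from two Mersenne primes 2**k - 1 (k in 127, 521, 607, 1279,
    2203, 2281 are known Mersenne exponents). A real CA generates random primes;
    fixed ones keep the example reproducible and need no primality test."""
    p, q = 2**k1 - 1, 2**k2 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)                      # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}

def rsa_encrypt(pub: dict, data: bytes) -> int:
    """Encrypt with the public key; only the matching private key reverses it."""
    m = int.from_bytes(data, "big")
    assert 0 < m < pub["n"], "message too long for this key"
    return pow(m, pub["e"], pub["n"])

def rsa_decrypt(priv: dict, c: int) -> bytes:
    m = pow(c, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: dict, data: bytes) -> int:
    """Digital signature: the hash of the data transformed with the private key."""
    return pow(digest(data), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    """Recover the hash with the public key and compare with a fresh hash."""
    return pow(sig, pub["e"], pub["n"]) == digest(data)

def tbs_bytes(tbs: dict) -> bytes:
    """Canonical bytes of the 'to be signed' part (X.509 uses DER for this)."""
    return json.dumps(tbs, sort_keys=True).encode()

def issue(subject, subject_pub, issuer, issuer_priv, serial, not_before, days):
    """Build a certificate with the X.509 fields named in the text and sign it."""
    tbs = {"subject": subject, "serial": serial,
           "not_before": not_before.isoformat(),
           "not_after": (not_before + timedelta(days=days)).isoformat(),
           "public_key": subject_pub, "issuer": issuer}
    return {"tbs": tbs, "signature": sign(issuer_priv, tbs_bytes(tbs))}

def validate(cert, issuers: dict, trusted_roots: dict, crl: set, now: datetime):
    """Walk from a certificate up to a trusted root, checking every link."""
    while True:
        tbs = cert["tbs"]
        if not (datetime.fromisoformat(tbs["not_before"]) <= now
                <= datetime.fromisoformat(tbs["not_after"])):
            return False, f"{tbs['subject']}: outside validity period"
        if (tbs["issuer"], tbs["serial"]) in crl:
            return False, f"{tbs['subject']}: revoked"
        self_signed = tbs["issuer"] == tbs["subject"]
        if self_signed:                      # a root is trusted only if it is in the store
            issuer_cert = trusted_roots.get(tbs["subject"])
            if issuer_cert != cert:
                return False, f"{tbs['subject']}: root is not in the trust store"
        else:
            issuer_cert = issuers.get(tbs["issuer"])
            if issuer_cert is None:
                return False, f"{tbs['subject']}: issuer certificate not available"
        if not verify(issuer_cert["tbs"]["public_key"], tbs_bytes(tbs), cert["signature"]):
            return False, f"{tbs['subject']}: signature does not verify"
        if self_signed:
            return True, "chain ends at a trusted root"
        cert = issuer_cert                   # climb one level

# Constructed hierarchy: root CA -> subordinate CA -> user "alice"
ROOT_PUB, ROOT_PRIV = make_keypair(521, 607)
SUB_PUB, SUB_PRIV = make_keypair(1279, 2203)
ALICE_PUB, ALICE_PRIV = make_keypair(127, 2281)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ROOT = issue("Root CA", ROOT_PUB, "Root CA", ROOT_PRIV, 1, T0, 3650)   # self-signed
SUB = issue("Sub CA", SUB_PUB, "Root CA", ROOT_PRIV, 2, T0, 1825)
ALICE = issue("alice", ALICE_PUB, "Sub CA", SUB_PRIV, 3, T0, 365)
ISSUERS = {"Root CA": ROOT, "Sub CA": SUB}   # what a client can fetch
TRUSTED = {"Root CA": ROOT}                  # the client's trusted root store

def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)

def forged_copy(cert, new_subject):
    """An attacker rewrites the subject but cannot re-sign: verification fails."""
    return {"tbs": dict(cert["tbs"], subject=new_subject), "signature": cert["signature"]}

if __name__ == "__main__":
    # Encrypted e-mail: the sender uses alice's public key, only alice can decrypt
    print(rsa_decrypt(ALICE_PRIV, rsa_encrypt(ALICE_PUB, b"meet at noon")))
    print(validate(ALICE, ISSUERS, TRUSTED, set(), days_after(30)))
    print(validate(ALICE, ISSUERS, TRUSTED, {("Sub CA", 3)}, days_after(30)))
    print(validate(ALICE, ISSUERS, TRUSTED, set(), days_after(400)))
    print(validate(forged_copy(ALICE, "admin"), ISSUERS, TRUSTED, set(), days_after(1)))
```

Revoking the subordinate CA's own certificate, `("Root CA", 2)`, makes every certificate beneath it fail, and emptying the trust store rejects the chain at the root: the checks in `validate` are the same ones a Windows client performs, just over dictionaries instead of DER.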
Installing Certificate Services
• When installing a CA you must choose which type:
  • Enterprise root CA
  • Stand-alone root CA
  • Enterprise subordinate CA
  • Stand-alone subordinate CA
• Choose carefully: the CA type and the server name cannot be changed after installation without removing and reinstalling Certificate Services
• Can configure custom settings for the key pair (cryptographic service provider, key length, hash algorithm) and for the CA certificate (name, validity period)
Activity 9-2: Installing Certificate Services
• The purpose of this activity is to install Certificate Services and configure your server as an enterprise root certification authority
Back Up and Restore Certificate Services
• Certificate Services is normally backed up as part of the daily backup process on Windows Server 2003, because it is included in the backup of system state data
• Can back up and restore just Certificate Services manually using the CA snap-in (or certutil -backup and certutil -restore from the command line)
• A backup that includes the CA's private key is as sensitive as the CA itself: protect it with a strong password and store it offline
Activity 9-3: Backing Up Certificate Services
• The purpose of this activity is to perform a manual backup of Certificate Services
Activity 9-4: Restoring the Certificate Services Database
• The purpose of this activity is to perform a manual restore of Certificate Services
Managing Certificates
• Tasks related to issuing and managing certificates are:
  • Issuing certificates
  • Renewing certificates
  • Revoking certificates
  • Publishing a Certificate Revocation List
  • Importing and exporting certificates
  • Mapping accounts to certificates
• A command-line utility, certutil, can be used to manage both certificates (for example, dump or verify a certificate file) and Certificate Services (for example, publish a CRL or back up the CA)
Issuing Certificates
• Certificates can be requested using:
  • Certificate Request Wizard
  • Certificate Services Web pages
  • Autoenrollment
• The Certificate Request Wizard and autoenrollment are available only for enterprise certification authorities
• Certificate Services Web pages can be used with both stand-alone and enterprise certification authorities
The Certificate Request Wizard
• The Certificate Request Wizard is run by users to request certificates
• The types of certificates that can be created are controlled by certificate templates
• The administrator can create, configure, and control access to these templates
• Users can request certificates based on templates on which they have both the Read and the Enroll permission; templates they cannot read are not offered
Activity 9-5: Requesting a Certificate
• The purpose of this activity is to request a user certificate using the Certificate Request Wizard
Certificate Services Web Pages
• The Certificate Services Web pages can be used to request certificates from both enterprise certification authorities and stand-alone certification authorities
• IIS is required for the Certificate Services Web pages
Autoenrollment
• Autoenrollment issues certificates automatically, without the user having to request them
• To enable autoenrollment:
  • Duplicate an existing certificate template using the Certificate Templates snap-in (duplicating creates a version 2 template, which is what autoenrollment requires; version 2 templates need a Windows Server 2003 Enterprise or Datacenter Edition CA)
  • Select Publish certificate in Active Directory
  • On the Security tab, add the required users or groups and assign them the Read, Enroll, and Autoenroll permissions
  • Enable the new certificate template on the CA in the Certification Authority snap-in
  • Configure a group policy (Public Key Policies, Autoenrollment Settings) to Enroll certificates automatically
Renewing Certificates
• All certificates are issued with an expiration date
• Expiration limits the damage from a compromised certificate: it cannot be abused for an extended period of time even if the compromise goes unnoticed
• If an employee leaves unexpectedly, the employee's certificate stops working at expiration even if nobody revokes it
• To avoid an interruption in service, a user must renew a certificate before it expires
Revoking Certificates
• When a certificate has been compromised or a user has left the company, you need to revoke it; do not rely on expiration alone
• Revoking places the certificate's serial number on the CRL of the certification authority
• Windows 2000 and newer clients automatically download the CRL from Active Directory (or from the CRL distribution point listed in the certificate)
• A CRL has a default lifetime of seven days, so a client may keep using a cached CRL that predates the revocation until that CRL expires; publish a new CRL right after revoking to shorten the window
Activity 9-6: Revoking a Certificate
• The purpose of this activity is to revoke a certificate and publish a new CRL
Importing and Exporting Certificates
• If you want to move or copy certificates from one computer to another, you can choose from these standard formats:
  • DER encoded binary X.509 (.cer): one certificate, no private key
  • Base-64 encoded X.509 (.cer): the same certificate as printable text
  • Cryptographic Message Syntax Standard, PKCS #7 (.p7b): one or more certificates, such as a whole chain, no private key
  • Personal Information Exchange, PKCS #12 (.pfx): certificate plus private key, protected by a password; the only format that moves the private key
Activity 9-7: Moving a Certificate
• The purpose of this activity is to move a user certificate from one computer to another
Smart Card Authentication
• Smart cards are the strongest form of authentication supported by Windows Server 2003
• Users are required to have the device (the smart card) and to enter a personal identification number (PIN): something you have plus something you know
• When smart cards are implemented, users are issued a physical card that contains a certificate and the matching private key
• The PIN unlocks the card so that its private key can be used for logon; the private key is designed never to leave the card, and the certificate itself is not secret
Preparing the Certification Authority to Issue Smart Card Certificates
• Two types of certificates are required to implement smart card authentication:
  • One type is placed on the smart card for authentication (the Smartcard Logon or Smartcard User template)
  • The second type is an enrollment agent certificate (the Enrollment Agent template), which lets an administrator request smart card certificates on behalf of other users
• Both templates must be enabled on the CA before enrollment can start
Preparing a Smart Card Certificate Enrollment Station
• A smart card certificate enrollment station is a computer that is used to configure smart cards
• It must have a properly configured smart card reader
• A smart card reader is a device that smart cards are inserted into to read their contents
Configuring a Smart Card for User Logon
• An enrollment agent configures smart cards for users through the Certificate Services Web pages on a CA
• Select the following:
  • Template that will be used to create the certificate
  • CA that will issue the certificate
  • Cryptographic service provider of the smart card
  • Enrollment agent certificate that will sign the request
  • The user the certificate is for
Configuring a Smart Card for User Logon (continued)
• To create the smart card, click the Enroll button and place the smart card in the smart card reader
• Enter the PIN to be used on the smart card
• If a certificate already exists on the smart card, you are prompted to overwrite it
Mapping the Smart Card Certificate to a User Account
• There are three ways to map certificates to user accounts:
  • One-to-one mapping: a specific certificate maps to a specific account
  • Many-to-one mapping (subject): any certificate whose subject matches a rule maps to one account
  • Many-to-one mapping (CA): any certificate issued by a given CA maps to one account
• Many-to-one mappings give every holder of a matching certificate the same identity, so use them only for shared, low-privilege accounts
Attaching a Smart Card Reader to the Client Workstation
• Each computer using smart cards must have a smart card reader
• Many computers have these available as an option
• Also commonly available as USB devices
Summary
• Encryption makes data unreadable to anyone without the key
• Decryption is the reverse of encryption
• Cryptography can provide confidentiality, integrity, nonrepudiation, and authentication
• Types of algorithm include:
  • Symmetric encryption
  • Asymmetric encryption
  • Hashing (one-way)
Summary (continued)
• Certificate Services is the Microsoft implementation of a certification authority for PKI
• Enterprise certification authorities integrate with Active Directory
• A stand-alone CA does not integrate with Active Directory
• The Certificate Request Wizard, the Certificate Services Web pages, and autoenrollment can be used to issue certificates
• Smart cards are the strongest form of authentication supported by Windows Server 2003