Deploying a Public Key Infrastructure with Windows Server 2008 R2

2/27/2011 10:08:19 AM
The term Public Key Infrastructure (PKI) is often loosely thrown around, but is not often thoroughly explained. PKI, in a nutshell, is the collection of digital certificates, registration authorities, and certificate authorities that verify the validity of each participant in an encrypted network. Effectively, a PKI itself is simply a concept that defines the mechanisms that ensure that the user who is communicating with another user or computer on a network is who he says he is. PKI implementations are widespread and are becoming a critical component of modern network implementations. Windows Server 2008 R2 fully supports the deployment of multiple PKI configurations, as defined in the following sections.

PKI deployments can range from simple to complex, with some PKI implementations utilizing an array of smart cards and certificates to verify the identity of all users with a great degree of certainty. Understanding the capabilities of PKI and choosing the proper deployment for an organization are consequently a must.

Defining Private Key versus Public Key Encryption

Encryption techniques can primarily be classified as either symmetrical or asymmetrical. Symmetrical encryption requires that each party in an encryption scheme hold a copy of the same private (shared) key, which is used both to encrypt and to decrypt information sent between the two parties. The problem with private key encryption is that the private key must somehow be transmitted to the other party without being intercepted, because anyone who obtains it can decrypt the information.

Public key, or asymmetrical, encryption uses a pair of keys that are mathematically related to each other. The first key, the private key, is kept closely guarded by its owner and is used to encrypt (sign) information; the second key, the public key, can be distributed freely and is used to decrypt (verify) what the private key produced. The relationship also works in the other direction: information encrypted with the public key can be decrypted only by the holder of the private key. The integrity of the public key is ensured through certificates, which will be explained in depth in the following sections of this article. The asymmetric approach to encryption ensures that the private key never has to be transmitted and so does not fall into the wrong hands, and that only the intended recipient will be able to decrypt the data.

Exploring Digital Certificates

A certificate is essentially a digital document that is issued by a trusted central authority and is used to validate the identity of the user or computer it was issued to. Central, trusted authorities such as VeriSign are widely used on the Internet to ensure that software from Microsoft, for example, is really from Microsoft, and not a virus in disguise.

Certificates are used for multiple functions, such as the following:

  • Secure email

  • Web-based authentication

  • IP Security (IPSec)

  • Code signing

  • Certification hierarchies

A certificate binds the subject’s public key to identifying information, such as name, email address, and so on, and carries the digital signature of the certificate issuer, known as the Certificate Authority (CA), computed over those contents. Anyone who trusts the CA and holds its public key can verify that signature and therefore trust that the public key in the certificate really belongs to the named subject.
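The following PowerShell script is an added example, not code from the original article: it displays the fields a certificate binds together (subject identity, subject public key, issuing CA and signature algorithm) and then checks that the certificate chains to a root in the machine's trusted store and that no certificate in the chain is revoked. It assumes PowerShell 2.0 or later with the Cert: provider, as shipped with Windows Server 2008 R2, and at least one certificate in the LocalMachine\My store.

```powershell
# Added example (not from the original article). Assumes PowerShell 2.0+ with the
# Cert: provider and at least one certificate in Cert:\LocalMachine\My.

function Show-CertificateBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    New-Object PSObject -Property @{
        Subject            = $Certificate.Subject                      # identifying information
        Issuer             = $Certificate.Issuer                       # the CA that signed it
        PublicKeyAlgorithm = $Certificate.PublicKey.Oid.FriendlyName   # subject's public key type
        PublicKeyBits      = $Certificate.PublicKey.Key.KeySize
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        ValidFrom          = $Certificate.NotBefore
        ValidTo            = $Certificate.NotAfter
        Thumbprint         = $Certificate.Thumbprint
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every certificate in the chain via the CA's published CRL/OCSP
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($Certificate)

    # Walk the hierarchy from the end-entity certificate up to the root CA
    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        Write-Host ("{0}[{1}] issued by [{2}] : {3}" -f (' ' * $depth),
            $element.Certificate.Subject, $element.Certificate.Issuer, $status)
        $depth += 2
    }
    # A non-empty ChainStatus explains why Build() returned $false (untrusted root, expired, revoked, ...)
    foreach ($problem in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $problem.Status, $problem.StatusInformation.Trim())
    }
    return $trusted
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1
Show-CertificateBinding -Certificate $cert | Format-List
if (Test-CertificateChain -Certificate $cert) {
    Write-Host "Chain ends at a root in Cert:\LocalMachine\Root and no certificate is revoked."
} else {
    Write-Host "Chain validation failed; see the warnings above."
}
```

If the server cannot reach the CA's CRL distribution point, Build() reports RevocationStatusUnknown or OfflineRevocation; that is a sign the PKI's revocation publishing is unreachable from this host, not that the certificate is bad.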
