New features in Windows Server 2003 and Windows XP make transferring sensitive data via PKI easy and secure than ever before.
In the past few years, the IT communications infrastructure has been increasingly expanded as users rely on this platform to communicate and interact with their peers, business partners, and customers. email on public networks. Most sensitive and important business information is stored and exchanged in electronic form. The change in your corporate communications activities means that you must take measures to protect your organization or business from fraud, interference, attacks, sabotage or accidental disclosure. that information. Public Key Infrastructure (PKI) or its Public Key Infrastructure (PKI) and standards and application technologies can be Considered as a general and independent solution that can be used to solve this problem.
PKI is essentially a standard, application-based technology used to create, store, and manage digital certificates as well as public and private keys. human. The PKI was launched in 1995, when industrial and government organizations built generic standards based on encryption to support a secure Internet infrastructure. At that time, the goal was to develop a comprehensive set of security standards and tools and theories that would allow users and organizations (business or nonprofit) to create , store and exchange information safely within the personal and public domain.
To date, efforts to improve PKI are still being invested and promoted. And to realize this great idea, standards need to be researched to varying degrees, including: encryption, communications and linking, authentication, licensing, and management. However, most of the technology formed by this idea has become ripe and some have entered the "aging" phase. Many security standards on the Internet, such as Secure Sockets Layer (SSL / TLS) and Virtual Private Network (VPN), are the result of the PKI initiative. The asymmetric cryptographic algorithm is based on encryption and decryption algorithms using two types of public and private keys. In this case, a user can encrypt his or her document with a secret key and then decrypt it with a public key. If a document contains sensitive data and needs to be securely transmitted to a single individual, the sender typically encrypts the document using a private key and the recipient decrypts using the passcode. publicity of the sender. This public key can be attached to this document or may be sent to the previous recipient.
Because of the existence of asymmetric algorithms, public standards exist and are constantly being refined to fit those algorithms. There is a fairly simple example: If users work in different organizations and can only communicate with each other over a public network, such as the Internet, you will need to develop standards in each. different steps. First, you must determine the method of authentication issued. A recipient of authentication must accept the validity of the authentication and trust the authority that issued the authentication. Second, standards must establish the mode of authentication communicated between different entities (units or divisions). Email and other forms of communication are based on technology standards and normally these standards do not necessarily support PKI. In order to realize the scenario we have outlined above, you need to have rules and standards that support the authentication issued by different authorities that can exchange and trade between different organizations. Third, the standards must clearly define which algorithms can and must include. Finally, standards must show how to maintain the infrastructure of communication. In addition, they must also build a list of authenticated users and a list of revoked certificates. Decide how different authentication authorities will be communicated and how to reproduce an authentication in the event of a loss.
User acceptance increases over time
The process of researching and developing PKI is a long process and with it, the level of acceptance of users has also increased quite slowly. As with many other public standards, the adoption rate will increase only when those standards become complete, demonstrate its true capabilities, and its applicability and realization. It is feasible (both in terms of cost and implementation). Windows XP Professional and Windows Server 2003 all have improved PKI support. You can use either of these operating systems to build a complete PKI solution. Although Windows 2000 server and workstation editions can accept this environment but with limited capabilities (see also References).
Regardless of whether you are aware or not, it is likely that you already have some kind of PKI structure in your IT infrastructure. If you have a website that uses SSL / TLS, if you allow your employees to connect and work in a local area network using the VPN and Point to Point Tunneling Protocol (PPTP), or if you are using code features In IPSec, you are actually using PKI. Likewise, if you use Exchange Server and Outlook, you are using authentication keys and public key codes. If you actually use one or more of these standards, it is easier to consider using a comprehensive PKI solution.
PKI can provide a secure and integrated mechanism for storing and sharing your company's intellectual property, both within and outside the company. However, the cost and / or complexity of it can cause certain barriers to applicability. First, I will address the complex issues. Most of the corporate communications with customers, government and other partners are electronically. If you are aware of all the different channels in those deals, you are one of the few IT professionals. Once you open the door to email, you have to admit that everything that can be sent will be sent, regardless of whether it is between partners, within the company or even across the "boundary" of the company. you. An example of this is an "outside" receiver named in the CC line who can receive a confidential document and send it on other unsafe channels. When you intend to solve this or other similar problems, you need to decide on the level of security "border" expansion, the "assets you have to protect, and the degree of mismatch. You will have to apply to users.
Today, a comprehensive security solution that competes with real PKI has yet to be found. From a technical perspective, this makes the selection simpler. Other companies also offer PKI solutions, but if you've invested in Microsoft technologies in your business, you may be able to capitalize on the advantages that this giant corporation has. With great improvements to PKI in Windows XP Professional (for workstations) and Windows Server (for servers), Microsoft has a solution that can address the major issues related to a PKI security policy. These features, together with the ability to manage and link PKI, have been integrated into the operating system and related applications.
PKI allows you to create a trust relationship between the authentication of different organizations and the Windows Server 2003 PKI solution also includes this feature. It helps you get started with a small range of trusted relationships and allows you to expand this scope in the future.
Plan your own solution
If you decide to design a PKI solution, you need to map a comprehensive scenario of security risks to identify which "assets need to be protected and appropriate and appropriate protections. Draw up a list of all the valuable assets for criminals and competitors, for example, as I mentioned in the previous section regarding the cipher Well, you can configure Outlook to encrypt all messages and attachments, or you can set up the encoding of individual email content before you send them. Knowing the problems that you are facing and the first solution can cause the ability to encode everything You send a lot of sensitive information such as email attachments on the Internet, while the security of your business members is limited, so it's best to choose an encryption solution at all times. Users send some important documents, you can decode the information in each specific case. Note that cipher algorithms are affected by the power of the CPU. Consider before making a decision. That means, whatever method you use, build a specific policy to apply it internally. Publish a list of assets for each employee and state what "actions" that employee applies to those assets. For each application tool associated with such actions (such as Outlook for email), provide specific instructions to ensure the highest level of security.
The release of e-authentication with Windows Server 2003 is quite straightforward and the auto-loading feature in this new operating system version allows you to initialize and distribute individual certificates automatically when The user logs on without causing any interference to them.
Although in this article we are not discussing the benefit of the PKI, however, you can still calculate the cost for it based on some assumption that your company is trading. electronic and transaction levels are increasing in the future. For example, if your business is focused on Internet transactions and intends to extend its reach to both services on the Web, you need to understand that digital certificates and encryption are An important part of the Web service infrastructure. Even if you can find a different security solution at a lower cost, experts recommend that you rethink by all the most important technologies, including the Internet, wireless communications, Biometric security appliances and Smart Card technology, all of which can be referred to as PKI.
New features in Windows Server 2003 and Windows XP are the first steps in a broad adoption of PKI standards. Windows Server 2003 integrates a brand-new, fully-customizable, Federal Module (Federal Information Processing Standard) module - an advanced encryption algorithm. By using Active Directory (AD), you can adjust the scope of your PKI application for specific businesses. Windows Server 2003 and Windows XP Professional support PKI trust relationships between various enterprises, and recently, Microsoft products have passed the federal trust test. The US government has established this testing program as a method of assessing the relevance of technological cooperation between different organizations. This program provides an integrated feature that is essential for interconnecting different organizations without relying on what operating systems and products they use.
In addition, the integration of PKI into end-user applications, such as Outlook, puts important security tools in the hands of end users. Enhanced PKI integration into Windows XP allows you to take full advantage of advanced security features, including smart cards or even scanning devices. This will also help you set up the Encrypting File System and new features of Windows Update that allow you to distribute original updates. All these new features demonstrate why it is time for us to begin planning and embarking on a PKI deployment.
Put the PKI in
PKI is the first and most complete authentication technology that uses cryptographic key and public key encryption. However, PKI also includes extensive use of other security services, including reliable data services, unified data integrity, and key management. In order to understand the nature of the operation and the nature of the PKI, you need to grasp its key components (see Figure 1).
The likelihood of losing or misdiagnosing a user's private key is very large, so you need to have a redundant backup and recovery mechanism. Imagine a user encrypting the entire text they spent a year creating with a unique key and then losing it. Without a private key, document recovery can not be considered in practice. By using the key recovery feature in Windows Server 2003, you can find and use your key and everything will be great.
The e-certificate revocation list includes expired or revoked certificates. All validations have a deadline. This is a design rule, but in the past, it was difficult to implement this rule because the renewal of a certificate should normally be notified to all users using that authentication. Windows Server 2003 and Windows XP both support auto-update of the authentication period. This feature ensures that expired certificates are automatically renewed upon the due date.
If an employee leaves, the need to do so is to cancel the employee's certification, not just expire. This can be done through the automatic decompression list mechanism. Authentication authorities typically do the job of sending these lists to the user, but they can also delegate to another department.
If you are ready to start a PKI application in your business, we recommend that you start by determining which PKI components you have used. Next, define the areas you want to use in the future. If you are in a large organization with multiple management activities in different physical areas, you may need to set up an infrastructure with a root CA for the whole and secondary CAs for each. unit.
Windows Server 2003 supports a new feature called Qualified Subordination, which allows the root CA to restrict the functionality of secondary CAs. You can use this feature to determine the type of CA that is issued and other services that the CA can create for the customer. Once you have a hierarchy in your organization, identify your key business partners and start putting them into your security structure. Create security policies within your organization that define the assets to be protected and the ways and tools your employees will use to do this. Devise user support processes in issues related to the issuance, renewal and revocation of certificates and passwords, and then assign responsibility for the overall development and maintenance of PKI systems to functional department. A complete and consistent PKI solution will ensure the highest level of security for digital assets in your business.
