Summary

Cryptography is an important technology for building secure Web applications, but you must use it properly. One of the best quotes from the movie Sneakers (Universal Studios, 1992) is the line, "You won't get in—it's encrypted." However, cryptography is only one part of the solution; you also need to consider how two or more parties exchange keys and where to store keys. Indeed, key management is one of the more complex aspects of cryptography.

Luckily, most cryptography is hidden from developers, users, and administrators alike in the form of built-in secure protocols such as SSL/TLS, IPSec, and S/MIME. You have little work to do other than enroll for a certificate.

X.509 certificates are a good, well-understood means of verifying authenticity, and Windows 2000 offers superlative certificate support for users, developers, and administrators.

Technologies included with Windows 2000 include CryptoAPI for building low-level cryptographic applications, usually from C or C++. CryptoAPI also provides an easy-to-use user interface for viewing and manipulating certificates. Windows 2000 also includes Microsoft Certificate Services, which allows you to deploy your own internal certificate infrastructure or perhaps an infrastructure between you and your business partners.

It's crucial that you review some of the online certificate service guidelines at http://www.microsoft.com before you build a public key infrastructure. You should be sure that you have a good understanding of why you're using cryptography and certificates before you deploy a solution.

"And they all lived securely ever after...."
                                                     -Luke's Mom