Summary of Exam Objectives


The purpose of a PKI is to facilitate the sharing of sensitive information such as authentication traffic across an insecure network. This is done with public and private key cryptography. In public key cryptography, keys are generated in pairs so that every public key is matched to a private key and vice versa. If data is encrypted with a particular public key, then only the corresponding private key can decrypt it. A digital signature means that an already encrypted piece of data is further encrypted by someone’s private key. When the recipient wants to decrypt the data, he or she must first “unlock” the digital signature by using the signer’s public key, remembering that only the signer’s public key will work. This might seem secure, but because anyone at all can sign the data, how does the recipient know for certain the identity of the person who actually signed it?

The answer is that digital signatures need to be issued by an authoritative entity, one whom everyone trusts. This entity is known as a certification authority (CA). An administrator can use Windows Server 2003, a third-party company such as VeriSign, or a combination of the two to create a structure of CAs. Certification authorities, as the name implies, issue certificates. In a nutshell, certificates are digitally signed public keys. Certificates work something like this: party A wants to send a private message to party B and wants to use party B’s public key to do it. Party A realizes that if B’s public key is used to encrypt the message, then only B’s private key can be used to decrypt it, and since B and no one else has B’s private key, everything works out well. However, A needs to be sure that he’s really using B’s public key and not an imposter’s, so instead of just asking B for B’s public key, he asks B for a certificate. B has previously asked the CA for a certificate for just such an occasion (B will present the certificate to anyone who wants to verify B’s identity). The CA has independently verified B’s identity and has then taken B’s public key and signed it with its own private key, creating a certificate. Party A trusts the CA and is comfortable using the CA’s well-known public key. When A uses the CA’s public key to unlock the digital signature, he can be sure that the public key inside really belongs to B, and he can take that public key and encrypt the message.

The “I” in PKI refers to the infrastructure, which is a system of public key cryptography, certificates, and certification authorities. CAs are usually set up in a hierarchy, with one system acting as a root and all the others as subordinates at one or more levels deep. By analyzing the certificate requirements for your company, you can design your CA structure to fit your needs. Most organizations use a three-tier model, with a root CA at the top, an intermediate level of subordinates who control CA policy, and a bottom level of subordinates who actually issue certificates to users, computers, and applications. In addition to choosing root and subordinate structure for the CA hierarchy, each CA during installation needs to be designated as either an enterprise or a standalone. Each of these choices has distinct advantages and disadvantages. Most CA configuration after installation is done through the Certification Authority snap-in. In addition to issuing certificates, CAs are responsible for revoking them when necessary. Revoked certificates are published to a CRL that clients can download before accepting a certificate as valid.
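The mechanics described in the preceding paragraphs (a certificate is a public key signed by a CA, a client trusts only the root and checks the signatures down the chain, and a CA withdraws a certificate by publishing it on a CRL) can be exercised end to end with Go's standard `crypto/x509` package. The program below is an added example, not code from the study guide, and it uses an in-memory hierarchy rather than Windows Server 2003 Certificate Services; the CA and subject names ("Example Root CA", "Example Policy CA", "Example Issuing CA", "Party B") and serial numbers are constructed for the example. It assumes Go 1.19 or later (for `x509.ParseRevocationList`) and uses ECDSA P-256 key pairs throughout, which keeps it fast; the signing and verification steps are the same for RSA keys.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the three CA tiers from the text plus party B's certificate;
// all of it is constructed in memory for this example (no real CA or keys).
type Hierarchy struct {
	Root, Intermediate, Issuing, User *x509.Certificate
	IssuingKey                        crypto.Signer // bottom-tier CA key: signs B's cert and the CRL
}

// newCert is the CA step from the text: create a key pair for the subject and have
// the issuer sign the public key and identity. A nil parent means self-signed (root CA).
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, issuerKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, issuerKey = tmpl, key // a root signs its own certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy creates the tiers top-down, each signed by the tier above, then
// has the bottom-tier issuing CA sign party B's certificate.
func BuildHierarchy() (*Hierarchy, error) {
	var parent *x509.Certificate
	var parentKey crypto.Signer
	var tiers []*x509.Certificate
	for i, name := range []string{"Example Root CA", "Example Policy CA", "Example Issuing CA"} {
		cert, key, err := newCert(name, int64(i+1), true, parent, parentKey)
		if err != nil {
			return nil, err
		}
		tiers, parent, parentKey = append(tiers, cert), cert, key
	}
	user, _, err := newCert("Party B", 1001, false, parent, parentKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: tiers[0], Intermediate: tiers[1], Issuing: tiers[2], User: user, IssuingKey: parentKey}, nil
}

// VerifyUser is party A's check from the text: trusting only the root, follow the
// signatures down through the intermediates to B's certificate (returns chain length).
func VerifyUser(h *Hierarchy) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Intermediate)
	inters.AddCert(h.Issuing)
	chains, err := h.User.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // B, issuing CA, policy CA, root
}

// RevokeUser has the issuing CA publish a CRL listing B's serial number, then checks it
// the way a client should: verify the CRL's signature against the issuer before trusting it.
func RevokeUser(h *Hierarchy) (bool, error) {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: h.User.SerialNumber, RevocationTime: now}},
	}, h.Issuing, h.IssuingKey)
	if err != nil {
		return false, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(h.Issuing); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(h.User.SerialNumber) == 0 {
			return true, nil // B's certificate must no longer be accepted
		}
	}
	return false, nil
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	n, _ := VerifyUser(h)
	revoked, _ := RevokeUser(h)
	fmt.Println("chain length:", n, "| B's certificate revoked:", revoked)
}
```

Run with `go run`; it reports a chain of four certificates (B, issuing CA, policy CA, root) and that B's certificate is listed on the CRL. Two details carry the security point: `VerifyUser` is given only the root as a trust anchor, so swapping in an unrelated root makes verification fail even though every individual certificate is well formed, and `RevokeUser` checks the CRL's signature before reading it, since an unsigned or forged list could otherwise "un-revoke" a certificate. In a Windows deployment the CRL is fetched from the distribution point URL in the certificate rather than handed over in memory, and the `RevokedCertificates` field is the older name kept here for Go 1.19 and 1.20 (Go 1.21 added `RevokedCertificateEntries`).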

Enterprise CAs use templates to know what to do when a certificate request is received and how to issue a certificate if approved. Windows Server 2003 includes several built-in templates, or you can configure new ones. After a CA is ready to issue certificates, clients need to request them. Auto-enrollment, Web enrollment, or manual enrollment through the Certificates snap-in are the three ways by which a client can request a certificate. Auto-enrollment is available for computer certificates, and in Windows Server 2003 for user certificates as well.

Finally, using smart cards for authentication requires the use of a PKI. Using a card reader, a local or a remote user can insert his or her card and enter a PIN in place of typing in a username and password. This method of authentication uses EAP and is extremely secure, especially for remote access users using a corporate VPN. An enrollment agent (a user who holds an Enrollment Agent certificate) uses an enrollment station that has been pre-configured to put information such as a certificate on the cards before they’re issued to users. Also, smart cards may be used for secure e-mail or for logging on to a terminal server.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173