Exam Objectives Fast Track

Cryptography and You: What is it All About?

  • Encryption is the process of changing a cleartext message into an unreadable form known as ciphertext. Decryption is the process of changing the ciphertext message back to cleartext.

  • Secret key encryption is very efficient at quickly encrypting large quantities of data. Secret key encryption uses a single key for both encryption and decryption.

  • The most popular public key algorithm is the standard RSA, which is named after its three inventors: Rivest, Shamir, and Adleman.

  • Public key algorithms provide better security than secret key encryption, but encrypt and decrypt data more slowly.

  • Digital signatures prevent changes within a document from going unnoticed. They also verify that the signer is the document's original author. Digital signatures do not provide document encryption.

  • Digital certificates provide a way to validate public keys: they give users an assurance that a public key belongs to the entity holding the corresponding private key. The certificate contains the public key and a complete set of attributes.

  • The Microsoft Certificate Service includes four types of CAs: Enterprise Root, Enterprise Subordinate, Standalone Root, and Standalone Subordinate.

  • The Enterprise Root CA is at the top of the PKI. An Enterprise Root CA uses predefined certificate templates for issuing and requesting certificates.

  • PKI is a collection of components that allow public cryptography to occur transparently to clients.

  • The two major services for Windows 2000 public key security are the cryptographic service and the certificate management service. The cryptographic service is responsible for key generation, message hashing, digital signatures, and encryption. The certificate management service is responsible for X.509 version 3 digital certificates.

Certificate Authorities

  • Because the Root CA is at the very top of the certificate hierarchy, it signs its own certificate. This is not secure for the Root CA, so a third party is often used to verify a Root CA's certificate.

  • The issuer of a Public Key Certificate is called the CA. Any CA has the responsibility of validating the identity of a person or organization and of associating that entity with the key pair it issued.

  • The Certificate Server Service for Windows 2000 includes the capability to do the following:

    • Issue certificates to users, computers, and services

    • Identify the requesting entity

    • Validate certificate requests, as allowed under the Public Key security policy

    • Support the local enterprise CAs as well as external CAs

Installing and Managing Windows 2000 CAs

  • Active Directory must be properly configured before installing an Enterprise CA. Computers cannot be renamed, joined to, or removed from a domain after installing Certificate Services.

  • For key recovery, a client's private key must be stored where it will always be accessible.

  • A certificate should be valid only for a limited time. Windows 2000 only supports renewal for automatically enrolled certificates. All other certificates must go through a complete certificate enrollment process.

  • Certificates and their properties are stored in certificate stores. Active Directory is the store for an Enterprise CA.

  • Windows 2000 supports roaming users by utilizing roaming profiles and smart cards.

  • The Enterprise CA publishes its CRLs to Active Directory where clients can obtain the information. The CRL is cached to the client's local machine and then read from the cache when certificates are verified.

  • Windows 2000 provides single logons at the enterprise level.

  • CAs are responsible for guaranteeing that a key is valid for a particular user or company. The CAs accomplish this by storing the public key and maintaining a list of issued certificates.

  • The MMC Certificates snap-in is used to specify which CAs to trust. A newly created CA's certificate must be added to the trusted CAs.

  • Certificate templates define policies that control the generation and use of certificates.

  • Microsoft recommends that you back up your entire CA server by backing up the system state data.

  • Use the CA console to back up and restore Certificate Services without backing up the system state data.

  • Typical tasks involved in managing a CA include requesting certificates, using the Certificate Services Web interface, importing a certificate, and revoking certificates.

  • The CRL lists all revoked certificates and is published to the specified locations on a configured schedule. The CRL can also be manually published by the administrator, if desired.

  • The recommended way to back up a CA is by backing up the entire server, including the system state data.

  • It is possible to back up and restore the CA data only from within the Certification Authority snap-in.
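As an added example (not code from the book or from Windows 2000 Certificate Services), the following Python toy PKI exercises the summary points from the cryptography section (public-key encryption and decryption, RSA, signatures that detect changes but do not encrypt) together with the points from the two CA sections (a root that signs its own certificate, a trust store like the one the Certificates snap-in manages, and revocation through a CRL). Textbook RSA built from hard-coded Mersenne primes with no padding, SHA-256 from the standard library, and JSON dictionaries standing in for X.509 certificates are all assumptions of the example, not how the real product works.

```python
"""Toy PKI: textbook RSA key pairs, public-key encryption, hash-based signatures,
a self-signed root CA that issues user certificates, a trust store, and a CRL check.
Constructed example; the keys are far too small for real use."""
import hashlib
import json

E = 65537  # public exponent shared by every key pair in the example


def make_keypair(p, q):
    """Textbook RSA from two primes: public key (n, e), private key (n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def rsa_encrypt(pub, msg):
    """Anyone with the public key can encrypt; only the private key can decrypt."""
    m = int.from_bytes(msg, "big")
    if m >= pub["n"]:
        raise ValueError("textbook RSA: message must be smaller than the modulus")
    return pow(m, pub["e"], pub["n"])


def rsa_decrypt(priv, ciphertext):
    m = pow(ciphertext, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data, n):
    # Sign the hash of the data, not the data itself; reduced mod n to fit the toy keys.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    """Signature = hash raised to the private exponent. It proves origin and
    integrity but does nothing to hide `data` itself."""
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, signature):
    return pow(signature, pub["e"], pub["n"]) == _digest(data, pub["n"])


def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields (everything but the signature)."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_cert(issuer_name, issuer_priv, subject, subject_pub, serial):
    """A CA binds a subject name to a public key by signing the certificate body."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer_name,
            "public_key": subject_pub}
    cert["signature"] = sign(issuer_priv, tbs_bytes(cert))
    return cert


def validate_chain(chain, trust_store, crl):
    """Walk leaf -> root: issuer linkage, signature, revocation (CRL keyed by
    issuer name), then require a self-signed root that the relying party trusts."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False, "issuer name does not match the next certificate"
        if not verify(issuer_cert["public_key"], tbs_bytes(cert), cert["signature"]):
            return False, "bad signature on " + cert["subject"]
        if cert["serial"] in crl.get(cert["issuer"], set()):
            return False, "certificate revoked: serial %d" % cert["serial"]
    root = chain[-1]
    if root["issuer"] != root["subject"] or not verify(
            root["public_key"], tbs_bytes(root), root["signature"]):
        return False, "root is not self-signed"
    if trust_store.get(root["subject"]) != root["public_key"]:
        return False, "root CA not in trust store"
    return True, "valid"


# Constructed keys from known Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1).
ROOT_PUB, ROOT_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
USER_PUB, USER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

ROOT_CERT = issue_cert("Enterprise Root CA", ROOT_PRIV,
                       "Enterprise Root CA", ROOT_PUB, serial=1)  # self-signed root
USER_CERT = issue_cert("Enterprise Root CA", ROOT_PRIV,
                       "alice@example.com", USER_PUB, serial=2)
TRUST_STORE = {"Enterprise Root CA": ROOT_PUB}  # the relying party's trusted CAs


def demo():
    """Exercise each summary claim and return the observations."""
    r = {}
    ct = rsa_encrypt(USER_PUB, b"payroll ok")
    r["decrypts"] = rsa_decrypt(USER_PRIV, ct) == b"payroll ok"
    sig = sign(USER_PRIV, b"approve invoice 42")
    r["signature_ok"] = verify(USER_PUB, b"approve invoice 42", sig)
    r["tamper_detected"] = not verify(USER_PUB, b"approve invoice 43", sig)
    r["chain_ok"] = validate_chain([USER_CERT, ROOT_CERT], TRUST_STORE, {})
    r["revoked"] = validate_chain([USER_CERT, ROOT_CERT], TRUST_STORE,
                                  {"Enterprise Root CA": {2}})
    r["untrusted_root"] = validate_chain([USER_CERT, ROOT_CERT], {}, {})
    return r
```

Run `demo()` to see each claim checked in turn: the signature still verifies only over the exact bytes that were signed, the chain passes only when the self-signed root's key is present in the trust store, and adding the user certificate's serial to the issuer's CRL is enough to fail validation, which is why the CRL has to be published (and re-read from the client cache) before a revoked certificate is refused.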

Advanced Certificate Management Issues

  • By default, new certificates are published directly into Active Directory. This can be changed to force certificates to be published into the file system and/or Active Directory, if desired. In 99.999 percent of the cases, it is best to leave the default as is.

  • The public key created by the KMS is kept in Active Directory and used for decrypting and authenticating incoming messages. The private key created by KMS is kept in an encrypted database maintained by the KMS itself and is only available to its authorized user (the user holding the certificate that was used to create the key pair). As such, the need may arise from time to time for a user to recover this private key. This happens most often when a computer fails or is replaced, thus wiping out the settings that the user had previously configured in Outlook for secure e-mail messaging. Fortunately, the KMS provides an extremely easy mechanism to recover these lost KMS keys.

  • Windows XP Certificate auto-enrollment is based on a combination of Group Policy settings and Version 2 Certificate template properties—which requires Windows XP and Windows .NET Server. This combination provides for Windows XP Professional clients to automatically enroll users with new and newly renewed certificates at every Group Policy refresh (computer startup, user login event, or during a configured Group Policy refresh event).


MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162