Summary of Exam Objectives

There are three types of cryptographic functions:

  • A hash function applies a mathematical algorithm to the data to scramble it into a hash value.

  • The secret key method of encryption uses a single key to both encrypt and decrypt information. Secret key encryption encrypts large amounts of data quickly and is also referred to as symmetric key cryptography. Its disadvantage is that the parties need a secure method for exchanging the one secret key.

  • The disadvantage of secret key encryption was removed in the 1970s by public key encryption, which is based on the use of key pairs. The public key is made available to everyone, but the private key of the pair is available only to its owner. Public key encryption is also referred to as asymmetric cryptography. The public key is usually used to encrypt sensitive data, which means that only the matching private key can decrypt the ciphertext. If a user wants to make information available to everyone with the guarantee that readers are getting information that has not been tampered with, the owner can instead use the private key to encrypt the data; the matching public key, which anyone can obtain, is then needed for decryption. The disadvantage of public key encryption is that it is slow and therefore cannot protect a large amount of data.

Windows 2000 uses cryptography extensively. A digital signature is a hash value encrypted with a private key. By verifying it with the corresponding public key, receivers can be sure that the document has not been modified and that the sender is really who they claim to be. With a digital signature, the document itself is not encrypted. Creating a digital signature involves computing a message digest, which is signed with the sender's private key. A message digest is a 128-bit number generated by hashing the original message.

Public key cryptography can provide authentication instead of privacy. Authentication involves a challenge initiated by the receiver of the data; the challenge can be sent encrypted or in plaintext. Either way, the result is proof for the receiver that the sender is authentic. This type of authentication is referred to as proof of possession. Windows 2000 also uses public key cryptography for bulk data encryption and for exchanging a secret key over a nonsecure communication channel.

Certificates provide assurance that the public key being used belongs to the entity that owns the corresponding private key. The issuer of a public key certificate is known as a certification authority (CA). The job of the CA is to validate the identity of a person or organization and bind it to the public key. A certificate hierarchy consists of multiple CAs with trust relationships established between them. The CA at the very top of the hierarchy is referred to as the root. Nothing is above the Root CA, so it simply signs its own certificate. A subordinate CA is the child of a parent CA and can take on the role of an intermediate CA or an issuer CA.

A subordinate's certificate is generated by its parent CA. The intermediate CA's purpose is to create certificates for other CAs. The issuer CA is responsible for issuing end entity certificates.
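As an added stand-alone illustration (not from the study guide), the following Python code, using only the standard library, runs the hash-then-sign flow behind the digital signature and proof-of-possession passages above and then walks a Root CA to Issuer CA to end-entity chain as just described. The key pairs, certificate fields and the names "Root CA", "Issuer CA" and "alice" are constructed for the example; the keys are built from Mersenne primes and are not a realistic key size or key-generation method.

```python
import hashlib

# Constructed toy RSA key pairs from Mersenne primes 2**k - 1: NOT a real key
# size or generation method, just enough to run hash-then-sign and a
# certificate-chain check stand-alone without a crypto library.
def toy_keypair(p_exp, q_exp):
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n, e = p * q, 65537
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)  # (public, private)

def digest(data: bytes) -> int:
    # SHA-256 gives a 256-bit digest; the page's 128-bit figure corresponds to MD5.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, priv) -> int:
    d, n = priv
    return pow(digest(data), d, n)  # digest "encrypted" with the private key

def verify(data: bytes, sig: int, pub) -> bool:
    e, n = pub
    return pow(sig, e, n) == digest(data)  # public key recovers the digest

def issue(subject, pub, issuer, issuer_priv) -> dict:
    # Minimal certificate: the to-be-signed bytes bind a name to a public key
    # and name the issuer; the issuer's private key signs those bytes.
    tbs = f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()
    return {"subject": subject, "pub": pub, "issuer": issuer,
            "tbs": tbs, "sig": sign(tbs, issuer_priv)}

def verify_chain(chain, trusted_roots) -> bool:
    # chain[0] is the end-entity cert, chain[-1] the root: each cert must name the
    # next as issuer and carry its signature; root is self-signed and trusted.
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
        if not verify(cert["tbs"], cert["sig"], parent["pub"]):
            return False
    root = chain[-1]
    return (trusted_roots.get(root["subject"]) == root["pub"]
            and root["issuer"] == root["subject"]
            and verify(root["tbs"], root["sig"], root["pub"]))

# Constructed hierarchy, Root CA -> Issuer CA -> end entity, as described above.
ROOT_PUB, ROOT_PRIV = toy_keypair(127, 521)
ISSUER_PUB, ISSUER_PRIV = toy_keypair(107, 607)
USER_PUB, USER_PRIV = toy_keypair(89, 1279)
ROOT_CERT = issue("Root CA", ROOT_PUB, "Root CA", ROOT_PRIV)
ISSUER_CERT = issue("Issuer CA", ISSUER_PUB, "Root CA", ROOT_PRIV)
USER_CERT = issue("alice", USER_PUB, "Issuer CA", ISSUER_PRIV)
TRUSTED_ROOTS = {"Root CA": ROOT_PUB}
```

Signing a receiver's challenge with `sign` and checking it with `verify` is the proof-of-possession exchange; `verify_chain` is what a receiver runs before trusting the end-entity key that signed a document.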

Four types of CAs are available with Microsoft Certificate Services, broken down into two major categories: Enterprise and Standalone. Enterprise CAs rely on the Active Directory service of the Windows 2000 operating system. A Standalone CA is implemented when Active Directory or membership in a Windows 2000 domain is not available. The four types of CAs are Enterprise Root, Enterprise Subordinate, Standalone Root, and Standalone Subordinate.

The PKI is not a single item but rather a collection of components working together to allow public key cryptography to occur. The main components of the PKI are the following:

  • Active Directory: policy distribution and certificate publication.

  • Certificate Service: certificate creation and revocation.

  • Domain Controller/Kerberos Domain Controller: domain logon.

  • Client: where most of the activity is initiated.

The Windows 2000 operating system makes many core application services available to domain clients. To use public key encryption, key pairs must be generated and their public keys enrolled with a CA. If a key pair is lost or corrupted, there must be a way for a client to recover its keys. Keys have an expiration date, so the operating system must also include a mechanism for renewing them.

Windows 2000 provides core services for domain clients through the PKI. The generation and use of keys is transparent to the user. The PKI is a mechanism for creating, renewing, and revoking keys on an as-needed basis. Generated keys can be automatically enrolled with a CA, and in the event of key corruption, the Windows 2000 PKI makes it possible to recover keys. Because a user can log on to Windows 2000 from any computer, the PKI enables clients to use their keys from any network location.

Public key security relies on Trusted Root CAs, certificate enrollment and renewal, and smart card logon. The responsibility of a CA is to attest to the public key being used. The top of the hierarchical structure is the Trusted Root CA. Trusted Root CAs are defined through the Certificate snap-in. Administrators must add the appropriate Trusted Root CAs and remove any Root CAs they do not want to trust.

Certificate templates must be created to define the policies that control how a certificate is created and then used. Smart card logon is controlled by the policy established for the user. If the policy is set to enforce smart card logon, the user cannot log on without a smart card and a computer with a smart card reader. If the smart card policy is only set to Enabled, password logons are still available.

PKI includes the applications written to support public key encryption. Windows 2000 provides security support for both Transport Layer Security (TLS) and Server Gated Cryptography (SGC). TLS and SGC require both the client and the server to have certificates issued by a CA. The certificate exchange relies on key pair encryption to arrive at a secret session key.

E-mail can be secured by using the Exchange Server and Microsoft Outlook products; digital signatures guarantee both the sender and the message of an e-mail. Windows 2000 includes a code-signing technology known as Authenticode, which ensures the integrity and origin of software distributed by vendors over the Internet. The Encrypting File System (EFS) allows any user to encrypt sensitive data by marking a directory or just an individual file for encryption. Windows 2000 also supports smart cards for public key logons.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162