Microsoft Certificate Services


Two levels of public key cryptography from which SQL Server security can benefit are at work inside Windows Server 2003. One level is implicit and expressly built into the operating system. It is at work in Kerberos and IPsec, as described earlier, and does not require attention from you, other than some minor configuration management. (Microsoft Certificate Services also provides certificates to the Windows Server 2003 Encrypting File System [EFS].) The second level is explicit. It requires you to build a public key infrastructure to accommodate a pervasive use of public key cryptography to access highly sensitive data in SQL Server.

Public Key Infrastructure

A public key infrastructure (PKI) is a collection of services and components that work together to a common end, a secure computing environment. Such an environment will allow you to secure all database transactions, both on an intranet and over the Internet, to secure your Web sites and your company’s Web-based online transactions, to deploy smart cards and biometrics for authentication, and more.

A PKI gives you the ability to support the following public key services:

  • Key Management   The PKI issues new keys, reviews or revokes existing keys, and manages the trust levels between other vendors’ key issuers.

  • Key Publishing   The PKI provides a systematic means of publishing both valid and invalid keys. Keys can also be revoked if their security is compromised. PKI handles the revocation lists so that applications can determine if a key is no longer to be trusted (this is similar in practice to the bad credit card lists published by the banks for the benefit of merchants).

  • Key Usage   The PKI provides an easy mechanism for applications and users to use keys. Key usage provides the best possible security for the enterprise.

Digital Certificates

As discussed earlier in this chapter, public keys are encapsulated in digital certificates. I can think of no better example of a digital certificate than your driver’s license. The license number is the key. It is what gives you the right to get into a motor vehicle and use a public road. The driver’s license is issued by the Department of Motor Vehicles (DMV). It is laminated so that it cannot be tampered with, and it is an object of trust that proves you received the “key” from a trusted authority, which in this case is the DMV.

How do you validate a digital certificate? A certificate authority (CA), which issues the key, is the equivalent of the DMV in the preceding analogy. The CA signs the certificate with its digital signature. You can validate the digital signature with the CA’s public key. But who vouches for the CA? A certificate hierarchy: a chain of trust in which each CA is vouched for by the one above it, all the way up to the root CAs, which have formed an association of authorities. Microsoft is a CA that can directly issue public keys; these are handled by Microsoft Certificate Services.

A PKI is a collection of services and components that collectively create the infrastructure. A Microsoft PKI depends on Active Directory for the publishing of key information, and all certificates, revocation lists, and policy information are stored in the directory.

Managing a Microsoft PKI is not difficult and is even less time-consuming than managing logins, roles and users, databases, and database access. If you are managing SQL Server 2005 on a Windows Server 2003 network, many of your day-to-day activities already encompass the facilities of a PKI.




Microsoft SQL Server 2005. The Complete Reference
Microsoft SQL Server 2005: The Complete Reference: Full Coverage of all New and Improved Features
ISBN: 0072261528
Year: 2006
Pages: 239
