by Jack Chen, Taos Senior Technical Consultant
PKI is increasingly deployed both in the cloud and on premises so that users can encrypt data transmitted over wired and wireless networks.
The Windows Server 2012/R2 Active Directory Certificate Services (AD CS) role is built as a building block for cloud solutions: it provides customizable services for issuing and managing the public key infrastructure (PKI) certificates used by software security systems that employ public key technologies. New features include Policy Module support for the Network Device Enrollment Service, TPM key attestation, and Windows PowerShell cmdlets for Certificate Services backup and restore.
There is increasing demand for technical consultants with expertise in implementing PKI on Windows Server 2012 or R2. If you are interested in more detail, review "What's New in Certificate Services in Windows Server 2012 R2" (http://technet.microsoft.com/en-us/library/dn473011.aspx); it gives a sufficient picture of what is going on.
The following is a simple introduction to PKI. PKI, short for Public Key Infrastructure, is a set of policies and technologies that support message encryption and digital signatures; like other encryption schemes (such as AES), it is designed to let two parties communicate securely without their traffic being intercepted or eavesdropped on by hackers.
You might ask what techniques PKI uses to secure communications. The answer is public key cryptography, certificates (issued by a certificate authority) and digital signatures.
- What is public key cryptography?
It is used to enable data encryption.
It is an encryption scheme that uses a public key to encrypt data and a private key to decrypt it. Data encrypted with a given public key can only be decrypted by the private key that forms the other half of the same key pair.
For example, John wants to access his bank account over the web securely and confidentially. To do this he logs on to his online banking account via HTTPS:taos.wpengine.com; his IE browser then encrypts his logon session (including his ID and password) using the public key from the digital certificate assigned to his bank and sends it to the bank's web server. The bank decrypts the logon session with its private key (the other half of the key pair) to validate and authenticate his identity and status; if that succeeds, he can access his online banking account and make transactions securely.
Note: you can always open the security report (the padlock icon at the very top or bottom of the IE browser window) to view the digital certificate assigned to your bank or your company (for OWA or OA).
- What is a certificate?
It is used for authentication.
A certificate is an electronic file containing a public key and specific identifying information about its subject, issued by a Certification Authority (CA) to confirm the identity of the key's owner (e.g. a bank or a company).
A Certification Authority (CA) is a core component of a PKI. It is a trusted third party (such as VeriSign, Thawte or GoDaddy) responsible for issuing digital certificates and the CRL (the list of revoked certificates that are no longer valid).
- What is a digital signature?
It is used to establish data integrity.
It is an electronic identifier analogous to a traditional paper signature. It is unique and verifiable, and can only be produced by the signer. It can be used with either encrypted or unencrypted messages to ensure a document is not altered in transit.
For example, John and Mary want to communicate securely over the network, and they decide to use PKI to protect their secrecy and privacy. John and Mary each have their own digital certificate (either bought from VeriSign or issued by the corporation's internal Microsoft Certificate Authority); each certificate contains a copy of the public key, the expiration date and the CA's digital signature. John and Mary also each hold the private key that matches their own public key.
An application on John's workstation (e.g. Acrobat, via Edit > Preferences > Security > Digital Signatures) creates a digital signature and encrypts his message. The application uses John's private key to create his digital signature, and specifically uses Mary's public key to encrypt the message. When Mary receives this signed, encrypted message, her application uses her private key (the other half of her key pair) to decrypt the message so she can read it. Since Mary is the only person who holds her private key, only she can decrypt a message encrypted with her public key, so the privacy of the document is assured. The application then uses John's public key to verify his digital signature, proving that the message was sent by John and was not changed in transit over the network.
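The John and Mary exchange above, together with the earlier point that only the matching private key can decrypt what a public key encrypted, as an added example in Go using only its standard library (this is not code from the original post or from Acrobat). John signs with his private key and encrypts with Mary's public key; Mary decrypts with her private key and verifies with John's public key. A third party, Eve, is included to show the two failure modes: she cannot decrypt the message, and a message she signs is rejected when Mary checks it against John's public key. The names, the message text and the choice of RSA-PSS for signing and RSA-OAEP for encryption are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one person's key pair. In the article's terms the public key
// is what the certificate publishes; the private key never leaves its owner.
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for a named person.
func NewParty(name string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: key}, nil
}

// SignedMessage is what travels over the network: ciphertext that only the
// recipient can open, plus the sender's signature over the plaintext.
type SignedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// Send signs plaintext with the sender's private key (RSA-PSS over a SHA-256
// digest) and encrypts it with the recipient's public key (RSA-OAEP).
// Note: RSA-OAEP with a 2048-bit key and SHA-256 can encrypt at most 190
// bytes; real applications encrypt a symmetric key this way and use that
// key to encrypt the document itself.
func Send(sender *Party, recipientPub *rsa.PublicKey, plaintext []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Receive decrypts with the recipient's private key and then verifies the
// signature with the claimed sender's public key. The plaintext is returned
// only if both steps succeed, so a wrong recipient, a tampered ciphertext
// and a forged signature are all rejected.
func Receive(recipient *Party, senderPub *rsa.PublicKey, msg *SignedMessage) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Key, msg.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: %w", recipient.Name, err)
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify against the claimed sender: %w", err)
	}
	return pt, nil
}

func main() {
	john, _ := NewParty("John")
	mary, _ := NewParty("Mary")
	eve, _ := NewParty("Eve")

	msg, _ := Send(john, &mary.Key.PublicKey, []byte("Meet at 10:00, room 4")) // constructed message
	pt, err := Receive(mary, &john.Key.PublicKey, msg)
	fmt.Printf("Mary reads: %q (err=%v)\n", pt, err)

	_, err = Receive(eve, &john.Key.PublicKey, msg)
	fmt.Println("Eve tries to read:", err)

	forged, _ := Send(eve, &mary.Key.PublicKey, []byte("Meet at 10:00, room 4"))
	_, err = Receive(mary, &john.Key.PublicKey, forged)
	fmt.Println("Eve pretends to be John:", err)
}
```

In practice a person would hold two key pairs, one for signing and one for encryption, so that the signing key can be kept strictly private while the encryption key may be escrowed for recovery; the single key pair per person here follows the article's description.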
Overall, the Internet is well on its way to becoming the major platform for worldwide business and communications. Whoever we are, we all need methods that not only assure the integrity of information transmitted over the network (Internet and intranet), but also provide privacy and confidentiality for the transactions exchanged over it.
The viable approach is to use a Public Key Infrastructure. Using public key cryptography, digital certificates and digital signatures, a PKI provides the guarantees we need before we can confidently exchange sensitive data over the Internet and intranets.