The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.


Public Key Enables...
- Secure Intranet
  - Certificate enrollment
  - Smart card logon
  - Signed objects
- Secure Remote Access
  - Strong authentication
  - Virtual Private Networks (VPN)
  - Data protection
  - Secure e-mail (S/MIME)

Leveraging The Windows NT 5.0 PKI
- Deploy Windows NT 5.0 Certificate Services
  - Certification Authorities
  - Certificate enrollment and policy
- Strong authentication
  - Smart card logon (Kerberos, EAP/TLS)
- Data protection
  - File system, transport layer
- Code sign using Authenticode
  - Win32® controls, CABs, catalog files

Public Key Infrastructure
[Diagram: Active Directory, Certificate Services and Application Services serving Clients equipped with a smart card (SC) certificate and reader]

PKI Trust Relationships
[Diagram: an Enterprise Root CA with an Enterprise Sub CA inside a Forest of Domains; a second Enterprise Root CA reached over a One Way Trust; a Standalone CA in a Standalone Domain reached over a Two-way Trust]

Secure Intranet Application
[Diagram: Client (smart card certificate and reader) talks to the Secure Web Server over HTTP with SSL/TLS; Certificate Enrollment goes to the Certification Authority; Certificate Mapping is resolved against Active Directory]

Certificate Enrollment
[Diagram: Client (smart card certificate and reader) sends a Certificate Request to the Subordinate CA, chained to the Root CA, and receives the certificate for Installation; the CA publishes the certificate to Active Directory]

Microsoft Certificate Enrollment Control
- Signed ActiveX® control
- Scriptable interface using HTML and Visual Basic® Script or JavaScript
  - Certificate Services SDK on MSDN
- Built on PKCS#7 and PKCS#10 standard messaging formats
- Installs certificate into system store for use by all applications
  - Supports smart cards

Code Sample: Certificate Enrollment Control
- Client
  - Set certificate values, extensions
  - Call createPKCS10() method
  - Submit request to server
  - Call acceptPKCS7() method
- Server
  - Process PKCS#10 message
  - Return PKCS#7 message
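The same four client steps, as an added example that is not from the original deck, written against the CertEnroll COM objects that later replaced the xenroll control (CX509Enrollment.CreateRequest plays the role of createPKCS10() and InstallResponse the role of acceptPKCS7()). It assumes Windows PowerShell 5.1 on a domain-joined client; the CA config string and template name are placeholders.

```powershell
function New-EnrollmentRequest {
    param(
        [Parameter(Mandatory)][string]$SubjectDN,   # e.g. 'CN=alice,OU=Users,DC=example,DC=com' (placeholder)
        [string]$TemplateName = '',                # enterprise CA template that supplies the extensions
        [int]$KeyLength = 2048
    )
    # 1. Set certificate values: a non-exportable key in the user's store plus the subject name
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = 'Microsoft Software Key Storage Provider'
    $key.Length         = $KeyLength
    $key.ExportPolicy   = 0               # XCN_NCRYPT_ALLOW_EXPORT_NONE: the private key cannot leave this machine
    $key.MachineContext = $false
    $key.Create()

    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey(1, $key, $TemplateName)   # 1 = ContextUser
    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectDN, 0)                                # 0 = XCN_CERT_NAME_STR_NONE
    $req.Subject = $dn

    # 2. createPKCS10() equivalent: emit the request as PEM-style base64 PKCS#10
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    $pkcs10 = $enroll.CreateRequest(0)                       # 0 = XCN_CRYPT_STRING_BASE64HEADER
    return $enroll, $pkcs10
}

function Complete-Enrollment {
    param(
        [Parameter(Mandatory)]$Enrollment,                   # CX509Enrollment object returned above
        [Parameter(Mandatory)][string]$Pkcs10,
        [Parameter(Mandatory)][string]$CAConfig             # 'CAHOST\Contoso Issuing CA' (placeholder)
    )
    # 3. Submit the request to the CA; certreq.exe carries it over DCOM and writes the issued certificate
    $reqFile = Join-Path $env:TEMP 'enroll.req'; $cerFile = Join-Path $env:TEMP 'enroll.cer'
    Set-Content -Path $reqFile -Value $Pkcs10 -Encoding Ascii
    & certreq.exe -submit -config $CAConfig $reqFile $cerFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerFile)) {
        throw "CA did not issue a certificate (certreq exit code $LASTEXITCODE); the request may be pending approval"
    }
    # 4. acceptPKCS7() equivalent: bind the issued certificate to the private key and install it in the user's MY store.
    #    Restriction 0 (AllowNone) rejects a response whose chain does not end in a trusted root.
    $Enrollment.InstallResponse(0, (Get-Content -Path $cerFile -Raw), 6, '')   # 6 = XCN_CRYPT_STRING_BASE64_ANY
}

# Constructed usage
$enroll, $pkcs10 = New-EnrollmentRequest -SubjectDN 'CN=alice,DC=example,DC=com' -TemplateName 'User'
Complete-Enrollment -Enrollment $enroll -Pkcs10 $pkcs10 -CAConfig 'CAHOST\Contoso Issuing CA'
```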

Certificate Storage Model
[Diagram: Logical Store Layer (My, User DS, CA, Root, Trust) on top of a Physical Store Layer (Default Store Provider, LDAP, Smart Card CSP), accessed through CryptoAPI and Smart Card Services]

SSL Protection Using SSPI
- Server
  - Open server certificate context handle
  - AcceptSecurityContext() until handshake completes
  - EncryptMessage(), DecryptMessage()
- Client
  - Open client certificate context handle
  - InitializeSecurityContext() until handshake completes
  - DecryptMessage(), EncryptMessage()

Certificate Verification
[Diagram: chain of End-entity Cert, Issuing CA Cert and Root CA Cert]
- Build certificate chain
  - CertGetCertificateChain()
- Apply policy to the chain
  - CertVerifyCertificateChainPolicy()
- Make trust decision based on status

Code Sample

    PCCERT_CONTEXT pCertContext;               // leaf certificate to verify
    PCCERT_CHAIN_CONTEXT pChainContext = NULL; // receives the built chain
    CERT_CHAIN_PARA ChainPara;
    BOOL fResult;
    ...
    memset(&ChainPara, 0, sizeof(ChainPara));
    ChainPara.cbSize = sizeof(ChainPara);      // required; the call fails on a zero cbSize

    fResult = CertGetCertificateChain(
        HCCE_CURRENT_USER,  // chain engine
        pCertContext,       // certificate context
        NULL,               // current system time
        NULL,               // additional store
        &ChainPara,         // parameters to use
        0,                  // processing flags
        NULL,               // reserved
        &pChainContext);    // context to built chain

    CERT_CHAIN_POLICY_PARA PolicyPara;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    ...
    memset(&PolicyPara, 0, sizeof(PolicyPara));
    PolicyPara.cbSize = sizeof(PolicyPara);
    memset(&PolicyStatus, 0, sizeof(PolicyStatus));
    PolicyStatus.cbSize = sizeof(PolicyStatus);

    fResult = CertVerifyCertificateChainPolicy(
        CERT_CHAIN_POLICY_BASE, // policy to use
        pChainContext,          // chain context from CertGetCertificateChain()
        &PolicyPara,            // additional checks
        &PolicyStatus);         // chain status

    // A TRUE return only means the policy could be evaluated; the trust
    // decision is PolicyStatus.dwError (0 = the chain passed the policy).
    ...
    CertFreeCertificateChain(pChainContext);
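The build-chain, apply-policy, decide sequence of the two code samples above, as an added example that is not from the original deck, using the .NET X509Chain wrapper (which on Windows sits on top of CertGetCertificateChain() and CertVerifyCertificateChainPolicy()). It assumes Windows PowerShell 5.1; the certificate file paths and the EKU value are placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,   # DER or base64 .cer file (placeholder path)
        [string[]]$ExtraCertificatePaths = @(),           # intermediates not in any store: the "additional store" argument
        [string]$RequiredEku = ''                         # e.g. '1.3.6.1.5.5.7.3.1' = server authentication
    )
    $cert  = [X509Certificate2]::new($CertificatePath)
    $chain = [X509Chain]::new()

    # Parameters to use (the CERT_CHAIN_PARA / CERT_CHAIN_POLICY_PARA equivalents)
    $chain.ChainPolicy.RevocationMode   = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag   = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationTime = [datetime]::Now     # NULL time in the C sample = current system time
    foreach ($path in $ExtraCertificatePaths) {
        [void]$chain.ChainPolicy.ExtraStore.Add([X509Certificate2]::new($path))
    }
    if ($RequiredEku) { [void]$chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new($RequiredEku)) }

    # Build the chain and apply the base policy; $built is the strict result (every check passed)
    $built = $chain.Build($cert)

    # Make the trust decision from the status flags rather than from a single bool:
    # separate "the revocation server was unreachable" from real failures so the caller can set policy.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $softFlags = [int]([X509ChainStatusFlags]::RevocationStatusUnknown -bor [X509ChainStatusFlags]::OfflineRevocation)
    $hardFailures = $flags -band (-bnot $softFlags)

    [pscustomobject]@{
        Subject                   = $cert.Subject
        Trusted                   = $built                                     # strict: nothing at all was wrong
        OnlyRevocationUnreachable = (-not $built -and $hardFailures -eq 0)     # chain is fine, revocation could not be checked
        Status                    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Chain                     = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed usage (placeholder file names)
Test-CertificateTrust -CertificatePath '.\end-entity.cer' -ExtraCertificatePaths '.\issuing-ca.cer' -RequiredEku '1.3.6.1.5.5.7.3.1'
```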

Smart Card Logon
[Diagram: Client (smart card certificate and reader) sends a logon request using its public key to the Key Distribution Center (KDC); the KDC performs verification and NT user account lookup against Active Directory and returns a Kerberos Ticket Granting Ticket (TGT)]

Code Signing Process
- Enroll for Code Signing certificate
  - VeriSign or internal CA
- Sign your objects
  - Use signcode.exe for executables (Internet Client SDK)
  - Use makecat.exe for all other types (Windows NT 5.0 SDK)
- Publish

Authenticode
- Individual objects
  - Most flexible, highest overhead
- Archives (CABs, self-extracting exes)
  - Efficient for multiple, related objects
  - Signature bound to container
- Manifests (catalog files)
  - Efficient for large collections
  - Useful for signing different file types
  - New for Windows® 98 and Windows NT 5.0

Secure Remote Access
- Strong authentication
- Virtual Private Networks (VPN)
- Data protection
- Secure e-mail (S/MIME)

Remote Access Application
[Diagram: Client (smart card certificate and reader) connects across the Internet to the Remote Access Server using EAP/TLS logon over PPTP or IPSEC; the Remote Access Server queries Active Directory over LDAP with SSL/TLS]

Strong Authentication For Dial-up Networking
- Public key certificate accepted by Remote Access Server (RAS)
  - User certificate store
  - Smart card
- Transport Layer Security (TLS)
  - Authentication protocol for PPTP
- Extensible Authentication Protocol (EAP)

Virtual Private Networks
- Client passes user certificate to server to authenticate connection
  - Supports EAP/TLS and smart card
- Data encrypted between connection points
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer Two Tunneling Protocol (L2TP)
  - IP Security Protocol (IPSec)

S/MIME Secure E-mail
[Diagram: Outlook 98 and Outlook™ Express clients (smart card certificate and reader) exchange mail through Exchange 5.5 SP1 and the Internet, retrieving the recipient's certificate from Active Directory over LDAP]

Signing Messages
- Get handle to default provider
- Get context to signing certificate
- Include other certificates (optional)
- Set algorithm info
  - CRYPT_ALGORITHM_IDENTIFIER
- Set signature info
  - CRYPT_SIGN_MESSAGE_PARA
- Call CryptSignMessage()

Code Sample

    CRYPT_SIGN_MESSAGE_PARA SigParams;   // cbSize, encoding type, signing cert and hash algorithm set beforehand
    const BYTE *MessageArray[1] = { pbMessage };
    DWORD MessageSizeArray[1] = { cbMessage };
    DWORD cbSignedMessageBlob = 0;
    ...
    // First call: pass NULL for the output buffer to learn the required size
    CryptSignMessage(
        &SigParams,             // signature parameters
        FALSE,                  // signature not detached
        1,                      // number of messages
        MessageArray,           // message(s)
        MessageSizeArray,       // size of message(s)
        NULL,                   // *get buffer size
        &cbSignedMessageBlob);  // size of buffer
    // A second call with a buffer of cbSignedMessageBlob bytes writes the PKCS#7 signed blob

Verifying Signed Messages
- Get handle to default provider
- Set signature info
  - CRYPT_VERIFY_MESSAGE_PARA
  - Callback function to get signing certificate from system store
- Call CryptVerifyMessageSignature()

Code Sample

    CRYPT_VERIFY_MESSAGE_PARA VerifyParams;
    BOOL fResult;
    ...
    memset(&VerifyParams, 0, sizeof(VerifyParams));
    VerifyParams.cbSize = sizeof(VerifyParams);
    VerifyParams.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
    VerifyParams.hCryptProv = 0;                  // default provider
    VerifyParams.pfnGetSignerCertificate = NULL;  // NULL = default callback, which uses the certificates
    VerifyParams.pvGetArg = NULL;                 // carried in the message; supply your own to search a store

    fResult = CryptVerifyMessageSignature(
        &VerifyParams,          // verification parameters
        0,                      // signer index
        pbSignedMessageBlob,    // signed blob
        cbSignedMessageBlob,    // size of signed blob
        NULL,                   // decoded msg buffer
        NULL,                   // buffer size
        NULL);                  // pointer to signer cert
    // TRUE means the signature matches the content; whether the signer is
    // trusted is a separate chain-building decision (see Certificate Verification)
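The sign-then-verify round trip described in the two slides above, as an added example that is not from the original deck, using the .NET SignedCms class (on .NET Framework a wrapper over the same CryptoAPI PKCS#7 message functions). It assumes Windows PowerShell 5.1 and a signing certificate with a private key in the user's MY store; the message text and the certificate choice are constructed placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.Pkcs
using namespace System.Security.Cryptography.X509Certificates
Add-Type -AssemblyName System.Security          # SignedCms/CmsSigner live here in Windows PowerShell 5.1

function New-SignedMessage {
    param([Parameter(Mandatory)][X509Certificate2]$SigningCert, [Parameter(Mandatory)][byte[]]$Message)
    if (-not $SigningCert.HasPrivateKey) { throw 'signing certificate has no private key' }
    $cms    = [SignedCms]::new([ContentInfo]::new($Message), $false)   # $false = signature not detached
    $signer = [CmsSigner]::new($SigningCert)                           # "get context to signing certificate"
    $signer.DigestAlgorithm = [Oid]::new('2.16.840.1.101.3.4.2.1')     # SHA-256: the "set algorithm info" step
    $signer.IncludeOption   = [X509IncludeOption]::ExcludeRoot         # "include other certificates": chain minus the root
    $cms.ComputeSignature($signer)
    return $cms.Encode()                                               # PKCS#7 signed blob
}

function Test-SignedMessage {
    param([Parameter(Mandatory)][byte[]]$SignedBlob, [switch]$VerifyChain)
    $cms = [SignedCms]::new()
    try {
        $cms.Decode($SignedBlob)
        # $true = check the signature only; $false = also build and validate the signer's certificate chain.
        # Signature-only verification says nothing about whether the signer is trusted.
        $cms.CheckSignature(-not $VerifyChain)
        $signerCert = $cms.SignerInfos[0].Certificate
        [pscustomobject]@{
            Valid      = $true
            Signer     = $signerCert.Subject
            Thumbprint = $signerCert.Thumbprint
            Content    = [System.Text.Encoding]::UTF8.GetString($cms.ContentInfo.Content)
            Error      = $null
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        [pscustomobject]@{ Valid = $false; Signer = $null; Thumbprint = $null; Content = $null; Error = $_.Exception.Message }
    }
}

# Constructed usage: first certificate with a private key in the user's MY store (placeholder choice)
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey | Select-Object -First 1
$blob = New-SignedMessage -SigningCert $cert -Message ([System.Text.Encoding]::UTF8.GetBytes('constructed test message'))
Test-SignedMessage -SignedBlob $blob -VerifyChain
```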

Developer Tools
- Windows Platform SDK Base Services
  - Cryptographic Service Providers
  - CryptoAPI 2.0
  - Certificate Server
  - Smart Card
  - Security
- Visual Studio™

Summary
- Secure Intranet
  - Client and server certificates
  - Smart card logon
  - Code signing
- Secure Remote Access
  - Certificates for dial-up networking
  - Secure e-mail using S/MIME
  - Transport level security

Call To Action
- Leverage the Windows NT 5.0 Public Key Infrastructure to secure your applications
- Use CryptoAPI to add encryption and signed messaging to your applications
- Use SSPI to add channel data protection to your applications
- Use Authenticode to sign your code

Resources
- Windows Platform
- Windows NT® Server
- Security Advisor
- Developer Information and Tools