Overview of the Windows AD Certificate Services Family---PKI (1)

PKI (public Key Infrastructure) is a combination of software that uses encryption technology, processes, and services to help companies protect their communications and business transactions. A PKI is a system consisting of digital certificates, CAS, and other registered authorities. When an electronic transaction occurs, the PKI confirms and certifies the validity of each component it involves. PKI standards are still evolving, but they have been widely used as the basic components of e-commerce.

Basic concepts of PKI

Typically a PKI solution relies on a variety of technologies and components, and when you plan to implement a PKI, you need to consider and understand the following points:

1. Infrastructure. This is the same concept as other infrastructures, such as the power system, the transportation system, the infrastructure of the water supply. Each of the elements that make up a PKI has specific work to do, and they need to match your needs to provide effective functionality, all of which combine to make the PKI work effectively and securely, and the elements that make up the PKI include the following:

   A. A certification authority (CA)

   B. A certificate Warehouse

   C. A registered authority

   D. Ability to revoke certificates

   E. Ability to back up, restore, update keys

   F. Ability to manage and track point-in-time

   G. Client-side processing

2. Public/private key. There are two methods that are commonly used to encrypt and decrypt data:

   A. Symmetric encryption: It is a special method of data encryption that uses the exact same secret key for encryption and decryption. To encrypt data in this way, you must have the same secret key, so anyone with this key can encrypt the data, but the secret key that is integrated with encryption must be individually maintained and managed by the individual.

   B. Asymmetric encryption: This method of encryption and decryption of the application of the secret key is different, it is also a special method of data encryption, but he used the secret key encryption and decryption with the secret key is different. This encryption method uses a pair of keys, which consist of a public key and a private key, both of which are unique. They can decrypt each other, that is, the public key encrypted data can be decrypted with the private key, and vice versa. Because the secret key is completely different, you cannot determine another key by one key, so you can publish one of the keys, which does not reduce the security of the data, as long as the other secret key to ensure privacy.

For large amounts of data, algorithms that use symmetric encryption are faster and more efficient, but with symmetric keys, there is a risk in security because you need to send the secret key along with the encrypted file to the receiver. Or we encrypt the file with asymmetric encryption, which can guarantee the security of the data, but it is much slower than symmetric encryption. In view of their advantages and disadvantages, we generally adopt a hybrid encryption method, that is, we use a symmetric key to encrypt the data, and then we use asymmetric keys to encrypt the symmetric key, so that both security, but also meet the needs of fast and efficient.

If you have a PKI deployed in your environment, it is very useful for the security of your environment and it has the following benefits:

1. Confidentiality. PKI solutions enable your data to be encrypted during both the Save and transfer process

2. Integrity. You can use PKI to digitally sign data, and digital signatures can verify that the data has been modified during transmission.

3. Reliability and non-repudiation. The authentication data generates a digest of information through a hashing algorithm, and the sender uses his private key to sign the information digest, proving that the information digest is reliable. Non-repudiation refers to the evidence that a digital signature can provide the integrity of the signature data and the origin of the original.

4. Standardized methods. PKI standardization refers to the mandatory adherence of most technology providers, the security infrastructure provided to enable the PKI, which is based on the industry standard defined in RFC 2527, "Internet of the Public Key Infrastructure certificate policy and Certification practice framework"

Components of a PKI solution

To provide a complete PKI solution that requires multiple components to work together, the PKI has the following components in Windows2012:

2. Ca. The CA issues and manages digital certificates for users, services, computers, and establishes a PKI in the company by deploying a CA.

4. Digital certificates. Digital certificates are similar to electronic visas, where digital certificates are used to prove the identity of the user, and the digital certificate contains the electronic credentials associated with the pairing key, which is used to authenticate users and other devices. Digital certificates also protect software and code from a trusted source, and digital certificates contain multiple areas, such as objects, publishers, and common names. These areas determine the specific purpose of the certificate, For example, a Web server may be in the common name Zone of the certificate value is web01.adatum.com, then this certificate can only be effective for this Web server, if someone tries to use this certificate on a web02.adatum.com Web server, then he will receive a warning message.

6. Certificate templates. This component is used to describe the content and purpose of a digital certificate. When requesting a certificate from an enterprise CA in a domain environment, the applicant for the certificate selects multiple certificate types from the certificate template, such as the user type and the code signing type, based on the permissions that he has. Certificate templates allow users to determine the type of certificate they need from a low-tech perspective, and it also allows the administrator to differentiate what roles can request a certificate.

8. Certificate revocation lists (CRLs) and online transponders:

   A.CRL is a list of digital signatures that are dedicated to revoked certificates. These manifests are periodically published, and the client receives and caches the manifest, and the cache time depends on the life cycle of the CRL, which is used to determine the revocation status of the certificate.

   B. Online transponders are part of the online Certificate Status protocol (OCSP online Certificate status Protocol) role service in Windows2008 and Windows2012, and the online Responder does not require the client to download the entire CRL. is able to receive requests to check certificate revocation status, which increases the speed of certificate revocation status checks, reduces network bandwidth, and enhances scalability and fault tolerance by enabling array configurations for online transponders.

10. Public key-based applications and services. This is related to applications and services that support public key cryptography, in other words, applications and services must be able to support public key deployment in order to benefit from this capability.

12. Certificate and CA management tools. The administration tool provides both command line and UI interface modes that can be used to:

    A. Configuring the CA

    B. Restoring an archived private key

    C. Import and export keys and certificates

    D. Publishing CA certificates and CRLs

    E. Managing issued Certificates

14. Authoritative Information access (AIA Authority information Access) and revocation List Publishing points (CDP CRL distribution point). The AIA is used to determine the area where the CA certificate is discovered and validated, and CDP is used to determine the location of the CRL that the certificate discovers during validation. As the number of revoked certificates increases over time, the CRL becomes larger, but you do not have to publish the entire CRL, you can publish a small, transitional CRL, which is called an incremental CRL. The delta CRL contains only the revocation certificate that was added after the last CRL publication, which allows the client to quickly establish a complete list of revoked certificates by acquiring an incremental CRL, and the use of the delta CRL also makes the revocation of the certificate's data published more frequently, given the size of the delta CRL, So it does not need to spend a lot of time in the delivery process like a full CRL.

16. Hardware Security Module (HSM Hardware security module). An HSM is an optional password-protected hardware device that accelerates the management of cryptographic processing of digital keys. This is the use of high-security-specific storage devices to connect to the CA to manage certificates, usually the HSM is physically connected to the computer, which is an optional plug-in for the PKI and is widely used in environments with high security requirements.

Note: The most important component in any security infrastructure is physical security, and a security infrastructure is not just enough to deploy a PKI, but also a combination of other elements such as physical security and appropriate security policies that play an important role throughout the security architecture.

What is a CA

A CA is a well-designed, highly trusted service in the enterprise that provides certificates, manages and publishes CRLs for users and computers, and responds to OCSP as appropriate. You can deploy the AD CS role on Windows2012 to build a CA, and when you install the first CA server, it will build a PKI in the network, and as the highest point in the entire PKI structure, you can build multiple CAs in the network, However, only one CA can be at the highest point in the CA hierarchy, which is known as the root CA.

The primary purpose of the CA is to issue certificates, revoke certificates, and publish AIA and CRL information. With these actions, the CA can ensure that the object (user, computer, service) that it issued the certificate can be successfully verified. CAS play multiple functions or roles in the PKI, in a large PKI, the role of the CA is common across multiple servers, and the CA can provide the following administrative tasks:

1. Verify the identity of the certificate requester

2. Issue certificates to users, computers, and services that issue certificate requests

3. Manage Revocation of certificates

When you deploy the first CA in the network, it first issues a certificate for itself, and then the other CA receives the certificate from this and the CA, and you can use a public certificate as the certificate of your CA.

This article is from the "Dry Sea Sponge" blog, please be sure to keep this source http://thefallenheaven.blog.51cto.com/450907/1591646

Overview of the Windows AD Certificate Services Family---PKI (1)