Windows AD Certificate Services Family---Certificate use range (3)

Use a certificate for content encryption

Although a digital signature can verify the identity of the author and ensure consistency of the document's content, it cannot be used to protect the content itself, and if someone intercepts the digital signature information, the person can read the document information, but if he wants to modify the content, the data signature can be detected that the document is not modified by the original author, This concept has been validated by the previous chapter of the experiment.

If you want to protect the contents of a document from being read by an illegal user, you must encrypt the document and the Windows operating system can support file-based encryption, a technique known as a file encryption system (EFS Encrypting File System). Outlook messages can also be encrypted.

Efs

To use EFS to encrypt a file, you must have an EFS certificate that, like other certificates, will have a pairing key (a public key and a private key), but this pairing key is not directly used for the encryption and decryption of the content, if one key is used for encryption, and the other key is used to decrypt the This efficiency is very low, compared with the same key to the encryption and decryption, the former will be slower than the latter 100 to 1000 times times, so the encryption algorithm is usually used for symmetric encryption, it uses the same secret key to the encryption and decryption. EFS can be said to be an encryption method that combines two encryption methods.

When the user chooses to encrypt a file, the local computer generates a symmetric key, which is the secret key of the encrypted file, and after the file is encrypted, the system uses the user's public key to encrypt the symmetric key, and then saves the symmetric key in the file header. When the user who originally encrypted the file wants to decrypt the file and then read the contents of the file, the local computer decrypts the symmetric key from the file header using the user's private key, and then uses the symmetric key to decrypt the file, and this area of the header is also known as the data decryption area.

The above method is applicable to only individuals need to access encrypted files, there will be no other users need to access encrypted files. However, we encounter more cases, the user needs to access the encrypted files shared by others, this time if you want to decrypt the file and then share it for others to use, it is very inconvenient and difficult to be accepted by the user, and once the original encryption of the file to the user has lost the private key, the file will not be accessible to anyone. To solve this problem, EFS defines a data recovery area for each file, and when you use EFS on a local or domain environment, the data recovery agent role is defined by default and set to cost to the administrator or domain administrator. The data recovery agent is actually a certificate that has a pairing key, which we can use to decrypt the file when the encrypted file cannot be accessed because of a problem with the private key.

When a user encrypts a file through EFS, his public key is used to encrypt the symmetric key, and then the encrypted symmetric key is stored in the data decryption area of the file header, and the data recovery agent's public key encrypts the symmetric key and then saves the encrypted symmetric key to the data recovery area in the header. If more than one data recovery agent is defined, the symmetric key is encrypted once by the public key of each data recovery agent, and then the data recovery agent can use its private key to decrypt the symmetric key from the data recovery area if the original encrypted user cannot decrypt the file using his private key for some reason. The decrypted symmetric key is then used to decrypt the file.

Note: You can use a different method to replace the data recovery agent, the secret key recovery agent (KRA key Recovery agent) is a function that can be obtained from the CA database to the user's private key, if you have enabled the key archiving feature in the CA and EFS certificate templates, You can then use KRA to get the user's private key to decrypt the symmetric secret key.

When users want to share encrypted files to other users, this process is similar to the data recovery agent process, when we choose EFS sharing, the owner of the file must select a certificate from each user who needs to share the file, which is to be able to publish and retrieve in the ad domain, when the certificate is selected, The public key of the target user is collected on the file owner's computer, and the computer uses the public key to encrypt the symmetric key separately and save the encrypted symmetric key to the file header, and when the user wants to access the contents of the encrypted file, they decrypt the symmetric key with their private key and then decrypt the file.

Note: You can also define a data recovery agent for BitLocker Drive Encryption because the certificate template for BitLocker Data Recovery agent is not predefined, you can copy the KRA template, Then select BitLocker encryption and BitLocker Drive recovery agents in the application policy, add them to the template, and when the user has registered the certificate, you can use the GPO to use it as the BitLocker Data Recovery Agent certificate in the domain, set the path for Group Policy: Computer Configuration \ windows Settings \ Security \ Public key policy \bitlocker Drive Encryption

Message encryption:

In addition to encrypting files with EFS and encrypting drives with BitLocker, we can use certificates to encrypt messages, but message encryption is much more complex than digital signatures, and you can send digitally signed messages to any user, but you can't send encrypted messages to any user. When you want to send an encrypted message containing a PKI to someone, you must have the public key in the other's pairing key, and in a domain environment that uses the Exchange messaging system, you can publish the public key of all mailbox users to the Global Address Book (GAL Global Addresses List). Then Outlook can easily extract the recipient's public key from the GAL for sending encrypted messages. When you send an encrypted message to an internal user, your mail application (Outlook) crawls the recipient's public key from the GAL, then encrypts the message with it and sends it to the recipient, and Outlook uses the private key in the certificate to decrypt the message after the user receives the message.

The process of sending an encrypted message to an external user is more complicated because you can publish the internal user's public key to the GAL, but you cannot publish the external user's public key to the GAL, and to send an encrypted message to an external user, you must first obtain his public key, You can let the user pass his public key. The CER file is sent to you, and then you import the. cer file into your local address book, and if an external user sends you a data-signed message, you can use that data signature to get his public key, and then import his public key into your local address book so that you can send encrypted messages to those users The

Note: If you want to provide reliability verification, content consistency, and content protection for your messages, you can use both digital signatures and file encryption.

Use a certificate for validation

Certificates, in addition to digital signatures and encryption, can also be used as authentication for users and devices. Certificates are typically used for network access validation because they provide strong security for user and computer authentication, and address low-security issues based on password authentication.

For example, if you use a certificate to manage a computer that accesses a network over a VPN connection, it can authenticate users and computers, and the user can authenticate with a user name and password, but the device is authenticated by a certificate. If the device does not have a company certificate installed, even if the user has access rights and is unable to connect to the corporate network, this obviously improves the security of the network.

There are two ways to use certificates to manage network access, Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and protected Extensible Authentication Protocol (PEAP). Both of these methods use certificates for server authentication, which can be used to authenticate users and client devices, depending on the authentication method configured in the authentication type. Certificate-based authentication must be used for L2TP IPsec VPNs.

Certificates can also be used to authenticate clients in a NAP environment where IPSec is deployed, in which case the health Registration authority publishes a certificate to the client that meets the health policy so that the client can establish an IPSec connection.

Windows2012 IIS also supports certificate validation for users, for example, you can configure the OWA for Exchange to use certificate-based authentication.

Finally you can also use certificate validation for mobile devices, some mobile devices can install certificates, and then use certificates to verify that users or devices can access network resources.

This article is from the "Dry Sea Sponge" blog, please be sure to keep this source http://thefallenheaven.blog.51cto.com/450907/1591139

Windows AD Certificate Services Family---Certificate use range (3)