Windows has provided robust, platform-wide support for public key infrastructure (PKI) since Windows 2000, which introduced the first native certification authority (CA), autoenrollment, and support for smart card authentication. Windows XP and Windows Server 2003 extended these features with more flexible enrollment options through version 2 certificate templates and with autoenrollment of user certificates. In Windows Vista and Windows Server 2008 (formerly code-named "Longhorn"), the Windows PKI platform took a further step forward, adding support for advanced algorithms, real-time validity checks, and better manageability. This column discusses the new PKI features in Windows Vista and Windows Server 2008 and how organizations can leverage them to reduce costs and increase security.
The PKI in Windows Vista and Windows Server 2008 has been improved in four core areas: cryptography, enrollment, manageability, and revocation. In addition to these specific enhancements, the Windows PKI platform benefits from other operating-system improvements, such as the role manager, which makes it easier to create and deploy new certification authorities (CAs). Many other parts of Windows can in turn take advantage of improvements in the PKI platform, such as support in Windows Vista for storing Encrypting File System (EFS) keys on smart cards.
Cryptography
The improvements to the core cryptographic services fall into two areas. First, with the introduction of Cryptography Next Generation (CNG), Windows now provides a pluggable, protocol-agnostic cryptographic API that makes it easier to develop independent algorithm implementations and to access them programmatically. Second, CNG adds support for the Suite B algorithms, which the National Security Agency (NSA) introduced in 2005.
CNG is Microsoft's new core cryptographic interface and is the recommended API for future Windows-based, cryptography-enabled applications. CNG provides a number of features aimed at developers, including easier algorithm discovery and substitution, replaceable random number generators, and a kernel-mode cryptographic API. Alongside these new features, CNG remains fully backward compatible with the set of algorithms provided in CryptoAPI 1.0. CNG is currently undergoing the evaluation required for Federal Information Processing Standard (FIPS) 140-2 Level 2 certification and Common Criteria on selected platforms.
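As an added illustration of the algorithm agility and Suite B support described above (example code written for this column, not Microsoft's own), the following PowerShell script uses the .NET wrappers over CNG to sign and verify data with ECDSA on the P-256 or P-384 curve paired with the matching SHA-2 hash. It assumes Windows PowerShell 5.1 on .NET Framework, where `System.Security.Cryptography.ECDsaCng` and `CngKey` are available; the function and parameter names are the author's own.

```powershell
# Added example: Suite B signing through CNG from PowerShell (not code from the original column).
# Assumes Windows PowerShell 5.1 / .NET Framework; ECDsaCng wraps the native CNG provider.
Add-Type -AssemblyName System.Core

function Test-SuiteBSignature {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [ValidateSet(256, 384)][int]$CurveBits = 256   # Suite B: P-256/SHA-256 or P-384/SHA-384
    )
    # Algorithm substitution: changing these two identifiers is all that is needed
    # to move between the two Suite B strength levels.
    if ($CurveBits -eq 256) {
        $keyAlg  = [System.Security.Cryptography.CngAlgorithm]::ECDsaP256
        $hashAlg = [System.Security.Cryptography.CngAlgorithm]::Sha256
    } else {
        $keyAlg  = [System.Security.Cryptography.CngAlgorithm]::ECDsaP384
        $hashAlg = [System.Security.Cryptography.CngAlgorithm]::Sha384
    }

    # Ephemeral key pair created by the CNG key storage provider.
    $key    = [System.Security.Cryptography.CngKey]::Create($keyAlg)
    $signer = New-Object System.Security.Cryptography.ECDsaCng $key
    $signer.HashAlgorithm = $hashAlg
    $signature = $signer.SignData($Data)

    # Export only the public half, as a relying party would receive it,
    # and verify with a fresh ECDsaCng instance built from that blob.
    $pubBlob  = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $pubKey   = [System.Security.Cryptography.CngKey]::Import($pubBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
    $verifier = New-Object System.Security.Cryptography.ECDsaCng $pubKey
    $verifier.HashAlgorithm = $hashAlg

    # Flip one byte to show that a modified message fails verification.
    $tampered = [byte[]]$Data.Clone()
    $tampered[0] = $tampered[0] -bxor 0x01

    [pscustomobject]@{
        Provider        = $key.Provider.Provider      # e.g. Microsoft Software Key Storage Provider
        Curve           = $keyAlg.Algorithm
        Hash            = $hashAlg.Algorithm
        SignatureBytes  = $signature.Length           # 64 for P-256, 96 for P-384
        ValidOriginal   = $verifier.VerifyData($Data, $signature)
        ValidTampered   = $verifier.VerifyData($tampered, $signature)
    }
}

# Constructed sample input.
$sample = [System.Text.Encoding]::UTF8.GetBytes('certificate request, constructed sample payload')
Test-SuiteBSignature -Data $sample -CurveBits 256
Test-SuiteBSignature -Data $sample -CurveBits 384
```

`ValidOriginal` should report `True` and `ValidTampered` `False` for both curve sizes; the `Provider` field shows which CNG key storage provider backed the key, which is the pluggable layer the column refers to.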