Post on 19-Dec-2015
Windows Vista And Longhorn Server PKI Enhancements
Avi Ben-Menahem, Lead Program Manager, Windows Security, Microsoft Corporation
Agenda
Microsoft and X.509 PKI
Credential Management Services Drilldown
Futures – Advanced Cryptography Support
Microsoft And X.509 PKI: The road ahead
Enabling primary end-to-end PKI application scenarios
S/MIME, secure wireless networks, VPN, IPSEC, EFS, Smartcard logon, SSL/TLS, and digital signatures
Enhancing credential lifecycle management
New certificate enrollment API and UI
Enhancing manageability and deployment of Certificate Services
Enabling revocation across all applications
Credential Management (overview diagram; the components named on the slide follow)
Credential Management Services Client
Credential Management Server Role
Credential Roaming
Auto Enrollment
Advanced Enrollment
Certificate Services
Online Revocation Services
Web Enrollment Services
Network Device Enrollment Services
Smart Card Subsystem
Online Revocation Services Web Proxy
Advanced Enrollment: Retiring xenroll and scrdenrl controls
The last version of Xenroll exposes interfaces ICEnroll4 and IEnroll4
Difficult to use monolithic interfaces
High cost of maintenance for:
Microsoft, to support Xenroll
Customers and Third Party CAs, if and when Xenroll is updated
Scrdenrl exposes the IScrdenr interface and leverages Xenroll
Primarily used on the client for ‘Enroll on Behalf of’ functionality
Advanced Enrollment: COM Classes for PKI Operations
Well defined class hierarchy that includes interfaces to create/manage:
Enrollments against Microsoft CA (server interfaces and protocols remain the same)
Certificate Requests (PKCS#10, PKCS#7, and CMC)
Public/Private keys
Certificate Extensions/Attributes/Properties
Subset of the functionality can be scripted via a web page
Integrated UI
Developer friendly – easy to understand and code against
Auto Enrollment
Re-architected for attack surface reduction and overall Operating System performance enhancement
WMI jobs based design
Improved usability for offline scenarios
Expiry notifications
Auto Enrollment: Expiry notification
Credential Roaming
Pain Points in deploying PKI-based solutions
Certificates and private keys are bound to a machine
For a given purpose (e.g. S/MIME), users have different sets of certificates and private keys on each machine
CA management overhead
Current options:
Smartcards
Roaming User Profiles
Credential Roaming
Solution: Credential Roaming Services deliver all credentials to the user’s machine using Active Directory replication
This helps applications like:
Secure e-mail
Client authentication
Enhanced usability for Smart Card deployments
Credentials Roaming Availability
Server-Side Components:
Windows 2000 Server SP3+
Windows Server 2003
Windows Server 2003 SP1 – recommended
Longhorn Server – recommended
Client-Side Components:
Windows Server 2003 SP1
Longhorn Client/Server
Windows XP SP3/OOB (future predictions)
Smart Card Subsystem
Simplified Software Development:
Common crypto operations handled in the platform
API for card manufacturers
Enhanced User Experience:
Planned Certification and Testing Program for Smartcard middleware on Windows Update
PnP support for Smart Cards
Enhanced Smart Card Logon Scenarios:
Root certificates propagation
Integrated Smart Card unblock
Certificate Services
Enabling delegated enrollment agent functionality
Integrating Network Device Enrollment Service (SCEP) into native setup
Manageability – Improved administrative user experience with basic functionality enhancements
Standards – Updates and enhancements to conform to critical IETF and government protocol standards
Online Responder Services
(Architecture diagram: OCSP Client (CAPI2), Web Proxy, Online Responder, Management; transports shown are HTTP and DCOM; the responder consumes CRLs from the MSFT CA and from other CAs)
RFC 2560 compliant
Focus on performance, scalability, and manageability
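The responder above answers OCSP queries, but the status it serves ultimately comes from the CA's CRL (the CRL feed from the MSFT CA in the diagram). As an added example that is not Microsoft's code and not part of the slides, the following Go program builds a throwaway CA, issues a CRL for it, and implements the relying-party side of revocation checking: verify the CRL signature against the expected issuer, refuse a stale CRL rather than treating the certificate as good, then look the serial number up. It uses only Go's standard crypto/x509 package (Go 1.19 or later); the CA name, serial numbers and lifetimes are constructed sample values. Go's standard library has no OCSP responder, so the example demonstrates the CRL path rather than the RFC 2560 exchange itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a constructed sample issuer; it signs both certificates and its CRL.
type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newDemoCA creates a self-signed CA whose key usage allows CRL signing,
// which x509.CreateRevocationList requires of the issuer.
func newDemoCA() (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Issuing CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{1, 2, 3, 4}, // constructed identifier
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{cert: cert, key: key}, nil
}

// IssueCRL signs a CRL that lists the given serial numbers as revoked.
func (ca *demoCA) IssueCRL(revoked []*big.Int, crlNumber int64) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(crlNumber),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(6 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}

// CheckRevocation is the relying-party check. It returns true when the serial
// is revoked, false when the CRL is valid and does not list it, and an error
// when the CRL cannot be trusted (bad signature, wrong issuer, or stale).
func CheckRevocation(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	// Only a CRL signed by the expected issuer may speak for its certificates.
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature rejected: %w", err)
	}
	// A CRL past NextUpdate says nothing reliable; fail closed rather than "good".
	if now.After(rl.NextUpdate) {
		return false, errors.New("CRL is stale; treat status as unknown, not good")
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, err := newDemoCA()
	if err != nil {
		panic(err)
	}
	crl, err := ca.IssueCRL([]*big.Int{big.NewInt(1001), big.NewInt(1002)}, 7)
	if err != nil {
		panic(err)
	}
	for _, s := range []int64{1002, 1003} {
		revoked, err := CheckRevocation(crl, ca.cert, big.NewInt(s), time.Now())
		fmt.Printf("serial %d: revoked=%v err=%v\n", s, revoked, err)
	}
}
```

The check is deliberately fail-closed: an unverifiable or expired CRL yields an error, never a "not revoked" answer, because an attacker who can block the CRL download should not be able to keep a revoked credential usable.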
Advanced Cryptography Support: CNG – The Open Cryptographic Interface for Windows
CNG provides the ability for the customer to plug in kernel or user mode implementations for:
Proprietary cryptographic algorithms
Replacements for standard cryptographic algorithms
Key Storage Providers (KSP)
Enables cryptography configuration at enterprise and machine levels
CNG meets Common Criteria and FIPS requirements for strong isolation and auditing
Advanced Cryptography Support: Credential Management Support
Certificate Server will support CNG for:
Issuing ECC Certificates (ECDSA, ECDH), supporting the P-256, P-384 and P-521 curves
Hashes: SHA-2 (256, 384, 512)
Enrollment API will support CNG, using the new provider model for requesting ECC based certificates
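To show what an ECC certificate request on the new provider model actually carries, here is an added Go example that is neither the CertEnroll COM classes nor any Microsoft code: it builds PKCS#10 requests (the request format listed under Advanced Enrollment) signed with ECDSA keys on the P-256, P-384 and P-521 curves named above. Go's standard crypto/x509 package selects SHA-256, SHA-384 or SHA-512 to match the curve, so the requests use the SHA-2 hashes from the slide. InspectRequest is the CA-side check: it verifies the request's self-signature and reports the signature algorithm, which is where an issuing CA would refuse a request signed with a hash it no longer accepts. The subject, organization and DNS name are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// curveByName maps the curve names used on the slide to Go's implementations.
var curveByName = map[string]elliptic.Curve{
	"P-256": elliptic.P256(),
	"P-384": elliptic.P384(),
	"P-521": elliptic.P521(),
}

// BuildECCRequest generates an ECDSA key on the named curve and signs a
// PKCS#10 request for it. Go pairs SHA-256/384/512 with P-256/384/521.
func BuildECCRequest(curve, commonName string) (*ecdsa.PrivateKey, []byte, error) {
	c, ok := curveByName[curve]
	if !ok {
		return nil, nil, fmt.Errorf("unsupported curve %q", curve)
	}
	key, err := ecdsa.GenerateKey(c, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Example Corp"}}, // constructed
		DNSNames: []string{commonName},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// InspectRequest parses a DER request, verifies the proof-of-possession
// signature, and returns the signature algorithm and subject CN so that a
// CA-side policy can reject weak hashes or unexpected subjects.
func InspectRequest(der []byte) (x509.SignatureAlgorithm, string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return x509.UnknownSignatureAlgorithm, "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return x509.UnknownSignatureAlgorithm, "", fmt.Errorf("request signature invalid: %w", err)
	}
	return csr.SignatureAlgorithm, csr.Subject.CommonName, nil
}

// ToPEM renders the DER request in the form that is submitted to a CA.
func ToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

func main() {
	for _, curve := range []string{"P-256", "P-384", "P-521"} {
		_, der, err := BuildECCRequest(curve, "host.example.test")
		if err != nil {
			panic(err)
		}
		alg, cn, err := InspectRequest(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s for CN=%s (%d bytes DER)\n", curve, alg, cn, len(der))
		fmt.Print(ToPEM(der))
	}
}
```

Running it prints one request per curve with ECDSA-SHA256, ECDSA-SHA384 and ECDSA-SHA512 respectively; a request on a curve outside the supported set is rejected before any key is generated.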
Smart Card subsystem will support dual cards
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.