I remember several years back wondering what a PKI was. PKI was a hot topic in the media, often appearing as a buzzword in many different publications. Claims of what this technology could and would do were often glamorous and exaggerated. However, much of the hype over the technology has now ceased. Let's take a look at what a PKI actually is and what it could do for you.
A PKI is a set of services combined to form an infrastructure for the purpose of securing applications. A PKI provides these services to applications:
There are a few terms above that need to be defined. An identity is a name; the name may refer to a person or a printer. A key is essentially a number. This number is associated with the identity to form a certificate. The certificate may be stored within a database or a file; the storage method is not really important. What is important is that the certificate and the data it contains are accessible. Signing a certificate refers to the process by which the Certificate Authority (CA) places its stamp of approval on the certificate, which is to say that the certificate is valid according to the CA. This entire process is referred to as certification.
Not all of these services are required for every PKI installation. In fact, a small PKI installation can suit most environments just fine.
As important as it is to understand what a PKI is, it is equally important to understand what it is not. A PKI usually does not (and probably should not) handle authorization. Authorization services should be provided by a PMI (Privilege Management Infrastructure). However, a PMI could make use of a PKI for identity verification. A PKI does not automatically make a system secure: human error, software bugs, and malicious code signed by a trusted entity all remain possible.
The services listed above can be used to support many security services. Typically a PKI is used to sign and/or encrypt data. Signatures are used to ensure that the data is from whom it claims to be from. Encryption scrambles the data so that only the intended recipients are able to view it.
In these definitions it is very important to remember that the term 'data' could refer to the information necessary for a user to log on to Windows, or to the timestamp on an email. It could also refer to a file that is encrypted on a CD-ROM.
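To make the definitions above concrete, here is an added example (not code from the original article or from any Windows component) that walks through certification and data signing as the article describes them: a CA binds an identity (a name) to a key by signing a certificate, and a signature over data lets a recipient check both that the signer's certificate carries the CA's stamp of approval and that the data is unchanged. It uses only the Go standard library's X.509 and ECDSA support; the CA name "Example Root CA", the identity "printer-01" and the sample data are constructed for the example, and the `MiniPKI` type and its methods are hypothetical names chosen here. Encryption, the other use the article mentions, is a separate operation and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniPKI is a hypothetical in-memory Certificate Authority constructed for this example.
type MiniPKI struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	roots  *x509.CertPool // the CAs this PKI trusts: only itself
}

// newCert generates a key pair for name and has signer (the CA key, or the new key itself for a
// self-signed root) sign a certificate binding name to the new public key.
func newCert(name string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, signer = tmpl, key // self-signed root: the CA vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewMiniPKI creates a self-signed CA and a trust store containing just that CA.
func NewMiniPKI(caName string) (*MiniPKI, error) {
	cert, key, err := newCert(caName, 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &MiniPKI{caKey: key, caCert: cert, roots: roots}, nil
}

// Certify is the certification step: a key for an identity (a user, a printer) is bound to that name in a certificate the CA signs.
func (p *MiniPKI) Certify(identity string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(identity, serial, false, p.caCert, p.caKey)
}

// VerifyCertificate checks that the CA's stamp of approval is genuine and the certificate is current.
func (p *MiniPKI) VerifyCertificate(cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SignData signs a SHA-256 digest of data with the certificate holder's private key.
func SignData(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySignedData answers "is this data really from the named identity?": the signer's certificate must chain to the trusted CA, then the signature must match the data.
func (p *MiniPKI) VerifySignedData(cert *x509.Certificate, data, sig []byte) error {
	if err := p.VerifyCertificate(cert); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	if digest := sha256.Sum256(data); !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match data")
	}
	return nil
}

func main() {
	pki, _ := NewMiniPKI("Example Root CA")      // constructed CA name
	cert, key, _ := pki.Certify("printer-01", 2) // constructed identity
	sig, _ := SignData(key, []byte("print job 42"))
	fmt.Println(pki.VerifySignedData(cert, []byte("print job 42"), sig)) // <nil>: trusted identity, untampered data
}
```

Two failure cases are worth trying against this code: altering the data after it was signed makes `VerifySignedData` fail at the signature check, and a certificate for the same name issued by a different, untrusted CA fails at the certificate check before the signature is even examined. Note what the PKI does not decide: a signature from a certified identity only tells you who signed the data, not whether the data itself is safe, which is the point the article makes about signed malicious code.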
Windows 2000 was the first Microsoft OS to ship with integrated PKI components. Windows 2003 extends this functionality with many enhancements. Here are the PKI components included within Windows:
Within Windows itself, the only things you can use the Windows PKI implementation for are the following:
Out of the box, the PKI components in Windows can only be used for the purposes listed above. This is not to say that, with a bit of ingenuity (and a sufficient test lab), you could not use Windows PKI services together with some open standards (LDAP, HTTP) to secure email hosted on a Linux box.
It is also important to note that Windows PKI is not a replacement for (and cannot be used as such) standard Windows security. For example, you may use it to complement Windows security by allowing smart card logons. However, it cannot be used to allow server-to-server authentication in place of Kerberos.
PKI and PKI in Windows are very large topics. This has just been a taste of what you would need to know before designing, deploying or even deciding on a PKI. For more information, please refer to the references at the end of this article.
"Windows Server 2003 Technical Library." Microsoft, 2007.
Adams, Carlisle, and Steve Lloyd. Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd ed. Boston: Pearson Education Group, 2003.