What is a Public Key Infrastructure (PKI & Windows PKI)?
I remember several years back wondering what a PKI was. PKI was a hot topic in the media; often appearing as a buzz word in many different publications. Claims of what this technology could and would do were often glamorous and exaggerated. However, much of the hype over the technology has now ceased. Lets take a look at what a PKI actually is and what it could do for you.
What is a PKI?
A PKI is a set of services combined to form an infrastructure for the purpose securing applications. A PKI provides these services to applications:
- Certificate Authority – Digitally signs a certificate that contains an identity and a key. This process is called certification
- Key Backup and Recovery – A means to restore lost or damaged certificates
- Key History – Certificates may be updated (because of expiration or a name change) Any data secured using the older keys would not be accessible unless the older keys are kept in an archive
- Certificate Repository – A Storage repository for certificates
- Certificate Revocation – A means of breaking the relationship between an identity and a key
- Automatic Key Recertification – Certificates expire after a specified amount of time (determined at certificate creation). Automated key recertification can update the certificate with a new expiration date when necessary without manual intervention
- Cross Certification – Used to establish a trust relationship between separate PKI’s. This allows for a distributed and decentralized infrastructure
- Support for Non-Repudiation – Prevents a certificate owner from denying that data was secured using the owner’s certificate
- Time stamping – Certifies that the time stamp on the secured data is accurate and valid
- Client API – A means for an application to use the services offered by a PKI
There are a few terms above that need to be defined. An identity is a name. The name may refer to a person or a printer. A key is essentially a number. This number is associated with the identity to form a certificate. The certificate may be stored within a database or a file. The storage method is not really important. What is important is that it and its contained data are accessible. Signing a certificate refers to the process of the Certificate authority placing its stamp of approval on the certificate which is to say that the certificate is valid according to the CA. This entire process is referred to as Certification.
Not all of these services are required for every PKI installation. In fact a small PKI install can suit most environments just fine.
What PKI isn’t
As important as it is to understand what a PKI is, it is equally important to understand what it is not. A PKI usually does not (and probably should not) handle authorization. Authorization services should be provided by a PMI (Privilege Management Infrastructure). However, a PMI could make use of a PKI for identity verification. A PKI does not automatically make a system secure. Human error… software bugs… malicious code signed by a trusted entity…
What can PKI be used for?
The services listed above can be used to support many security services. Typically a PKI is used to sign and or encrypt data. Data Signatures are used to ensure that the data is from who it claims to be from. Encryption scrambles the data so that only then intended recipients are able to view it.
In these definitions it is very important to remember that the term ‘data’ could refer to the information necessary for a user logon to Windows. Or it could be the timestamp on an email. It could also refer to a file that is encrypted on a CDROM.
The PKI components in Windows
Windows 2000 was the first Microsoft OS to ship with integrated PKI components. Windows 2003 extends this functionality with many enhancements. Here are the PKI components included within Windows:
- Certificate Authority (CA)
- Certificate Revocation Lists (CRL)
- Active Directory (AD) – A possible store for certificates
- Internet Information Services (IIS) – Used for Web enrollment – a method of requesting and installing certificates. This is a component Windows certificate management
- Multiple API’s for PKI service access
- PKIX – Defines interoperable PKI standards for the Internet
- X.509 -Describes the standard format of a certificate
- PKCS -Provides a standard for public key message exchanges
- TLS – Provides a secure and authenticated channel between hosts on the Internet above the transport layer
- S/MIME – Serves as a standard for secure e-mail across the Internet
- Kerberos authentication protocol – Provides a symmetric key framework for authentication in large networks
- PC/SC – Serves as a standard for integrating smart cards and smart card readers
What can the PKI components in Windows be used for?
Within Windows itself, the only things you can use the Windows PKI implementation for are the following:
- Securing web servers
- Securing email
- Application signatures (i.e. Signed drivers or ActiveX controls)
- Encrypted File Systems (EFS) recovery agents
- Smart Card Logins
- To setup IPSec between two machines from different domains
What can the PKI components in Windows not be used for…yet?
Out of the box, the PKI components in Windows can only be used for the purposes listed above. This is not to say that with a bit of ingenuity (and a sufficient test lab) you could not use Windows PKI services with some open standards (LDAP, HTTP) to secure email hosted on a Linux box.
It is also important to note that Windows PKI is not a replacement for (and cannot be used as suck) standard Windows security. For example, you may use it to complement windows security by allowing smart card logins. However, it cannot be used to allow server to server authentication in place of Kerberos.
PKI and PKI in Windows are very large topics. This has just been a taste of what you would need to know before designing, deploying or even deciding on a PKI. For more information, please refer to the references at the end of this article.
Adams, Carlisle and Steve Lloyd. Understanding PKI :Concepts, Standards and Deployment Considerations S’E. Boston: Pearson Education Group, 2003
Recent Security Forum threads
Got a question? Post it on our Security Forums!