Chapter 12 - Creating a Public Key Infrastructure with Certificate Services

Abstract

Windows 2000 Server provides components to allow an organization to establish its own public key infrastructure based on asymmetric (public/private key) encryption, digital signatures, and digital certificates. Public key cryptography can provide authentication instead of privacy. Authentication involves the use of a challenge initiated by a receiver of data. The challenge is sent encrypted or in plain text. Either way, the result is proof for a receiver that a sender is authentic. This type of authentication is referred to as proof of possession. Windows 2000 also uses public key cryptography for bulk data encryption and exchanging a secret key through a non-secure communication channel. This chapter also explains digital signature, which is a hash value encrypted with a private key. By using a corresponding public key, receivers are guaranteed that a document contains no modifications and that senders are who they claim to be. With a digital signature, document itself is not encrypted. Digital signatures involve the creation of a message digest, which is signed by a sender's private key. A message digest is a 128-bit number generated by hashing the original message. Digital certificates are used to provide assurance that a public key used belongs to the entity that owns the corresponding private key. An issuer of a public key certificate is known as a certification authority. The job of the certification authority is to validate the identity of a person or organization to the public key.