Windows Vista And Longhorn Server PKI Enhancements
Avi Ben-Menahem, Lead Program Manager, Windows Security, Microsoft Corporation


Agenda

Microsoft and X.509 PKI

Credential Management Services Drilldown

Futures – Advanced Cryptography Support

Microsoft And X.509 PKI: The road ahead

Enabling primary end-to-end PKI application scenarios
  S/MIME, secure wireless networks, VPN, IPSEC, EFS, Smartcard logon, SSL/TLS, and digital signatures

Enhancing credential lifecycle management
  New certificate enrollment API and UI

Enhancing manageability and deployment of Certificate Services

Enabling revocation across all applications

Credential Management (overview of the components covered in the following slides)

Credential Management Services Client
  Credential Roaming
  Auto Enrollment
  Advanced Enrollment
  Smart Card Subsystem

Credential Management Server Role
  Certificate Services
  Online Revocation Services
  Online Revocation Services Web Proxy
  Web Enrollment Services
  Network Device Enrollment Services

Advanced Enrollment: Retiring the xenroll and scrdenrl controls

The last version of Xenroll exposes the interfaces ICEnroll4 and IEnroll4
  Difficult to use monolithic interfaces
  High cost of maintenance for
    Microsoft to support Xenroll
    Customers and Third Party CAs if and when Xenroll is updated

Scrdenrl exposes the IScrdenr interface and leverages Xenroll
  Primarily used on the client for ‘Enroll on Behalf of’ functionality

Advanced Enrollment: COM Classes for PKI Operations

Well defined class hierarchy that includes interfaces to create/manage
  Enrollments against Microsoft CA (server interfaces and protocols remain the same)
  Certificate Requests (PKCS#10, PKCS#7, and CMC)
  Public/Private keys
  Certificate Extensions/Attributes/Properties

A subset of the functionality can be scripted via a web page

Integrated UI

Developer friendly – easy to understand and code against


Auto Enrollment

Re-architected for attack surface reduction and overall Operating System performance enhancement

WMI jobs based design

Improved usability for offline scenarios
  Expiry notifications

Auto Enrollment: Expiry notification (screenshot slide)


Credential Roaming: Pain Points in deploying PKI-based solutions

Certificates and private keys are bound to a machine
  For a given purpose (e.g. S/MIME), users have different sets of certificates and private keys on each machine
  CA management overhead

Current options
  Smartcards
  Roaming User Profiles

Credential Roaming: Solution

Credential Roaming Services deliver all credentials to the user’s machine using Active Directory replication

This helps applications like
  Secure e-mail
  Client authentication

Enhanced usability for Smart Card deployments

Credentials Roaming Availability

Server-Side Components
  Windows 2000 Server SP3+
  Windows Server 2003
  Windows Server 2003 SP1 – recommended
  Longhorn Server – recommended

Client-Side Components
  Windows Server 2003 SP1
  Longhorn Client/Server
  Windows XP SP3/OOB (future predictions)


Smart Card Subsystem

Simplified Software Development
  Common crypto operations handled in the platform
  API for card manufacturers

Enhanced User Experience
  Planned Certification and Testing Program for Smartcard middleware on Windows Update
  PnP support for Smart Cards

Enhanced Smart Card Logon Scenarios
  Root certificates propagation
  Integrated Smart Card unblock


Certificate Services

Enabling delegated enrollment agent functionality

Integrating Network Device Enrollment Service (SCEP) into native setup

Manageability – Improved administrative user experience with basic functionality enhancements

Standards – Updates and enhancements to conform to critical IETF and government protocol standards


Online Responder Services

Architecture diagram (elements recovered from the slide): OCSP Client (CAPI2), Web Proxy, Online Responder, Management; transports shown are HTTP and DCOM; CRL sources shown are MSFT CA and Other

RFC 2560 compliant

Focus on performance, scalability, and manageability

Advanced Cryptography Support: CNG – The Open Cryptographic Interface for Windows

CNG provides the ability for the customer to plug in kernel or user mode implementations for
  Proprietary cryptographic algorithms
  Replacements for standard cryptographic algorithms
  Key Storage Providers (KSP)

Enables cryptography configuration at enterprise and machine levels

CNG meets Common Criteria and FIPS requirements for strong isolation and auditing

Advanced Cryptography Support: Credential Management Support

Certificate Server will support CNG for
  Issuing ECC certificates (ECDSA, ECDH), supporting the P-256, P-384 and P-521 curves
  Hashes: SHA-2 (256, 384, 512)

Enrollment API will support CNG, using the new provider model for requesting ECC based certificates

Smart Card subsystem will support dual cards
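As an added check (not part of the deck), a PowerShell inventory that classifies a machine's certificates against the capabilities this slide lists: ECC key and curve size, SHA-2 versus SHA-1 signature, and whether the private key sits in a CNG Key Storage Provider or a legacy CSP. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later; the function name Get-PkiAlgorithmInventory is mine, and the curve name is derived from key size, which holds for the NIST curves named on the slide.

```powershell
# Added example, not from the deck. Assumes Windows PowerShell 5.1 / .NET Framework 4.6+
# (the *CertificateExtensions helpers); the function name is hypothetical.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-PkiAlgorithmInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $keyAlg   = $cert.PublicKey.Oid.FriendlyName       # 'RSA' or 'ECC'
        $sigAlg   = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA, sha1RSA, sha256ECDSA
        $curve    = $null
        $provider = 'none (no private key)'
        try {
            if ($keyAlg -eq 'ECC') {
                # Key size stands in for the curve name (assumption: NIST P-256/P-384/P-521 only)
                $pub = [ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
                if ($pub) { $curve = "P-$($pub.KeySize)" }
            }
            if ($cert.HasPrivateKey) {
                # RSACng / ECDsaCng mean the key lives in a CNG Key Storage Provider;
                # RSACryptoServiceProvider means a legacy CAPI CSP. ECC keys are CNG-only.
                $priv = $null
                if ($keyAlg -eq 'ECC') { $priv = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) } else { $priv = [RSACertificateExtensions]::GetRSAPrivateKey($cert) }
                if ($priv -is [RSACryptoServiceProvider]) { $provider = 'legacy CSP' }
                elseif ($priv) { $provider = 'CNG KSP' }
                else { $provider = 'unknown' }
            }
        } catch { $provider = "unreadable: $($_.Exception.Message)" }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            KeyAlgorithm = $keyAlg
            Curve        = $curve
            SignatureAlg = $sigAlg
            Sha2Signed   = [bool]($sigAlg -match '^sha(256|384|512)')
            PrivateKeyIn = $provider
            NotAfter     = $cert.NotAfter
        }
    }
}

# Surface what still predates the CNG/SHA-2 model: SHA-1 signatures or keys held by a legacy CSP.
Get-PkiAlgorithmInventory |
    Where-Object { -not $_.Sha2Signed -or $_.PrivateKeyIn -eq 'legacy CSP' } |
    Format-Table Subject, KeyAlgorithm, Curve, SignatureAlg, PrivateKeyIn -AutoSize
```

Run it elevated to read machine-store private keys; pass -StorePath 'Cert:\CurrentUser\My' to inventory the user's own certificates instead.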

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.