SSL and Digital Certificate Services (1)
With the spread of the Internet, security problems have become more prominent and the need to protect data has grown stronger. On today's Internet, the most common form of security is provided by digital certificates. A digital certificate can identify a client and a server to each other over an untrusted network, and the keys it carries can be used to encrypt data. This article discusses the techniques involved and Microsoft's implementation of authentication on the Internet. The topics covered are: Secure Sockets Layer (SSL) and why it is a secure foundation; encryption and its role for the client and the server; certificates and certificate authorities on the Internet; and the Microsoft Certificate Services server.

Introduction to Secure Sockets Layer (SSL)

Using X.509 certificates, RSA public key ciphers, encrypted communication and authentication, Internet Information Services 5 provides a high-performance implementation of Secure Sockets Layer (SSL) 3.0. SSL lets a client and a server communicate at a negotiated level of security and authentication. When a connection is initiated, SSL negotiates a symmetric session key and an authentication level. The symmetric key is used to encrypt and decrypt the data. While the connection is being established, the client and/or the server can also be authenticated. Once the negotiation is complete, the client and server transmit data securely by encrypting it.

Encryption

Encryption scrambles data so that it cannot easily be read. Setting up server certificates in Internet Information Services 5 works as in Internet Information Server 4, with two exceptions: server certificates are now bound to individual web sites, and a new wizard makes configuring a server certificate easier. Setting up SSL encryption in Internet Information Services 5 is likewise the same, with one exception: you can now use Server-Gated Cryptography (SGC) certificates and encryption.
SGC is used in the banking industry; with it, the export version of Internet Information Services can use 128-bit encryption. Encrypted communication between client and server must be configured at both ends. The client, or web browser, may support 40-bit or 128-bit encryption, or both, and the server can encrypt communication only after a server certificate has been installed.

128-bit and 40-bit clients

Web browsers such as Microsoft Internet Explorer 5.0 support two encryption levels: 40-bit and 128-bit. 40-bit encryption is considered weak; it is the strongest level available in the export versions (the versions shipped outside the United States and Canada), because the US government regards strong encryption as a threat to national security. The North American versions of Internet Information Services, Internet Explorer and Netscape Navigator support 128-bit encryption. To find out which encryption level your copy of Internet Explorer has installed, open the Help menu and choose About Internet Explorer.

Encryption and authentication

Although encryption and authentication are usually discussed together, they are two different topics. Authentication is a method of confirming the identity of a person or process in a communication. Authentication can be one-way, where one party confirms the identity of the other, or two-way, where both parties confirm each other's identity.
SSL and Digital Certificate Services (2)
Using a server certificate

A server certificate is an electronic ID for your server. It lets the server perform two important functions for securing communication: identifying itself to users, and encrypting the data exchanged with them. SSL encryption requires a server certificate bound to your web site. The certificate contains keys, which are needed when a secure connection is built between your web site and a user requesting protected information. In Internet Information Server 4, server certificates were bound to the web service rather than to individual sites, unless a site had its own IP address. In Internet Information Services 5 you can bind a server certificate to any web site, but each site can have only one certificate. Also, in Internet Information Server 4 you had to use Key Manager to bind the certificate; in Internet Information Services 5 the Web Site Certificate Wizard makes the whole process easier, guiding you through requesting and installing a certificate.

Client certificates and certificate mapping

A client certificate is the client-side equivalent of a server certificate. It is a digital ID that identifies a client to your web server and lets the server use client certificate mapping. Client certificate mapping maps a client's certificate to a Windows user account, so that users who present one of these certificates and hold the right account are authenticated and authorized automatically. For example, a user named Vicky holds a client certificate. When she clicks a link to the employee information section of the company web site, her browser sends her certificate information to the server in the request headers, and the server looks up a mapping for the certificate. If the certificate is valid and maps to a valid Windows user account, and that account is allowed to access the content, Vicky is authenticated automatically and the requested data appears in her browser.
Types of certificate mapping

Internet Information Services 5 offers two types of certificate mapping: one-to-one and many-to-one. A one-to-one mapping links one specific certificate to one Windows user account; a copy of the client certificate must be kept on the server for authentication. If the user later presents a different client certificate for the same request, the mapping must be re-established. A many-to-one mapping uses only some of the certificate's fields and compares them against a set of criteria associated with a user account. As long as a certificate meets the criteria, authentication succeeds. In this way many certificates can be mapped to one user account, and no copy of the certificate needs to be stored on the server.

The following scenario illustrates the difference. When a request arrives with a certificate, the server has two ways to map it. It can say: "I need to find a certificate issued in March 2002 with serial number ZXV345T4689AS234. If I cannot find that certificate, I send a 403 Forbidden error and the request is over." Or it can say: "I am looking for any certificate issued by XYZ Certificate for ABC between March 1, 2002 and June 1, 2002. If I find a certificate like that, the request is accepted." The first case is a one-to-one mapping; the second is a many-to-one mapping. It is easy to see that one-to-one mapping is more secure, but it needs more setup and maintenance; many-to-one mapping is somewhat less secure, but it is more flexible and needs less administration and maintenance.

Fortezza cards and certificate mapping

A Fortezza smart card carries a copy of a certificate and can be used for mapping. Once the certificate has been copied onto the card, the certificate is processed like any other client certificate.
One-to-one mapping is usually used with Fortezza cards, because they are designed for higher security.

Basic authentication with SSL

Basic authentication can be combined with SSL encryption to improve security. SSL is commonly used to encrypt data transferred to and from the web service, for example a user's credit card number during an online purchase. When SSL is combined with basic authentication, the user's account name and password are encrypted as well, which is safer. Basic authentication with SSL is particularly useful for clients that use non-Microsoft browsers: these clients can be authenticated by Internet Information Services without their user names and passwords crossing the Internet in clear text.

Digital certificates

Internet Information Services also supports X.509 digital certificates for access control. These digital certificates must be issued by a trusted certificate authority and are kept on the client's computer. They work like an ID card: when the client tries to access the web server, it sends the information from the digital certificate. A digital certificate is more secure than a simple ID card, however. When the certificate is generated, the user must supply a password, and whenever the certificate is used later the user must enter the password again, which ensures that the user is the true owner of the certificate. Using digital certificates requires a suitable protocol, such as SSL, on both the client and the server. The server normally also presents a certificate to the client to identify the server or its domain name.

Choosing a mapping method

Several factors affect which mapping method you choose, but the main two are the level of security you need and the administrative resources available. If you need high security, one-to-one mapping is ideal, provided you can afford the resources to manage it.
If your administrative resources are limited and you have many clients to map, many-to-one mapping is a good fit, as long as the security you need is not particularly high. To help you choose, here are some suggestions:

- Small network, low security requirements, no certificates required. Even on a small network this is an option, because the security requirements for the information are not high. You can create a simple certificate and share it on a floppy disk.
- Small network, low security requirements, certificates required. If you need to know who is accessing the site, use many-to-one mapping, matching on the user name and mapping to a single user account. This takes more work, but it is still easier than one-to-one mapping, because users can replace their certificates without the mapping having to be reset.
- Small network with confidential information, certificates required. In this case one-to-one mapping is best, with the mapping verifying the individual account. This means that if a user switches to another certificate you must set up a new mapping, but the number of users is assumed to be small. You can also use the Windows 2000 Active Directory authentication features; see the Windows 2000 documentation for details.
- Large network, low security requirements, no certificates required. The solution is the same as for a small network, but you can choose different authentication for each department or group.
- Large network with confidential information, certificates required. From a security standpoint you should choose one-to-one mapping; to simplify administration you may choose many-to-one instead. It depends mainly on your needs; if you use one-to-one mapping, consider using Active Directory to simplify management.
- High security requirements. Here you can choose one-to-one mapping with Fortezza smart cards; the user only has to insert the smart card into the reader. With many clients, however, this becomes an administrative nightmare.
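The two mapping styles described above, as an added example that is not code from the article or from IIS: a one-to-one rule keyed on the certificate's issuer and serial number beside a many-to-one rule keyed on issuer, subject organization and issue date, with the server answering 403 when no rule matches. The certificate structure, rule classes, account names and sample certificates are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the fields of a parsed X.509 client certificate."""
    serial: str
    issuer: str
    subject_org: str
    not_before: date
    not_after: date

@dataclass(frozen=True)
class OneToOneRule:
    """One specific certificate (issuer + serial) maps to one Windows account."""
    issuer: str
    serial: str
    account: str

    def matches(self, cert):
        return cert.issuer == self.issuer and cert.serial == self.serial

@dataclass(frozen=True)
class ManyToOneRule:
    """Any certificate meeting these criteria maps to one shared Windows account."""
    issuer: str
    subject_org: str
    issued_after: date
    issued_before: date
    account: str

    def matches(self, cert):
        return (cert.issuer == self.issuer and cert.subject_org == self.subject_org
                and self.issued_after <= cert.not_before <= self.issued_before)

def map_certificate(cert, rules, today):
    """Return the mapped Windows account, or None (the server then answers 403)."""
    if not (cert.not_before <= today <= cert.not_after):
        return None                  # expired or not yet valid: never mapped
    for rule in rules:               # first matching rule wins, so list the
        if rule.matches(cert):       # specific one-to-one rules first
            return rule.account
    return None

def authorize(cert, rules, acl, today):
    """HTTP status: 200 if the mapped account is on the resource's ACL, else 403."""
    account = map_certificate(cert, rules, today)
    return 200 if account is not None and account in acl else 403

# Constructed mapping table with the two cases the article contrasts.
RULES = (
    OneToOneRule("XYZ Certificate", "ZXV345T4689AS234", r"CORP\vicky"),
    ManyToOneRule("XYZ Certificate", "ABC", date(2002, 3, 1), date(2002, 6, 1),
                  r"CORP\abc_partner"),
)
EMPLOYEE_INFO_ACL = (r"CORP\vicky", r"CORP\abc_partner")
TODAY = date(2002, 9, 1)
# Constructed client certificates: Vicky's own, an ABC partner's, one issued after
# the many-to-one window closed, and Vicky's renewed certificate (new serial).
VICKY = Cert("ZXV345T4689AS234", "XYZ Certificate", "Accounting", date(2002, 3, 15), date(2003, 3, 15))
PARTNER = Cert("7A1B", "XYZ Certificate", "ABC", date(2002, 4, 10), date(2003, 4, 10))
LATE = Cert("7A1C", "XYZ Certificate", "ABC", date(2002, 7, 1), date(2003, 7, 1))
RENEWED = Cert("9F00", "XYZ Certificate", "Accounting", date(2002, 8, 1), date(2003, 8, 1))
```

Vicky's renewed certificate is rejected until an administrator adds a new one-to-one mapping for its serial, which is exactly the maintenance cost the article attributes to one-to-one mapping; the partner's certificate needs no per-certificate entry at all.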
SSL and Digital Certificate Services (3)

Server certificates and certificate authorities

To enable the SSL security features of Internet Information Services, you must obtain and install a valid server certificate. A server certificate is a digital certificate containing information about your web server, the organization that verifies your server's web content, and your site's fully qualified domain name (FQDN). Like a conventional certificate, a server certificate lets users verify your server, check the validity of its web content and establish a secure connection. A digital certificate is assigned to a host by its FQDN, so the certificate is not tied to any IP address: you can change the host's IP address without affecting the certificate. For example, if the web site http://www.company.com has a certificate, it makes no difference whether the domain name points to IP address 192.168.110.123 or to IP address 123.110.168.192, and changing the site's IP address after the certificate has been issued and installed has no effect either.
The value of a server certificate depends on whether users trust the validity of the information it contains. Certificates are therefore usually issued by a trusted third-party organization called a certificate authority (CA). The CA's main responsibility is to confirm the identity of the organization that registers for a certificate, which assures the validity of the identifying information in the certificate. To do this, a CA must itself have a CA certificate. The CA certificate identifies the CA that issued the server certificate and confirms that the server has been verified. In this hierarchy there is inevitably a top layer, so who verifies the top CA's certificate? The CA at the top must sign its own certificate, because by definition there is no higher CA. A self-signed CA certificate is called a root certificate; the root certificate is a text file with a .CRT extension.

Alternatively, an organization can issue its own server certificates without having a CA sign them. For example, on a large company's internal network that handles employee salary and benefits information, the company can maintain its own certificate server and take responsibility for verifying the identity of requesters and issuing server certificates. For a browser to authenticate a server whose certificate was issued by a particular CA, the user's web browser must trust that CA. The root certificates of most common CAs are already installed in most web browsers. To see which CAs Microsoft Internet Explorer 5 trusts, follow these steps:

1. Open Microsoft Internet Explorer 5.
2. On the Tools menu, click Internet Options.
3. Select the Content tab.
4. In the Certificates section, click Authorities. The three tabs of the dialog list all the certificates known to this copy of Internet Explorer.
Each certificate contains information about the subject and the issuer, its start and expiry dates, and an encrypted fingerprint that other clients or servers use to identify the certificate. To view the information in a digital certificate, select it and click the View Certificate button. To add a new CA to the list of trusted authorities, you must explicitly add the CA's certificate, called a root certificate, to your web server. You can add a new root certificate to the server with Microsoft Internet Explorer version 4.0 or later, or with a command-line tool called iisca.exe.

Wildcard certificate mapping

Wildcard certificate mapping allows several hosts in the same domain or subdomain to use the same digital certificate. For example, with a wildcard certificate, a certificate can be issued for *.domain.com or domain.com so that it can serve sites such as http://www.domain.com and http://www2.domain.com. Remember that, in general, a certificate can only be issued for a single specified host, for example http://www.domain.com.
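Host-name matching against a certificate's common name, as an added example that is not code from the article or from any browser: a strict check in which `*` stands for exactly one DNS label and a single-host certificate covers only its own host, beside the looser suffix check under which a certificate for domain.com also covers www.domain.com and www2.domain.com. The function names and sample names are constructed for this example.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert_name, host, suffix_mode=False):
    """Does the certificate's common name cover this host?

    Strict mode: a leading '*' stands for exactly one label (never a bare
    '*.com'), and a plain name matches only itself.  Suffix mode is the looser
    check where a certificate for domain.com (or *.domain.com) also covers
    www.domain.com and www2.domain.com.
    """
    cert_labels = _labels(cert_name)
    host_labels = _labels(host)
    wildcard = cert_labels[0] == "*"
    if suffix_mode:
        base = cert_labels[1:] if wildcard else cert_labels
        # Compare whole labels, so evildomain.com never passes as domain.com.
        return len(host_labels) >= len(base) and host_labels[-len(base):] == base
    if wildcard:
        if len(cert_labels) < 3:          # refuse '*.com' style names
            return False
        return (len(host_labels) == len(cert_labels)
                and host_labels[1:] == cert_labels[1:])
    return host_labels == cert_labels


def check_site(cert_name, host, suffix_mode=False):
    """What the browser would report for this certificate/host pair."""
    if hostname_matches(cert_name, host, suffix_mode):
        return "ok"
    return "warning: the host name does not match the certificate"


if __name__ == "__main__":
    # Constructed names: the article's *.domain.com example plus a look-alike host.
    for name in ("*.domain.com", "domain.com", "www.domain.com"):
        for host in ("www.domain.com", "www2.domain.com", "evildomain.com"):
            print(f"{name:16} {host:16} {check_site(name, host)}")
```

A browser that does not implement the wildcard check behaves like the strict branch with the wildcard rejected, which is why a wildcard certificate produces a name-mismatch warning in such clients.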
The advantage of wildcard certificate mapping is that you need to buy only one certificate and can use it on several web sites, which is cheap and worthwhile. However, not all third-party CAs will issue a certificate that can be used on several hosts. Such a certificate has a common name such as *.domain.com or domain.com, and not all web browsers or web servers support it. When a Netscape client checks the host name in the certificate, it uses a suffix-matching procedure to see whether it matches; in the example given, any host ending in domain.com is accepted. Internet Explorer, however, does not implement wildcard certificate name checking, so Internet Explorer clients receive a warning that the host name does not match the certificate. In some cases wildcards do work in Internet Explorer 4.0 or later, but Microsoft states that Internet Explorer does not support wildcards, so there is no guarantee that wildcards will work with any Microsoft product.

SSL and Digital Certificate Services (4)
An organization that needs to issue certificates to customers or vendors has three options. First, it can create its own internal CA to meet its own security and availability needs. Second, it can outsource its CA needs to a third party such as VeriSign or Thawte. Third, it can set up a chained CA linked to a third-party CA, which lets the organization issue certificates to its end users while still benefiting from the security of the third-party CA. For example, a vendor may decide to issue certificates to its employees in offices in three different states, or a consultant may issue certificates to a company's suppliers to control access to the company's extranet. In such cases the organization can buy secure key management hardware from leading vendors such as BBN (GTE), Chrysalis or Atalla, or buy certificate authority software from Microsoft, Xcert or Nortel Entrust. These technologies let the organization issue certificates that include customer information at whatever level it needs. Unfortunately, most browsers do not recognize these certificates at first. Every browser that needs to verify a certificate issued by the organization's CA has to be modified to recognize the root key with which the organization signs its certificates. This means that every copy of Microsoft Internet Explorer, Microsoft Outlook and Netscape Communicator must have the organization's CA root key added, and it must be added before data signed with these certificates can be trusted. That is no problem in a small or controlled environment, but in an open, multi-platform environment such as the Internet it is impossible. A chained CA program lets a third-party CA transfer to the organization's CA all the trust associated with the third-party CA.
All software that trusts the digital certificates issued by the third-party CA will then immediately trust the certificates issued by the organization's CA.

Installing and configuring Certificate Services

The Certificate Services component is an add-on for Windows 2000 Server and ships on the Windows 2000 Server installation disc. It lets you create a custom service for issuing and managing X.509 version 3 digital certificates. You can create server certificates for the Internet or for your company's internal network, giving your organization full control over its own certificate management policy. A wizard guides the installation. Note that you will need to supply accurate information during the installation, so check the information you need before installing Certificate Services. To install the certificate authority server add-on with the typical setup options, follow these steps:

1. Insert the Windows 2000 Server CD-ROM into the drive and select Install Add-on Components.
2. The Windows Components Wizard prompts you to choose which components to install. Select the Certificate Services check box. A dialog immediately warns you that after Certificate Services is installed the computer cannot be renamed and cannot be added to or removed from a domain. Consider the following points before choosing Yes to continue:
   - After Certificate Services is installed you cannot change the computer's name without reinstalling Windows 2000, so make sure you are satisfied with the current name, or change it before you continue.
   - After Certificate Services is installed you cannot add the computer to a domain or remove it from a domain, so make sure you are satisfied with the current domain or subdomain name, or change it before you continue.
   - Before you continue, make sure the computer has been added to the appropriate domain.
3. Next, select the certificate authority type in the Windows Components Wizard. There are four types:
   - Enterprise root CA
   - Enterprise subordinate CA
   - Stand-alone root CA
   - Stand-alone subordinate CA

SSL and Digital Certificate Services (5)
The first CA on a network must be a root CA. To create an Enterprise CA, Active Directory must be available; a Stand-alone CA does not require Active Directory. You can choose a Stand-alone CA to implement certificate services on your LAN (see Figure 1). The certificate authority type determines not only how Certificate Services works on your server, but also how you will need to manage it.
4. Select CA Identifying Information in the Windows Components Wizard, enter the appropriate data and continue the installation (see Figure 2).
5. Select Data Storage Location in the Windows Components Wizard. I recommend using the default location. Click Next to continue.
6. If Internet Information Services is already installed and running on your computer, click Yes to continue; Microsoft Certificate Services will prompt you to stop Internet Information Services before the installation proceeds. The Windows Components Wizard then configures the component and copies the files to your machine; you can monitor progress in the installation progress bar.
7. When the Windows Components Wizard reports that the selected components have been configured, click Finish.

This article has discussed Certificate Services in Windows 2000 in detail. Remember to confirm all the required information before attempting to install Certificate Services.