CA Name: Lucerne Publishing Root CA CA Validity Period: 20 Years in .NET framework

Drawer QR Code in .NET framework CA Name: Lucerne Publishing Root CA CA Validity Period: 20 Years

Figure 14-5

Lucerne Publishing is planning to deploy encryption certificates that will require key archival at a Windows Server 2003 enterprise CA. Applications that could be considered for key archival include the Encrypting File System (EFS) and Secure Email using Secure/Multipurpose Internet Mail Extensions (S/MIME). The following design requirements have been identified for encryption certificates:

Key recovery must be possible for both a centralized key recovery agent and a regional key recovery agent. The centralized key recovery agent certificate and private key will be located at the corporate office in Chicago, Illinois, USA. The regional key recovery agent certificates will be located at the major network hub site for that specific region. The regional hub sites are:

Common Criteria role separation is enforced at all issuing CAs. All key recovery operations must involve at least two persons.

1. At what CAs in the CA hierarchy must you enable key archival How many key recovery agents must be defined at each CA 2. What operating system must be installed on the issuing CAs to allow key archival 3. Can you combine the key recovery agent role with the roles of CA administrator, certificate manager, auditor or backup operator Why or why not 4. What Common Criteria role is blocked from being a key recovery agent due to the design requirements 5. What certificate template must be available to allow secure transmission of the requestor s private key to the issuing CA 6. What certutil command is used by a certificate manager to extract the encrypted BLOB from the CA database 7. What certutil command is used by a key recovery agent to decrypt the PKCS #12 file within the encrypted BLOB file 8. What risk is there to allowing the key recovery agent to send the PKCS #12 file and password to the user in the same e-mail message 9. What risk is there to archiving a certificate template with the purpose of Signature and Encryption

Microsoft Official Curriculum, Course 2821: Designing and Managing a Windows Public Key Infrastructure (www.microsoft.com/traincert/syllabi/2821afinal.asp) Key Archival and Management in Windows Server 2003 (www.microsoft.com /technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx) Implementing and Administering Certificate Templates in Windows Server 2003 (http://www.microsoft.com/technet/prodtechnol/windowsserver2003 /technologies/security/ws03crtm.mspx)

15

Many organizations are implementing two-factor authentication solutions to increase network security. Two-factor authentication increases security by requiring something you have, a smart card or other device with a smart card chip, such as a USB token, and something you know, such as the personal identification number (PIN) for the smart card or USB token. To use smart card authentication, an organization must deploy the related hardware and software to each desktop.

Hardware. A smart card reader, as well as a smart card that is on the Microsoft Windows hardware compatibility list or includes drivers for Windows 2000, Windows XP, or Windows Server 2003 clients on your network. Alternatively, a USB token, which is a combination USB reader and card, can be used. Software. A smart card cryptographic service provider (CSP) that allows the Microsoft cryptographic application programming interface (CryptoAPI) to interact with the smart card.

Note The Windows operating system ships with default CSPs manufactured by GemPlus, Infineon, and Schlumberger. The default CSPs do not work with all versions of smart cards by these manufacturers, however. You must determine whether updated CSPs are needed for the smart cards selected by your organization.

Both Windows 2000 and Windows 2003 Active Directory environments support smart card authentication, which is an extension to Kerberos authentication. This means that only Windows 2000, Windows XP, and Windows Server 2003 client computers can be used with smart cards in an Active Directory environment.

Smart cards allow Kerberos authentication through Public Key Initialization (PKINIT) extensions to the Kerberos protocol. PKINIT extensions allow a public/private key pair to be used to authenticate users when they log on to the network.