Inside Windows Server 2003 [Electronic resources]

Addison Wesley


PKI Goals

The PKI services in Windows Server 2003 provide the underpinnings for applications that use cryptographic services. A properly designed PKI achieves the following goals:

  • Confidentiality. The privacy of user transactions is protected by encrypting data streams and messages.

  • Authentication. No transaction can be truly secure if the parties are completely unknown to each other. PKI provides a means for senders and recipients to validate each other's identities.

  • Integrity. Transactions can be marked in such a way that any tampering is immediately apparent. This protection extends to preventing replays and detecting de-sequenced messages or datagrams.

  • Non-Repudiation. It's one thing to authenticate the source of a message; it's quite another to keep the source from denying having sent the message. Digital signatures inextricably link senders to their messages.

A PKI uses standard elements to achieve these goals. Highly impenetrable encryption algorithms have been developed to achieve confidentiality.

Certificates provide a secure transport to exchange the cipher keys used by these encryption algorithms. Authentication and integrity are assured by using digital signatures consisting of encrypted hashes. Non-repudiation is assured by applying digital signatures in such a way that senders always leave a mark on their communications.
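The following is an added example, not taken from the book, of a signature built as an encrypted hash, and of how a receiver uses it to catch tampering, replays and de-sequenced messages. It uses textbook RSA with no padding and a constructed, non-secret demo key (production systems use a padding scheme and properly generated keys); the names `digest`, `sign` and `Receiver`, the sample messages and the sequence-number scheme are assumptions made for the illustration.

```python
import hashlib

# Constructed demo key: both primes are publicly known Mersenne primes, so this
# key protects nothing. Textbook RSA without padding, for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, known to every receiver
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the sender


def digest(seq, message):
    """SHA-256 over the sequence number and the message body, as an integer."""
    h = hashlib.sha256(seq.to_bytes(8, "big") + message).digest()
    return int.from_bytes(h, "big")


def sign(seq, message):
    """The signature is the hash transformed with the private key."""
    return pow(digest(seq, message), D, N)


class Receiver:
    """Checks each signature with the public key and tracks sequence numbers."""
    def __init__(self):
        self.next_seq = 0

    def accept(self, seq, message, signature):
        # Recover the signed hash and compare it with one computed locally.
        if pow(signature, E, N) != digest(seq, message):
            return "rejected: bad signature"
        if seq < self.next_seq:
            return "rejected: replay"
        if seq > self.next_seq:
            return "rejected: out of sequence"
        self.next_seq += 1
        return "accepted"


def demo():
    """Deliver constructed messages: genuine, altered, replayed, reordered."""
    rx = Receiver()
    msgs = [b"pay 100 to alice", b"pay 250 to bob", b"pay 75 to carol"]
    sigs = [sign(i, m) for i, m in enumerate(msgs)]
    return [
        rx.accept(0, msgs[0], sigs[0]),              # genuine
        rx.accept(0, b"pay 900 to alice", sigs[0]),  # body altered in transit
        rx.accept(0, msgs[0], sigs[0]),              # captured message resent
        rx.accept(2, msgs[2], sigs[2]),              # arrives ahead of message 1
        rx.accept(1, msgs[1], sigs[1]),              # genuine, in order
    ]
```

Because only the holder of `D` can produce a value that verifies under `(N, E)`, an accepted message also ties the sender to its content, which is the basis of the non-repudiation goal.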

Here are places to get additional information about the PKI components used in Windows Server 2003:

There are quite a few vendors who sell PKI products that you can use in place of, or in conjunction with, a Windows Server 2003 PKI. Here are the major vendors: