Security Technologies

Microsoft has many security technologies to serve various needs of users. They include:
  • Authenticode
  • CryptoAPI
  • Digital Certificates
  • Kerberos
  • SSL/TLS
  • Server Gated Cryptography
  • Smart Cards
  • Virtual Private Networks
To find out more on any of these technologies, please visit http://www.microsoft.com/security/ .

 

Microsoft® Authenticode™ technology, a security feature in Microsoft Internet Explorer, provides accountability and authenticity for software components downloaded from the Internet. Authenticode verifies that the software has not been tampered with since it was signed and identifies the publisher who signed it; it does not vouch for what the code does, so a valid signature is a statement of origin and integrity, not of safety. Users can decide on a case-by-case basis what code to download, based on their experience with and trust in a software publisher. By signing their code, developers can build an increasingly trusting relationship with their users.

Security features
 
  • Digital signatures computed over a cryptographic hash of the file (the 128-bit figure describes the hash digest, not the key; the strength of the signature itself depends on the publisher's RSA key length)
  • Signed data in the industry-standard PKCS #7 format; certificate requests in the PKCS #10 format
  • Supports X.509 version 3 digital certificates
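As an added example (not code from the original page), the following PowerShell function verifies a file's Authenticode signature and separates the two questions the text raises: was the file altered, and who signed it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the file paths at the bottom are arbitrary illustrations.

```powershell
# Added example (not from the original page): verify an Authenticode signature
# with PowerShell and spell out what a "Valid" result does and does not prove.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the paths used at the
# bottom are arbitrary illustrations, not files the page refers to.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-AuthenticodeFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $reasons  = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    # Status covers both checks the text describes: HashMismatch means the file was
    # altered after signing; NotTrusted/UnknownError mean the signer does not chain
    # to a trusted root. Only 'Valid' means both passed.
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("status $($sig.Status): $($sig.StatusMessage)")
    }

    $signer = $sig.SignerCertificate
    if ($null -eq $signer) {
        $reasons.Add('no signer certificate')
    }
    else {
        # Refuse certificates issued for TLS or e-mail: the signer must carry the
        # Code Signing extended key usage.
        $eku = $signer.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasCodeSigning = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $CodeSigningEku)
        if (-not $hasCodeSigning) { $reasons.Add('signer certificate lacks the Code Signing EKU') }

        # Without a countersignature the signature stops validating when the signer
        # certificate expires; flag it, but it is not a tampering indicator.
        if ($null -eq $sig.TimeStamperCertificate) { $warnings.Add('not timestamped') }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType          # Authenticode (embedded) or Catalog
        Publisher     = if ($signer) { $signer.Subject } else { $null }
        Thumbprint    = if ($signer) { $signer.Thumbprint } else { $null }
        # True means "unaltered, from this publisher, trusted by this machine";
        # it says nothing about what the code does when run.
        Verified      = ($reasons.Count -eq 0)
        Reasons       = ($reasons -join '; ')
        Warnings      = ($warnings -join '; ')
    }
}

# A signed OS binary, then a throw-away unsigned script.
Test-AuthenticodeFile -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
$tmp = Join-Path $env:TEMP 'unsigned-example.ps1'
Set-Content -Path $tmp -Value 'Write-Output "hello"'
Test-AuthenticodeFile -Path $tmp | Format-List     # Status NotSigned, Verified False
Remove-Item $tmp
```

On current Windows most OS binaries are catalog-signed rather than carrying an embedded signature, which is why the function reports SignatureType; either way the publisher is identified by the signer certificate's subject and thumbprint, and that thumbprint, not the friendly name, is what an allow-list should pin.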

CryptoAPI is an application programming interface (API) that is provided as part of Microsoft® Windows® 95, 98 and Windows NT®. It provides a standard framework that programs can use to obtain cryptographic and digital certificate services without implementing the algorithms themselves. In addition to the standard services that are provided natively by Windows NT, third-party vendors can develop and market their own Cryptographic Service Providers (CSPs), plug-in modules that implement additional algorithms or keep keys on hardware such as smart cards; an application selects a CSP by name or type and calls the same API regardless of which provider does the work. CryptoAPI is currently undergoing FIPS 140-1 evaluation and certification by the U.S. National Institute of Standards and Technology.

Security Features
 
  • Support for public-key and shared-secret key cryptographic algorithms.
  • Support for certificate handling services.
  • Fully based on industry standards, including cryptographic standards from IETF (PKIX, S/MIME), PKCS, X.509, etc.
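As an added example (not code from the original page), the following PowerShell script drives CryptoAPI through its .NET wrapper: it selects a CSP by type and name, generates a key in a named container, signs data, verifies the signature, and shows that a one-bit change in the data fails verification. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the container name and message are example values.

```powershell
# Added example (not from the original page): use a named Cryptographic Service
# Provider through CryptoAPI's .NET wrapper to create a key, sign data, verify it,
# and detect tampering. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.
# The container name and message are example values.
using namespace System.Security.Cryptography

function Invoke-CspSigningDemo {
    param(
        # PROV_RSA_AES (type 24) is the CryptoAPI provider type that supports SHA-2.
        [string]$ProviderName = 'Microsoft Enhanced RSA and AES Cryptographic Provider',
        [int]$ProviderType = 24,
        [string]$Message = 'example message to sign'
    )

    # CspParameters selects which plug-in provider (CSP) does the work; naming a
    # smart card CSP here changes where the key lives, not the calling code.
    $csp = [CspParameters]::new($ProviderType, $ProviderName, 'ExampleSigningContainer')
    $rsa = [RSACryptoServiceProvider]::new(2048, $csp)
    $rsa.PersistKeyInCsp = $false          # delete the key container on Dispose()

    $info = $rsa.CspKeyContainerInfo
    $data = [Text.Encoding]::UTF8.GetBytes($Message)
    $signature = $rsa.SignData($data, 'SHA256')       # PKCS#1 v1.5 signature over SHA-256

    # Verification must use the same hash; a single flipped bit in the data fails.
    $tampered = [byte[]]$data.Clone()
    $tampered[0] = $tampered[0] -bxor 1

    $result = [pscustomobject]@{
        Provider         = $info.ProviderName
        HardwareBacked   = $info.HardwareDevice     # True for smart card / HSM CSPs
        Exportable       = $info.Exportable
        SignatureBytes   = $signature.Length        # 256 for a 2048-bit key
        VerifiesOriginal = $rsa.VerifyData($data, 'SHA256', $signature)
        VerifiesTampered = $rsa.VerifyData($tampered, 'SHA256', $signature)
    }
    $rsa.Dispose()
    $result
}

Invoke-CspSigningDemo | Format-List
```

The same function called with the name of a smart card CSP reports HardwareBacked as True and Exportable as False, which is the practical meaning of the plug-in model: the application code is unchanged while the private key moves out of software.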

Digital Certificates. A digital certificate is a means of binding the details about an individual or organization to a public key. A digital certificate serves two purposes. First, it provides a public key that allows another party to encrypt information for the certificate's owner, or to verify the owner's digital signatures. Second, it provides a measure of proof that the holder of the certificate is who they claim to be: the CA has checked that identity before signing, so a relying party who verifies the CA's signature knows that whoever can decrypt information encrypted under the certified key, or sign with it, is the named holder, because only the holder has the matching private key. Certificates are issued by trusted third parties known as Certification Authorities (CA), using the industry-standard X.509 version 3 format. The CA digitally signs the certificate using its own private key, thereby protecting the certificate against tampering and vouching for the holder's identity. That assurance is only as good as the CA's own checks and the secrecy of the holder's private key, which is why certificates carry a validity period and CAs publish revocation lists for keys that have been compromised.

Microsoft uses industry-standard X.509 version 3 digital certificates in products like Microsoft® Windows NT®, Microsoft Internet Explorer, and Microsoft Internet Information Server, that use public-key cryptography for either encryption or authentication. Microsoft's implementation of security technologies such as Authenticode, CryptoAPI, and SSL/TLS also use X.509 version 3 digital certificates.
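As an added example (not code from the original page), the following PowerShell script builds a private test CA and a leaf certificate in memory, then runs both through the Windows certificate chain engine to show what the CA's signature establishes and what it does not. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7, on Windows; the names and lifetimes are example values.

```powershell
# Added example (not from the original page): build a private test CA and a
# leaf certificate in memory, then use the Windows chain engine to show what a
# CA signature does and does not establish. Assumes Windows PowerShell 5.1 with
# .NET Framework 4.7.2+ (or PowerShell 7) on Windows; all names are example values.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-TestChain {
    $now   = [DateTimeOffset]::UtcNow
    $caKey = [RSACng]::new(2048)
    $caReq = [CertificateRequest]::new('CN=Example Test CA', $caKey,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # X.509 v3 extensions: mark the issuer as a CA that may sign certificates.
    $caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $caReq.CertificateExtensions.Add([X509KeyUsageExtension]::new(
        [X509KeyUsageFlags]::KeyCertSign -bor [X509KeyUsageFlags]::CrlSign, $true))
    $ca = $caReq.CreateSelfSigned($now.AddDays(-1), $now.AddYears(5))

    # The leaf binds a subject name to a *different* public key; the CA signs that binding.
    $leafKey = [RSACng]::new(2048)
    $leafReq = [CertificateRequest]::new('CN=www.example.test', $leafKey,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $leafReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
    $serial = [byte[]]::new(16)
    [RandomNumberGenerator]::Create().GetBytes($serial)
    $serial[0] = $serial[0] -band 0x7F                    # keep the serial positive
    $leaf = $leafReq.Create($ca, $now.AddDays(-1), $now.AddYears(1), $serial)
    [pscustomobject]@{ CA = $ca; Leaf = $leaf }
}

function Get-ChainVerdict {
    param([X509Certificate2]$Certificate, [X509Certificate2]$Issuer)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # offline test CA, no CRL
    $chain.ChainPolicy.ExtraStore.Add($Issuer) | Out-Null               # make the issuer findable
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Issuer  = $Certificate.Issuer
        Built   = $built
        Status  = (($chain.ChainStatus.Status | ForEach-Object { "$_" }) -join ', ')
    }
}

$pair = New-TestChain

# 1. Intact leaf: the CA signature verifies, but Build() still returns False with
#    UntrustedRoot because the test CA is not in this machine's trusted root store.
#    Trust is a policy decision layered on top of a valid signature.
Get-ChainVerdict -Certificate $pair.Leaf -Issuer $pair.CA

# 2. Tampered leaf: flip the last byte (inside the CA's signature value) and the
#    chain engine reports NotSignatureValid, the tamper protection the text describes.
$raw = $pair.Leaf.RawData.Clone()
$raw[-1] = $raw[-1] -bxor 0x01
$forged = [X509Certificate2]::new([byte[]]$raw)
Get-ChainVerdict -Certificate $forged -Issuer $pair.CA
```

On PowerShell 7.1 or later (.NET 5+) the first verdict can be turned into a trusted chain without touching the machine's root store by setting `$chain.ChainPolicy.TrustMode` to CustomRootTrust and adding the test CA to `$chain.ChainPolicy.CustomTrustStore`; the second verdict stays NotSignatureValid whatever is trusted, because no trust decision can repair a broken signature.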

Kerberos Authentication Protocol. Kerberos is an industry-standard authentication protocol that provides strong security while scaling well, in part because application servers never see the user's password. At the heart of the protocol is a trusted server called a Key Distribution Center (KDC). When the user logs onto the network, the KDC verifies the user's identity and issues a ticket-granting ticket; the client then presents that ticket to the KDC to obtain credentials called "tickets", one for each network service that the user wants to use. Each ticket is encrypted under the service's own key, introduces the user to the appropriate service, and optionally carries information that indicates the user's privileges for the service.

The Kerberos protocol is the primary authentication mechanism in the Microsoft® Windows NT® 5.0 operating system. In addition, Microsoft's implementation uses the protocol's public-key pre-authentication extension (PKINIT) so that a smart card, rather than a password, can be used during network logon: the user proves identity to the KDC with the private key and certificate held on the card. This provides the twin advantages of strengthening the authentication process and providing seamless entry into the Windows NT public key infrastructure. Microsoft's implementation of Kerberos follows the Version 5 standard (RFC 1510) and interoperates with other standard-compliant implementations; the privilege information that Windows tickets carry is Microsoft authorization data, which non-Windows services can ignore.
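As an added example (not code from the original page), the following PowerShell script parses the output of `klist.exe`, the Windows ticket-cache tool, into objects so that the "one ticket per service" structure is visible, and flags tickets whose encryption type is weak. The sample output embedded in the script is constructed for the example (realm, host names and times are invented); in real use the live output is piped in with `klist | ConvertFrom-Klist`. It assumes Windows PowerShell 5.1 or PowerShell 7 on a domain-joined Windows host.

```powershell
# Added example (not from the original page): parse klist.exe output into objects
# and flag tickets with weak encryption types. The sample below is constructed for
# the example; for real data use: klist | ConvertFrom-Klist | Find-WeakKerberosTicket
# Assumes Windows PowerShell 5.1 or PowerShell 7 on a domain-joined Windows host.
$SampleKlist = @'
Current LogonId is 0:0x3e4a1

Cached Tickets: (3)

#0>     Client: alice @ CORP.EXAMPLE.TEST
        Server: krbtgt/CORP.EXAMPLE.TEST @ CORP.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/4/2024 8:01:12 (local)
        End Time:   3/4/2024 18:01:12 (local)
        Renew Time: 3/11/2024 8:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example.test

#1>     Client: alice @ CORP.EXAMPLE.TEST
        Server: cifs/fs01.corp.example.test @ CORP.EXAMPLE.TEST
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/4/2024 8:02:40 (local)
        End Time:   3/4/2024 18:01:12 (local)
        Renew Time: 3/11/2024 8:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC01.corp.example.test

#2>     Client: alice @ CORP.EXAMPLE.TEST
        Server: MSSQLSvc/legacy01.corp.example.test:1433 @ CORP.EXAMPLE.TEST
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/4/2024 8:05:03 (local)
        End Time:   3/4/2024 18:01:12 (local)
        Renew Time: 3/11/2024 8:01:12 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: DC01.corp.example.test
'@

function ConvertFrom-Klist {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$InputObject)
    begin   { $lines = [System.Collections.Generic.List[string]]::new() }
    process { foreach ($l in $InputObject) { $lines.AddRange([string[]]($l -split "`r?`n")) } }
    end {
        $ticket = $null
        foreach ($line in $lines) {
            # "#n>     Client: ..." opens a new ticket record.
            if ($line -match '^#(?<n>\d+)>\s*Client:\s*(?<client>.+)$') {
                if ($null -ne $ticket) { [pscustomobject]$ticket }
                $ticket = [ordered]@{ Index = [int]$Matches.n; Client = $Matches.client.Trim() }
            }
            # "Ticket Flags 0x... -> name name" has no colon, so handle it separately.
            elseif (($null -ne $ticket) -and $line -match '^\s*Ticket Flags\s+(?<hex>0x[0-9a-fA-F]+)\s*->\s*(?<names>.*)$') {
                $ticket.Flags = ($Matches.names.Trim() -split '\s+')
            }
            # Every other "Key: value" line becomes a property (spaces removed from the key).
            elseif (($null -ne $ticket) -and $line -match '^\s*(?<key>[A-Za-z ]+?)\s*:\s*(?<val>.*)$') {
                $ticket[($Matches.key -replace '\s', '')] = $Matches.val.Trim()
            }
        }
        if ($null -ne $ticket) { [pscustomobject]$ticket }
    }
}

function Find-WeakKerberosTicket {
    param([Parameter(ValueFromPipeline)]$Ticket)
    process {
        # An RC4-HMAC or DES ticket is encrypted under the service account's NT hash
        # (or a DES key), which is what offline ticket cracking targets.
        if ($Ticket.KerbTicketEncryptionType -match 'RC4|DES') {
            [pscustomobject]@{
                Service        = $Ticket.Server
                EncryptionType = $Ticket.KerbTicketEncryptionType
                Advice         = 'enable AES on the service account (msDS-SupportedEncryptionTypes) and reset its password'
            }
        }
    }
}

$tickets = $SampleKlist | ConvertFrom-Klist
# One entry per service principal: the TGT (krbtgt), then a ticket for each service used.
$tickets | Select-Object Index, Server, KerbTicketEncryptionType, Flags | Format-Table -AutoSize
$tickets | Find-WeakKerberosTicket
```

A ticket for a service that is not yet in the cache can be requested explicitly with `klist get <service principal>`, which is a convenient way to see the KDC issue a fresh service ticket and to check which encryption type that service's account negotiates.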

Secure Sockets Layer/Transport Layer Security. Secure Sockets Layer (SSL) is a protocol designed to provide privacy and integrity between a web client and a web server. The protocol begins with a handshake phase that negotiates an encryption algorithm and keys and authenticates the server to the client, by having the server present its certificate and prove possession of the corresponding private key. (There is an option under the protocol to also authenticate the client to the server with a client certificate.) Once the handshake is complete and transmission of application data begins, all data is encrypted and integrity-protected using the session keys negotiated during the handshake, so an attacker on the path can neither read it nor silently alter it. SSL 3.0 was submitted to the Internet Engineering Task Force (IETF) and became the basis of the Transport Layer Security (TLS) protocol, published as RFC 2246 (TLS 1.0) in January 1999.

SSL/TLS is implemented in Microsoft® Internet Explorer and Microsoft Internet Information Server, and allows customers to establish secure World Wide Web sessions. Microsoft's implementation is fully compliant with the standard protocol, and interoperates with any other compliant implementation. Due to US Government regulations, Microsoft products shipped outside of North America are shipped with a version of SSL/TLS that uses 40-bit keys; products sold within North America are shipped with a 128-bit version.
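As an added example (not code from the original page), the following PowerShell function performs a TLS handshake with SslStream and reports what the handshake negotiated: protocol version, cipher and its key length (the figure the 40-bit/128-bit distinction above refers to), key exchange, whether the server was authenticated, and whether a client certificate was used. It needs outbound network access; the hostname is a parameter whose default is an example, and it assumes Windows PowerShell 5.1 on .NET Framework 4.7 or later, or PowerShell 7.

```powershell
# Added example (not from the original page): run a TLS handshake with SslStream
# and report what was negotiated and whether the server was authenticated. Needs
# outbound network access; the hostname is a parameter, the default is an example.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.7+ or PowerShell 7.
using namespace System.Net.Security
using namespace System.Net.Sockets
using namespace System.Security.Authentication
using namespace System.Security.Cryptography.X509Certificates

function Test-TlsHandshake {
    param([string]$HostName = 'www.microsoft.com', [int]$Port = 443)

    # Server authentication happens in this callback. The chain engine hands us the
    # server's certificate chain plus any policy errors (untrusted root, name
    # mismatch, ...). Record them and refuse on any error; a callback that simply
    # returns $true would accept any certificate and defeat the handshake's purpose.
    $state = @{ Errors = [SslPolicyErrors]::None }
    $validate = [RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $sslErrors)
        $state.Errors = $sslErrors
        return ($sslErrors -eq [SslPolicyErrors]::None)
    }.GetNewClosure())

    $tcp = [TcpClient]::new($HostName, $Port)
    $ssl = [SslStream]::new($tcp.GetStream(), $false, $validate)
    try {
        # Handshake: SslProtocols.None lets the OS offer its current default versions;
        # the server picks the cipher suite from what both sides support.
        $ssl.AuthenticateAsClient($HostName, $null, [SslProtocols]::None, $true)
        $server = [X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host                  = $HostName
            Protocol              = $ssl.SslProtocol
            Cipher                = $ssl.CipherAlgorithm
            CipherStrengthBits    = $ssl.CipherStrength       # compare the 40/128-bit split above
            KeyExchange           = $ssl.KeyExchangeAlgorithm
            Hash                  = $ssl.HashAlgorithm
            ServerSubject         = $server.Subject
            ServerExpires         = $server.NotAfter
            PolicyErrors          = $state.Errors
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated   # True only if a client cert was used
        }
    }
    catch [AuthenticationException] {
        # Thrown when the callback rejects the server: no session keys, no data sent.
        [pscustomobject]@{ Host = $HostName; Error = $_.Exception.Message; PolicyErrors = $state.Errors }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Test-TlsHandshake | Format-List
```

Pointing the function at an internal server with a self-signed or expired certificate exercises the failure branch: PolicyErrors shows why the chain was rejected and the handshake never reaches the encrypted phase, which is the behaviour an application should preserve rather than override with an always-true callback.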

Server Gated Cryptography (SGC) is provided as part of the Microsoft® Windows 95, 98 and Windows NT® operating systems, and provides strong 128-bit cryptography for online banking and other approved uses. United States export law normally prohibits the export of strong cryptographic products; however, an exportable (40-bit) client only steps an SSL session up to 128-bit encryption when the server presents a special SGC certificate, which approved Certification Authorities issue only to banks and other approved organizations. Because the strong cryptography is thereby restricted to approved purposes, SGC can legally be exported and used worldwide.

Security features
 
  • Strong 128-bit encryption to protect your online banking sessions.
  • Interoperates with all leading vendors' implementation of SGC.

Smart Cards. A smart card is a credit card-sized device that has an embedded microprocessor, a small amount of memory, and an interface that allows it to communicate with a workstation or network. Two characteristics make smart cards especially well-suited for applications in which security-sensitive or personal data is involved. First, because a smart card has both the data and the means to process it, the onboard processor can service requests from the network and return the results without divulging the sensitive data. For example, a smart card could be used to digitally sign data without divulging the user's private key, which never leaves the card. Second, because smart cards are portable, the user can carry the data with them on the smart card rather than entrusting it to network storage. An example of this scenario is using a smart card to carry personal information about the user such as medical records or digital certificates.

Microsoft® Windows NT® 4.0, Windows® 95 and Windows 98 all support smart cards and smart card readers based on specifications established by the Personal Computer Smart Card (PC/SC) Workgroup, an industry group of leading PC and smart card companies. Smart card solutions that are Windows-compatible can be used with Internet Explorer to authenticate the user to a secure (SSL/TLS) connection with a client certificate, and with Outlook Express or Outlook 98 for sending and receiving secure email. In Windows NT 5.0, smart cards can be used to log on to a network using an X.509 version 3 certificate stored on the smart card.
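As an added example (not code from the original page), the following PowerShell function lists the current user's certificates that have private keys and reports where each key actually lives, so that a credential intended for smart card logon can be confirmed to be on the card and non-exportable, which is the property the text relies on. It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) or PowerShell 7 on Windows; opening a smart card key may prompt for the card. The provider names it matches are Microsoft's documented defaults, so a vendor provider is reported by name but not classified as hardware.

```powershell
# Added example (not from the original page): report where each certificate's
# private key lives (CSP or key storage provider, hardware or not, exportable or
# not) and whether the certificate is a smart card logon credential.
# Assumes Windows PowerShell 5.1 (.NET 4.6+) or PowerShell 7 on Windows; opening a
# smart card key may prompt for the card. The provider-name match below covers
# Microsoft's own smart card and TPM providers only (an assumption of this example).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU

function Get-PrivateKeyLocation {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        if (-not $Certificate.HasPrivateKey) { return }
        $provider = $null; $onHardware = $null; $exportable = $null
        try {
            $key = [RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            if ($key -is [RSACng]) {
                # CNG key: the Key Storage Provider name tells us whether a smart card
                # (or TPM) holds the key, and the export policy whether it can ever leave.
                $provider   = $key.Key.Provider.Provider
                $onHardware = [bool]($provider -match 'Smart Card|Platform Crypto')
                $exportable = [bool]($key.Key.ExportPolicy -band [CngExportPolicies]::AllowExport)
            }
            elseif ($key -is [RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: the CSP reports hardware residence directly.
                $info       = $key.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $onHardware = $info.HardwareDevice
                $exportable = $info.Exportable
            }
        }
        catch { $provider = "unavailable: $($_.Exception.Message)" }

        $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $forLogon = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $SmartCardLogonEku)

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            SmartCardLogon = $forLogon
            Provider       = $provider
            OnHardware     = $onHardware
            Exportable     = $exportable
            # A logon credential that is exportable or software-only loses both
            # advantages the text describes: it can be copied, and it works without the card.
            Concern        = if ($forLogon -and ($exportable -or -not $onHardware)) { 'logon key not bound to hardware' } else { $null }
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Get-PrivateKeyLocation | Format-Table -AutoSize
```

The Provider column is the same CSP or key storage provider name that CryptoAPI applications select; a certificate whose key sits in "Microsoft Smart Card Key Storage Provider" or a vendor's smart card CSP is the case the text describes, where signing happens on the card and the private key is never handed to the workstation.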

Smart Cards for Windows
On October 27th, 1998, Microsoft announced Smart Cards for Windows, an operating system for smart cards with 8K of ROM. It is a low-cost, easy-to-program platform that runs Visual Basic applications, and is designed to extend the PC environment into smart card use. Smart Cards for Windows uses the same development tools--Microsoft Visual C++ and Visual Basic--that millions of independent software vendors (ISVs) and in-house corporate developers use. Additionally, because Smart Cards for Windows is part of the PC/SC program that has already become part of Windows NT logon capabilities, smart cards based on Smart Cards for Windows will be able to be read by any certified NT card reader.

Security features
 
  • Tamper-resistant storage for protecting private keys and other forms of personal information.
  • Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a "need to know."
  • Portability of credentials and other private information between computers at work, home, or on the road.

Virtual Private Networks. Until recently, companies that needed to share data with traveling users or outside networks had two choices: they could either let their company secrets travel across an unprotected medium like the Internet and hope that nobody was watching, or they could buy or lease their own dedicated, protected communications lines and create a so-called private network. A better solution is to create a Virtual Private Network (VPN). In a VPN, data travels over public networks, usually the Internet; the addressing information needed to route the packets between the user and the corporate network is exposed to the public medium, but the payload is encrypted inside the tunnel, with the strength of that protection depending on the tunneling protocol and authentication method chosen.

There are three primary protocols for creating VPNs:
 
  • Point-to-Point Tunneling Protocol (PPTP), the most popular tunneling protocol today. PPTP is provided as part of the Remote Access Service (RAS) in Microsoft® Windows NT® 4.0 and Windows® 2000 operating systems. It carries ordinary Point to Point Protocol (PPP) frames inside a GRE tunnel, so it reuses the existing Windows PPP user-authentication and configuration infrastructure; the tunnel's encryption keys (MPPE) are derived from the PPP authentication exchange, which means the tunnel is only as strong as the user's password and the CHAP variant in use. Firewalls in the path must pass GRE (IP protocol 47) as well as the TCP port 1723 control connection.
  • Layer 2 Tunneling Protocol (L2TP), a proposed Internet Engineering Task Force (IETF) standard protocol that, like PPTP, tunnels PPP and therefore reuses PPP's user-authentication methods, but can operate over a wider variety of communications media than PPTP because it is not tied to IP. It is worth noting that L2TP itself provides no encryption; for confidentiality it must be paired with IPSec. L2TP will be provided in RAS beginning with Windows 2000.
  • IPSec, an IETF standard protocol suite that provides encryption, per-packet integrity protection and computer, but not user, authentication; the two machines authenticate each other during key negotiation with certificates (public-key technology) or a pre-shared key. The chief advantages of IPSec are that it can be used to establish a VPN automatically in conformance with a corporate security policy, and it can be used to establish a VPN based on the machines, rather than the users, involved. IPSec is provided beginning with Windows 2000.
Only two combinations of these protocols can be used to provide a secure VPN:
 
  • PPTP can provide a secure VPN by itself, using MPPE for encryption. PPTP meets the security needs of most companies, and can offer a less expensive and less complex management environment, but because its keys derive from the user's password it should be deployed only with strong passwords and the MS-CHAP v2 authentication method; the published 1998 cryptanalysis of MS-CHAP v1 is what prompted v2.
  • L2TP with IPSec can be used together to provide a secure VPN. L2TP+IPSEC meets the needs of companies that have advanced security requirements, such as machine authentication with certificates and per-packet integrity protection, although it can require a more expensive and complex management environment.
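As an added example (not code from the original page), the following PowerShell script shows a weak VPN client profile beside a corrected one, using the VpnClient cmdlets (Windows 8 / Server 2012 and later), and an audit function that applies the rules from the list above to `Get-VpnConnection` output. The server name is an example value, and the sample profiles fed to the audit are constructed inline so the check runs without a real VPN server; the function that creates real profiles is defined but not called.

```powershell
# Added example (not from the original page): a weak VPN client profile beside a
# corrected one, plus an audit of existing profiles against the rules in the text.
# Assumes the VpnClient module (Windows 8 / Server 2012 and later). The server name
# is an example value; the sample profiles are constructed for this example.
$VpnServer = 'vpn.corp.example.test'

function Find-WeakVpnProfile {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)]$Connection)
    process {
        $findings = @()
        switch ($Connection.TunnelType) {
            'Pptp' {
                # MPPE keys derive from the PPP password exchange: strength rests on
                # the password and the CHAP variant alone.
                $findings += 'PPTP: tunnel keys derived from the user password (MS-CHAP)'
            }
            'L2tp' {
                # L2TP provides no encryption by itself; unless IPsec is mandatory the
                # PPP frames can cross the Internet in clear.
                if ($Connection.EncryptionLevel -in 'NoEncryption', 'Optional') {
                    $findings += 'L2TP without mandatory IPsec encryption'
                }
            }
        }
        if (($Connection.AuthenticationMethod -contains 'Pap') -or ($Connection.AuthenticationMethod -contains 'Chap')) {
            $findings += 'PAP/CHAP user authentication'
        }
        if ($Connection.EncryptionLevel -notin 'Required', 'Maximum') {
            $findings += "EncryptionLevel is $($Connection.EncryptionLevel)"
        }
        [pscustomobject]@{
            Name       = $Connection.Name
            Tunnel     = $Connection.TunnelType
            Encryption = $Connection.EncryptionLevel
            Auth       = ($Connection.AuthenticationMethod -join ',')
            Weak       = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

function New-ExampleVpnProfiles {
    # Weak: PPTP, encryption merely optional. Keys come from the MS-CHAP exchange.
    Add-VpnConnection -Name 'Legacy-PPTP' -ServerAddress $VpnServer -TunnelType Pptp `
        -EncryptionLevel Optional -AuthenticationMethod MSChapv2 -Force
    # Corrected: L2TP over IPsec. With no -L2tpPsk the IPsec peers authenticate with
    # machine certificates; EncryptionLevel Required refuses an unencrypted tunnel;
    # EAP carries the user authentication inside the protected PPP session.
    Add-VpnConnection -Name 'L2TP-IPsec' -ServerAddress $VpnServer -TunnelType L2tp `
        -EncryptionLevel Required -AuthenticationMethod Eap -Force
}

# Constructed sample profiles shaped like Get-VpnConnection output (no server needed).
$samples = @(
    [pscustomobject]@{ Name = 'Legacy-PPTP';  TunnelType = 'Pptp'; EncryptionLevel = 'Optional';     AuthenticationMethod = @('MsChapv2') }
    [pscustomobject]@{ Name = 'L2TP-NoIPsec'; TunnelType = 'L2tp'; EncryptionLevel = 'NoEncryption'; AuthenticationMethod = @('Chap') }
    [pscustomobject]@{ Name = 'L2TP-IPsec';   TunnelType = 'L2tp'; EncryptionLevel = 'Required';     AuthenticationMethod = @('Eap') }
)
$samples | Find-WeakVpnProfile | Format-Table -AutoSize

# Against the real phonebook: Get-VpnConnection | Find-WeakVpnProfile
```

Running `New-ExampleVpnProfiles` adds both profiles to the current user's phonebook (remove them with `Remove-VpnConnection -Name ... -Force`); piping `Get-VpnConnection` into the audit then reports the PPTP profile as weak and the L2TP/IPsec profile as clean, matching the two combinations the text describes.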
To find out more on these technologies, please visit http://www.microsoft.com/security/ .

 

© 1999 Microsoft Corporation. All rights reserved. Terms of Use.