PKI Enhancements in Windows

Windows has included strong, platform-wide support for public key infrastructure (PKI) since the release of Windows 2000. That release included the first native certificate-authority capability, introduced auto-enrollment, and provided support for smart-card authentication. In Windows XP and Windows Server 2003, those capabilities were expanded to provide more flexible enrollment options with version 2 certificate templates and support for auto-enrollment of user certificates. In Windows Vista® and Windows Server® 2008 (formerly code-named “Longhorn”), the Windows® PKI platform takes the next step with support for advanced algorithms, real-time validity checking, and better manageability. Column in TechNet Magazine discusses the new PKI features in Windows Vista and Windows Server 2008 and how they can be utilized by enterprises to lower costs and increase security.

Interesting reading: Security Watch: PKI Enhancements in Windows — TechNet Magazine, August 2007. It says:

CNG is a new core cryptography interface for Microsoft and is the recommended API for future Windows-based, crypto-aware applications. CNG provides a host of new developer-focused functionality, including easier discoverability and substitution of algorithms, replaceable random number generators, and a kernel mode cryptographic API. While offering these new capabilities, CNG is also fully backwards compatible with the set of algorithms provided in its predecessor, CryptoAPI 1.0. Currently, CNG is being evaluated for Federal Information Processing Standards (FIPS) 140-2 level 2 certification as well as for Common Criteria on selected platforms.

The CNG Suite B support includes all required algorithms: AES (all key sizes), the SHA-2 family (SHA-256, SHA-384 and SHA-512) of hashing algorithms, Elliptic Curve Diffie-Hellman (ECDH), and Elliptic Curve Digital Signature Algorithm (ECDSA) over the National Institute of Standards and Technology (NIST) standard prime curves P-256, P-384, and P-521. The NSA has stated that certified Suite B implementations will be used to protect information classified as Top Secret, Secret, and private information that, in the past, was described as Sensitive-But-Unclassified. All Suite B algorithms were developed openly and some other governments are also exploring adopting them as national standards.

Leave a Reply