PKI, or Public Key Infrastructure, is used by many organizations for a variety of purposes including issuing of SSL certificates, smart cards, encrypted file system (EFS) certificates, and authentication. With each release of the server OS, Microsoft has made major improvements to the Certificate Authority.
Windows Server 2008 is no different, and has some major new features that should excite security professionals. Enhancements include:
-"Suite-B" support: Elliptic curve algorithms, along with AES and SHA-2. Existing algorithms such as 3DES are aging and need to be replaced by more secure alternatives. AES is the new U.S. Government approved encryption algorithm that will replace DES/3DES. In addition, the older SHA hashing algorithms have their own problems and needed revamping. SHA-2 is the collective name for the one-way hash functions developed by NIST, which include SHA-256/384/512.
-"Suite-B" enabled client/server certificates and SSL/Kerberos. Given that SSL certificates are one of the most common uses of PKI and that Windows makes wide use of Kerberos for authentication, it's great that MS now supports the stronger and more advanced options. These options may not be enabled by default, so registry or GPO changes might be needed.
-Crypto Next Generation: A replacement for the aging CryptoAPI featuring easier deployment and management. For anyone who had to deal with CAPI, it was extremely difficult and required significant development time. The new API is supposed to cut development effort tenfold, so we should see more stable and better written crypto applications, such as smart card readers/writers.
-Plug-in architecture for cryptographic modules so enterprises or Government agencies can use custom algorithms. This probably most interests the U.S. Government, since they can now use custom developed crypto within Windows, probably for classified data protection.
-Completely new enrollment GUI: enroll on-behalf-of, expiry notification. Anyone that has used the Windows 2000/2003 enrollment GUI knows it left a lot to be desired. 2008 sports an entirely new GUI which is significantly improved and offers many more choices.
-New smartcard framework: Allows unlocking a smartcard from the Vista logon screen, in addition to other features. If your corporation only allows logons with smart cards and you lock yourself out, Vista now lets you unlock your card from the logon screen.
-Credential roaming (XP SP2 and above): PKI certificates are delivered to a user's machine using AD. For enterprises already using roaming profiles, this feature won't be noticed. But for corporations that rely on local profiles, credential roaming allows a user to log on to a supported machine and AD will deliver their PKI certificates to them in a secure manner.
-New Certificate Authority performance counters. MOM and other monitoring products can now have more detailed insight into CA performance.
-Completely new CA setup: defaults for all steps, unattended setup, and easier to use. Gone is the old CA setup that required you to input a lot of information. Defaults for all answers now let you quickly set up a CA. Although setting up a CA should take significant planning and thought, MS now lets you set one up with a few clicks.
-Delegated enrollment agent: Enables granular restrictions for enrollment agent for specific users or certificate templates. For example, a secretary could issue one-day smart cards for people on her floor.
-CA will now run on a cluster (active/passive). Previously a CA could not be officially installed on a cluster. With 2008 it is now a supported scenario. While this may not be a popular feature, it does open up new deployment scenarios.
-Supports MSCEP: A Cisco protocol to issue PKI certificates to routers. Enterprises are deploying PKI certificates to more and more devices for strong authentication. Since Cisco gear is used very frequently in corporations, supporting native router enrollment will simplify deployment scenarios.
-Supports RFC 2560 OCSP certificate revocation. Vista includes the OCSP client, and WS2008 includes the OCSP responder. This is huge! The old CRL (certificate revocation list) had many problems, and in very large organizations the CRL could be many megabytes, leading to severe performance problems. OCSP takes care of this problem and provides a streamlined and efficient method to check certificate revocation. I think this is the most important change in the 2008 CA architecture.
-CA can be migrated from x86 to x64, and to a computer with a different name. Previously a CA could not be renamed, so you were stuck with the original host name. For companies that wish to rename their CAs and move to 64-bit, this feature is heaven sent.
-Recommend x64 CA deployment because post-2008 server OSes will be x64 only. Microsoft has stated that the server OSes beyond 2008 will be 64-bit only. By deploying your CA on x64 today, you future proof your CA and make future migrations easier.
-Can migrate to a two-node hardware cluster. Supporting high availability is key for Microsoft, and a migration scenario to a hardware cluster is great news if your existing CA needs increased availability.
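Two of the items above, the aging of pre-Suite-B algorithms and the move from CRLs to OCSP, are things an administrator can actually measure in an existing deployment. The following audit script is an added example and is not code from the original post or from Microsoft; it assumes Windows PowerShell 3 or later, a populated certificate store, and a hypothetical function name `Get-CertCryptoAudit`. It flags certificates still signed with SHA-1 or MD5 and certificates whose issuing CA publishes no OCSP responder URL in the Authority Information Access extension.

```powershell
# Added example (not part of the original post). Audits a certificate store for
# pre-Suite-B signature algorithms and for OCSP revocation-checking support.
function Get-CertCryptoAudit {
    param(
        # Any Certificate: provider path; the machine's personal store by default.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Authority Information Access (OID 1.3.6.1.5.5.7.1.1). An OCSP responder
        # is advertised with access method OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp).
        $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
        $hasOcsp = $false
        if ($aia) {
            $hasOcsp = ($aia.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.48\.1')
        }

        # CRL Distribution Points (OID 2.5.29.31): the legacy revocation mechanism.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

        # Signature algorithm names look like 'sha1RSA', 'sha256RSA', 'sha256ECDSA'.
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName

        # PublicKey.Key only exposes RSA/DSA keys on older .NET; ECC keys throw,
        # so the size is reported only where it can be read.
        $keySize = $null
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SignatureAlg  = $sigAlg
            WeakSignature = [bool]($sigAlg -match '^(sha1|md5|md2)')
            KeyAlgorithm  = $cert.PublicKey.Oid.FriendlyName
            KeySizeBits   = $keySize
            HasOcsp       = [bool]$hasOcsp
            HasCrlDp      = [bool]$cdp
            NotAfter      = $cert.NotAfter
        }
    }
}

# Report only the certificates that need attention: weak signatures, or
# revocation checking that can fall back to CRL download alone.
Get-CertCryptoAudit |
    Where-Object { $_.WeakSignature -or -not $_.HasOcsp } |
    Format-Table Subject, SignatureAlg, KeyAlgorithm, KeySizeBits, HasOcsp, HasCrlDp -AutoSize
```

Run it against `Cert:\LocalMachine\Root` or `Cert:\LocalMachine\CA` as well, since a CA certificate with no OCSP URL forces every relying party back to the CRL the post describes.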
All in all, these enhancements are very exciting. Many of the pain points for PKI deployment have been addressed. With ILMv2 (Identity Lifecycle Manager) on the horizon for mid to late 2008, certificate management will be significantly easier than it is today.