Preface

The Kerberos Network Authentication Service

  The Kerberos Network Authentication Service
    Basic Concepts of Kerberos
      Passwords
      Symmetric Keys
      Key Distribution and Management
      Single Sign-On
    Kerberos Architecture
      Time Stamps for Nonces
      Preauthentication
      Security Services
    Different Views of Kerberos
      Cross-Realm Authentication
      Policy Configuration Options
    Public Key Extensions
      Initial Authentication
      Cross-Realm Authentication
    Limitations of Kerberos
    Kerberos Tickets
      Ticket Contents
      Ticket Flags
      Delegation of Authentication
      Ticket-Granting Tickets
      The Use of Network Addresses in Tickets
      Authenticators for Tickets
    The Kerberos Protocol
      Authentication Service Exchange
      Ticket-Granting Service Exchange
      Client/Server Exchange
    Summary
    References

  Kerberos in Windows 2000
    Authentication: Kerberos versus NTLM
      Scalability
      Mutual Authentication
      Support for Multitier Applications
      Simplified Trust Management
      Interoperability with Existing Trust Infrastructures
      Smart Card Support
    Windows 2000 Implementation of Kerberos
      Key Distribution Center (KDC)
      Account Database
      Kerberos Policy
      Kerberos Security Support Provider
      Credentials Cache
      IP Transport
    Authorization in Windows 2000
      Access-Control Model
      Preparation of Authorization Data by the KDC
    Interactive Log-On in Windows 2000
      Using a Password
      Using a Smart Card
    Summary
    References

Public Key Technology

  Public Key Technology
    Overview of Cryptography
      Symmetric Key Cryptography
      Public Key Cryptography
      Public Key Cryptography Schemes
      Message Digest Algorithms
    Digital Signatures
      RSA Digital Signatures
      DSS Digital Signatures
      Elliptic Curve Digital Signatures
    Key Length
      Considerations for Symmetric Key Cryptosystems
      Considerations for Public Key Cryptosystems
    Digital Certificates
      Cryptographic Authentication
      Secure, Scalable Key Distribution
      Client-Centric Processing
      X.509 Digital Certificates
      Encoding of Certificates
    Certificate Revocation Lists (CRLs)
      Methods for Propagating CRL Information
      X.509 CRLs
    Certification Authorities
      Certificate Enrollment
      Subject Authentication
      Certificate Generation, Distribution, and Revocation
      Data Repositories
    Public Key Infrastructures (PKIs)
      Structures among Multiple Certification Authorities
      Certification Path Discovery and Validation
    Summary
    References

  Public Key Technology in Windows 2000
    Public Key Security
      Secure E-Commerce: TLS/SSL
      Supporting Distributed Business Partners: TLS/SSL Client-Side Authentication
      Strong Network Authentication: Smart Cards
      Distributing Authenticated Code: Authenticode 2.0
      Laptop and Desktop File System Security: EFS
      Secure E-Mail: S/MIME
      Network-Level Secure Communications: IPsec
    Public Key Security Architecture
      CryptoAPI
      Cryptographic Service Providers
      Certificate Services
    Public Key Infrastructure
      Trust Models
      Certificate Chain Building
      Revocation Status Checking
      Cryptographic Algorithms and Key Lengths
      Hardware Support
      Certificate Trust Lists
    Public Key Infrastructure Standards
    Interoperability with Third-Party PKIs
      PKI to PKI
      PKI to Application
      Application to Application
    Summary
    References

  Using Public Key Technology in Windows 2000
    Designing a Certification Authority Structure
      Factors Influencing the Design of a CA Structure
      Models for Operating a Certification Authority
      Models for CA Structures
    Using Certificate Services
      Enterprise versus Standalone Certification Authorities
      Installing Certificate Services
      Administering the Certificate Services CA
    Certificate Enrollment for Users and Computers
      Certificate Stores
      Enrollment Using the Certificate Request Wizard
      Web-Based Enrollment
      Distribution of Root CA Certificates to Computers
    Summary
    References

IP Security and Virtual Private Networks

  IP Security (IPsec)
    IPsec Concepts
      Security Protocols
      Security Associations
      Models for Combining AH and ESP Protocols
      Points of Implementation
      Limitations of IPsec and Performance Considerations
    Key Management in IPsec
      Internet Security Association and Key-Management Protocol (ISAKMP)
      Internet Key Exchange
    Summary
    References

  Virtual Private Networks (VPNs)
    Basic Concepts
      VPN Scenarios
      Tunneling
      Authentication, Authorization, Accounting, Auditing, and Alarming
      Remote-Access Virtual Interfaces and Routing Considerations
    Virtual Private Networking with L2TP/IPsec
      L2TP/IPsec Two-Level Authentication
      IPsec Confidentiality, Data Origin Authentication, and Integrity Services
      L2TP/IPsec Packet Encapsulation
      Remote-Access Authentication Protocols in Windows 2000
    VPNs and Firewalls
      VPN Server behind the Firewall
      VPN Server in front of the Firewall
    VPN Interoperability
    Summary
    References

  Using IPsec and VPNs in Windows 2000
    Using IPsec
      IPsec Policies
      Predefined IPsec Policies
      Custom IPsec Policies
    Using VPNs
      Network Configuration
      Domain Configuration
      Security Configuration
      Remote-Access Policy Configuration
    Remote-Access Policies
      Remote-Access Policy Conditions
      Remote-Access Policy Permission
      Remote-Access Policy Profile
    Setting up VPNs
      Remote-Access VPN Server Setup
      VPN Client Setup
      Router-to-Router VPN Connections
    Summary
    References

Trust beyond the Enterprise

  Extending Trust beyond the Enterprise
    Local Registration Authorities
      The LRA Model
      LRA Deployment Models
    VeriSign OnSite Service
      Certificate Enrollment and Distribution
      Certificate Management
      Authentication Models
      Controlling Access to the LRAA Web Site
      Public versus Private Certification
      Local Hosting
      VeriSign OnSite Automated Authentication Service
    Networking of Local Trust Networks
      VeriSign Gateway Service
      VeriSign Go Secure! for Microsoft Exchange
    Summary
    References

  Trust in Business-to-Business Marketplaces
    B2B Net Marketplaces
    Trust
      Distributed Trust Management
      Verifiable Trust
    B2B Trust Services
      Authentication
      Payment
      Validation
    Summary
    References

Secure Network Programming in Windows 2000

  Kerberizing Applications Using Security Support Provider Interface
    SSPI and Windows 2000 Security Architecture
    SSPI Functions
    Using SSPI
    Impersonation and Delegation
    Sample Project: Using SSPI to Kerberize Applications
    Summary
    References

  Service Publication in Windows 2000 Active Directory
    Service Publication and Connection Points
      Service Connection Point (SCP)
      Host-Based Services
      Replicable Services
    Service Publication and Security
      Service Principal Names
    Sample Project: Using Connection Points for Service Publication
    Summary
    References

Glossary

Acronyms

Index

CD-ROM Warranty