| |
| |
| Preface | |
| |
| |
| |
| The Kerberos Network Authentication Service | |
| |
| |
| |
| The Kerberos Network Authentication Service | |
| |
| |
| Basic Concepts of Kerberos | |
| |
| |
| Passwords | |
| |
| |
| Symmetric Keys | |
| |
| |
| Key Distribution and Management | |
| |
| |
| Single Sign-On | |
| |
| |
| Kerberos Architecture | |
| |
| |
| Time Stamps for Nonces | |
| |
| |
| Preauthentication | |
| |
| |
| Security Services | |
| |
| |
| Different Views of Kerberos | |
| |
| |
| Cross-Realm Authentication | |
| |
| |
| Policy Configuration Options | |
| |
| |
| Public Key Extensions | |
| |
| |
| Initial Authentication | |
| |
| |
| Cross-Realm Authentication | |
| |
| |
| Limitations of Kerberos | |
| |
| |
| Kerberos Tickets | |
| |
| |
| Ticket Contents | |
| |
| |
| Ticket Flags | |
| |
| |
| Delegation of Authentication | |
| |
| |
| Ticket-Granting Tickets | |
| |
| |
| The Use of Network Addresses in Tickets | |
| |
| |
| Authenticators for Tickets | |
| |
| |
| The Kerberos Protocol | |
| |
| |
| Authentication Service Exchange | |
| |
| |
| Ticket-Granting Service Exchange | |
| |
| |
| Client/Server Exchange | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Kerberos in Windows 2000 | |
| |
| |
| Authentication: Kerberos versus NTLM | |
| |
| |
| Scalability | |
| |
| |
| Mutual Authentication | |
| |
| |
| Support for Multitier Applications | |
| |
| |
| Simplified Trust Management | |
| |
| |
| Interoperability with Existing Trust Infrastructures | |
| |
| |
| Smart Card Support | |
| |
| |
| Windows 2000 Implementation of Kerberos | |
| |
| |
| Key Distribution Center (KDC) | |
| |
| |
| Account Database | |
| |
| |
| Kerberos Policy | |
| |
| |
| Kerberos Security Support Provider | |
| |
| |
| Credentials Cache | |
| |
| |
| IP Transport | |
| |
| |
| Authorization in Windows 2000 | |
| |
| |
| Access-Control Model | |
| |
| |
| Preparation of Authorization Data by the KDC | |
| |
| |
| Interactive Log-On in Windows 2000 | |
| |
| |
| Using a Password | |
| |
| |
| Using a Smart Card | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Public Key Technology | |
| |
| |
| |
| Public Key Technology | |
| |
| |
| Overview of Cryptography | |
| |
| |
| Symmetric Key Cryptography | |
| |
| |
| Public Key Cryptography | |
| |
| |
| Public Key Cryptography Schemes | |
| |
| |
| Message Digest Algorithms | |
| |
| |
| Digital Signatures | |
| |
| |
| RSA Digital Signatures | |
| |
| |
| DSS Digital Signatures | |
| |
| |
| Elliptic Curve Digital Signatures | |
| |
| |
| Key Length | |
| |
| |
| Considerations for Symmetric Key Cryptosystems | |
| |
| |
| Considerations for Public Key Cryptosystems | |
| |
| |
| Digital Certificates | |
| |
| |
| Cryptographic Authentication | |
| |
| |
| Secure, Scalable Key Distribution | |
| |
| |
| Client-Centric Processing | |
| |
| |
| X.509 Digital Certificates | |
| |
| |
| Encoding of Certificates | |
| |
| |
| Certificate Revocation Lists (CRLs) | |
| |
| |
| Methods for Propagating CRL Information | |
| |
| |
| X.509 CRLs | |
| |
| |
| Certification Authorities | |
| |
| |
| Certificate Enrollment | |
| |
| |
| Subject Authentication | |
| |
| |
| Certificate Generation, Distribution, and Revocation | |
| |
| |
| Data Repositories | |
| |
| |
| Public Key Infrastructures (PKIs) | |
| |
| |
| Structures among Multiple Certification Authorities | |
| |
| |
| Certification Path Discovery and Validation | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Public Key Technology in Windows 2000 | |
| |
| |
| Public Key Security | |
| |
| |
| Secure E-Commerce: TLS/SSL | |
| |
| |
| Supporting Distributed Business Partners: TLS/SSL Client-Side Authentication | |
| |
| |
| Strong Network Authentication: Smart Cards | |
| |
| |
| Distributing Authenticated Code: Authenticode 2.0 | |
| |
| |
| Laptop and Desktop File System Security: EFS | |
| |
| |
| Secure E-Mail: S/MIME | |
| |
| |
| Network-Level Secure Communications: IPsec | |
| |
| |
| Public Key Security Architecture | |
| |
| |
| CryptoAPI | |
| |
| |
| Cryptographic Service Providers | |
| |
| |
| Certificate Services | |
| |
| |
| Public Key Infrastructure | |
| |
| |
| Trust Models | |
| |
| |
| Certificate Chain Building | |
| |
| |
| Revocation Status Checking | |
| |
| |
| Cryptographic Algorithms and Key Lengths | |
| |
| |
| Hardware Support | |
| |
| |
| Certificate Trust Lists | |
| |
| |
| Public Key Infrastructure Standards | |
| |
| |
| Interoperability with Third-Party PKIs | |
| |
| |
| PKI to PKI | |
| |
| |
| PKI to Application | |
| |
| |
| Application to Application | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Using Public Key Technology in Windows 2000 | |
| |
| |
| Designing a Certification Authority Structure | |
| |
| |
| Factors Influencing the Design of a CA Structure | |
| |
| |
| Models for Operating a Certification Authority | |
| |
| |
| Models for CA Structures | |
| |
| |
| Using Certificate Services | |
| |
| |
| Enterprise versus Standalone Certification Authorities | |
| |
| |
| Installing Certificate Services | |
| |
| |
| Administering the Certificate Services CA | |
| |
| |
| Certificate Enrollment for Users and Computers | |
| |
| |
| Certificate Stores | |
| |
| |
| Enrollment Using the Certificate Request Wizard | |
| |
| |
| Web-Based Enrollment | |
| |
| |
| Distribution of Root CA Certificates to Computers | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| IP Security and Virtual Private Networks | |
| |
| |
| |
| IP Security (IPsec) | |
| |
| |
| IPsec Concepts | |
| |
| |
| Security Protocols | |
| |
| |
| Security Associations | |
| |
| |
| Models for Combining AH and ESP Protocols | |
| |
| |
| Points of Implementation | |
| |
| |
| Limitations of IPsec and Performance Considerations | |
| |
| |
| Key Management in IPsec | |
| |
| |
| Internet Security Association and Key-Management Protocol (ISAKMP) | |
| |
| |
| Internet Key Exchange | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Virtual Private Networks (VPNs) | |
| |
| |
| Basic Concepts | |
| |
| |
| VPN Scenarios | |
| |
| |
| Tunneling | |
| |
| |
| Authentication, Authorization, Accounting, Auditing, and Alarming | |
| |
| |
| Remote-Access Virtual Interfaces and Routing Considerations | |
| |
| |
| Virtual Private Networking with L2TP/IPsec | |
| |
| |
| L2TP/IPsec Two-Level Authentication | |
| |
| |
| IPsec Confidentiality, Data Origin Authentication, and Integrity Services | |
| |
| |
| L2TP/IPsec Packet Encapsulation | |
| |
| |
| Remote-Access Authentication Protocols in Windows 2000 | |
| |
| |
| VPNs and Firewalls | |
| |
| |
| VPN Server behind the Firewall | |
| |
| |
| VPN Server in front of the Firewall | |
| |
| |
| VPN Interoperability | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Using IPsec and VPNs in Windows 2000 | |
| |
| |
| Using IPsec | |
| |
| |
| IPsec Policies | |
| |
| |
| Predefined IPsec Policies | |
| |
| |
| Custom IPsec Policies | |
| |
| |
| Using VPNs | |
| |
| |
| Network Configuration | |
| |
| |
| Domain Configuration | |
| |
| |
| Security Configuration | |
| |
| |
| Remote-Access Policy Configuration | |
| |
| |
| Remote-Access Policies | |
| |
| |
| Remote-Access Policy Conditions | |
| |
| |
| Remote-Access Policy Permission | |
| |
| |
| Remote-Access Policy Profile | |
| |
| |
| Setting up VPNs | |
| |
| |
| Remote-Access VPN Server Setup | |
| |
| |
| VPN Client Setup | |
| |
| |
| Router-to-Router VPN Connections | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Trust beyond the Enterprise | |
| |
| |
| |
| Extending Trust beyond the Enterprise | |
| |
| |
| Local Registration Authorities | |
| |
| |
| The LRA Model | |
| |
| |
| LRA Deployment Models | |
| |
| |
| VeriSign OnSite Service | |
| |
| |
| Certificate Enrollment and Distribution | |
| |
| |
| Certificate Management | |
| |
| |
| Authentication Models | |
| |
| |
| Controlling Access to the LRAA Web Site | |
| |
| |
| Public versus Private Certification | |
| |
| |
| Local Hosting | |
| |
| |
| VerSign OnSite Automated Authentication Service | |
| |
| |
| Networking of Local Trust Networks | |
| |
| |
| VeriSign Gateway Service | |
| |
| |
| VeriSign Go Secure! for Microsoft Exchange | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Trust in Business-to-Business Marketplaces | |
| |
| |
| B2B Net Marketplaces | |
| |
| |
| Trust | |
| |
| |
| Distributed Trust Management | |
| |
| |
| Verifiable Trust | |
| |
| |
| B2B Trust Services | |
| |
| |
| Authentication | |
| |
| |
| Payment | |
| |
| |
| Validation | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Secure Network Programming in Windows 2000 | |
| |
| |
| |
| Kerberizing Applications Using Security Support Provider Interface | |
| |
| |
| SSPI and Windows 2000 Security Architecture | |
| |
| |
| SSPI Functions | |
| |
| |
| Using SSPI | |
| |
| |
| Impersonation and Delegation | |
| |
| |
| Sample Project: Using SSPI to Kerberize Applications | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Service Publication in Windows 2000 Active Directory | |
| |
| |
| Service Publication and Connection Points | |
| |
| |
| Service Connection Point (SCP) | |
| |
| |
| Host-Based Services | |
| |
| |
| Replicable Services | |
| |
| |
| Service Publication and Security | |
| |
| |
| Service Principal Names | |
| |
| |
| Sample Project: Using Connection Points for Service Publication | |
| |
| |
| Summary | |
| |
| |
| References | |
| |
| |
| |
| Glossary | |
| |
| |
| |
| Acronyms | |
| |
| |
| Index | |
| |
| |
| CD-ROM Warranty | |