Planning Your Public Key Infrastructure |
Implementing PKI in your enterprise is a multiple-part process requiring planning and experimentation through pilot programs. Some features of Windows 2000, such as the Encrypting File System (EFS) and IP security (IPSec), can provide their own certificates without any special preparation on the part of the network administrator. You can deploy these features immediately. Other security features might require a hierarchy of CAs. A CA hierarchy requires planning.
The first business policy decisions you make will have to do with selecting the CAs, both internal and external, that will be the source of your certificates. A typical CA hierarchy has a three-level architecture. It is recommended that you have one root CA, and that it be offline. You need a second level of CAs to implement certificate policy. This level also needs to be offline. The third level is the issuing CAs. You can have internal or external CAs at this level. Internal network authentication and data integrity can be handled by a local certifying authority, such as your IT department. Internet transactions and software signing might require third-party certificates in order to establish public credibility.
While selecting your CAs, give some thought to your cryptographic service provider (CSP). The CSP is the software or hardware that provides encryption services for your CA. If the CSP is software based, it will generate a public key and a private key, often referred to as a key pair, on your computer. If the CSP is hardware based, such as a smart card CSP, it might instruct a piece of hardware to generate the key pair.
The standard CSP for Windows environments is the Microsoft Base cryptographic service provider, which provides 40-bit key lengths. Windows 2000 supports 40/56-bit encryption and is exportable. For greatest security (and greater speed), consider using a hardware-based CSP, available from third-party vendors.
Greater security usually means greater cost, both in terms of expense for hardware and in CPU cycles devoted to encryption. Greater security is not always cost effective, but it is available when needed. For extreme levels of security, consider a hardware CSP for CAs and smart cards for users.