Public Key Infrastructure Fundamentals
Computer networks are no longer closed systems in which a user’s mere presence on the network can serve as proof of identity. In this age of information interconnection, an organization’s network might consist of intranets, Internet sites, and extranets, all of which are potentially susceptible to access by unauthorized individuals who intend to maliciously view or alter the organization’s digital information assets.
There are many potential opportunities for unauthorized access to information stored on networks. A person can attempt to monitor or alter information as it crosses the network, including e-mail messages, electronic commerce transactions, and file transfers. A thief who steals a laptop computer can attempt to access confidential documents stored on the computer. An attacker might attempt to impersonate a legitimate user to gain access to information that would not otherwise be authorized.
A well-planned PKI can reduce the likelihood of each of these common attacks. As a security administrator, you must understand the fundamentals of PKI, and be able to deploy a Windows Server 2003 Certificate Services infrastructure.
Cryptography and Encryption
Cryptography is essential for the secure exchange of information across intranets, extranets, and the Internet. From a technical point of view, cryptography is the science of protecting data by mathematically transforming it into an unreadable format, otherwise known as encryption. To a business, cryptography is a means to reduce the likelihood of a costly security compromise by providing authentication, confidentiality, and data integrity.
Network encryption comes in two main varieties: shared key encryption and public key encryption. Shared key encryption requires both the sender and the recipient of an encrypted message to have a shared secret, a password that can be used to encrypt and decrypt the message. Shared key encryption is easy to understand, but it is difficult to implement on a large scale. After all, to allow secure communication between 1,000 employees at a company would require about 1 million passwords to be exchanged, because any two users who wanted to communicate would need to exchange a unique password.
For example, if Sam wants to send an encrypted electronic message to Toby, Sam first walks over to Toby and whispers a password in his ear. Then, when Toby receives the electronic message, Toby decrypts it with the password. As long as nobody else knows the password, Sam can be sure that the contents of the message are private.
The second common network encryption mechanism is public key encryption, also known as asymmetric key encryption. Public key encryption uses one key to encrypt a message, and a second, related key to decrypt the message. These two keys form a key pair. One of these keys is kept private, and the other key can be shared publicly (hence the name, public key encryption).
For example, if Sam wants to send an encrypted message to Toby, Sam uses Toby’s public key to encrypt the message. When Toby receives the message, Toby uses his private key to decrypt it. Only Toby’s private key can be used to decrypt a message encrypted with his public key, so Sam can be sure that nobody else was able to view the contents of the message.
There’s another interesting way to use public key encryption: digital signatures. If Sam wants to prove to Toby that Sam, and not somebody else, sent the message, Sam can use Sam’s own private key to encrypt the message. After Toby receives it, Toby needs to use Sam’s public key to decrypt the message. If it decrypts properly, Toby can be certain that Sam’s private key was used to encrypt it and that the message has not changed since Sam sent it. Of course, encryption takes a great deal of processing power, so Sam would probably choose to encrypt a short hash of the message instead of the entire message, and append the encrypted hash to the end of the message. That would be sufficient to prove that Sam sent the message and that it had not been modified in transit.
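As an added example that is not part of the original post, the following textbook RSA code with tiny constructed primes shows both uses described above: Sam encrypting to Toby’s public key, and Sam signing a SHA-256 hash with Sam’s own private key so that a message altered in transit fails verification. The primes, exponent and messages are constructed for readability only.

```python
import hashlib
from math import gcd

# Constructed toy primes, far too small for real keys; they keep the numbers
# readable. Each byte is a separate RSA block because every byte value < n.
TOBY_PRIMES = (61, 53)   # Toby's key pair is used for encryption
SAM_PRIMES = (67, 71)    # Sam's key pair is used for signing
E = 17                   # public exponent shared by both pairs

def make_keypair(p: int, q: int, e: int = E):
    """Return ((e, n), (d, n)): the public and private halves of one key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e: the private exponent
    return (e, n), (d, n)

def encrypt(message: bytes, public_key) -> list:
    """Sam encrypts with Toby's public key; only Toby's private key reverses it."""
    e, n = public_key
    return [pow(b, e, n) for b in message]

def decrypt(ciphertext: list, private_key) -> bytes:
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def sign(message: bytes, private_key) -> list:
    """Hash the message, then 'encrypt' the digest with the signer's private key."""
    d, n = private_key
    return [pow(b, d, n) for b in hashlib.sha256(message).digest()]

def verify(message: bytes, signature: list, public_key) -> bool:
    """'Decrypt' the signature with the signer's public key and compare digests."""
    e, n = public_key
    recovered = [pow(s, e, n) for s in signature]
    if any(v > 255 for v in recovered):  # not a valid digest byte: reject
        return False
    return bytes(recovered) == hashlib.sha256(message).digest()

if __name__ == "__main__":
    toby_pub, toby_priv = make_keypair(*TOBY_PRIMES)
    sam_pub, sam_priv = make_keypair(*SAM_PRIMES)
    msg = b"Meet at noon"
    ct = encrypt(msg, toby_pub)                   # Sam -> Toby, confidential
    sig = sign(msg, sam_priv)                     # Sam proves authorship
    print(decrypt(ct, toby_priv))                 # b'Meet at noon'
    print(verify(msg, sig, sam_pub))              # True
    print(verify(b"Meet at one", sig, sam_pub))   # False: content changed
```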