The PKI Guy Blog


BYOD, PKI

BYOD Raises Challenges Around Identity and Access Management
We work in a bring-your-own-devices (BYOD) culture, which raises questions and challenges around identity and access management. Mark was interviewed by Solutions Review about BYOD security issues and what organizations can do. Check out the Q&A.
  • April 18, 2018

Internet of Things

What Can Organizations Do About IoT Security?
The Internet of Things (IoT) promises innovation and helpfulness, but it also raises cybersecurity challenges for organizations, as IoT devices typically lack any sort of security platform. Mark outlines security risks and offers up recommendations. Check out the Q&A he did with Solutions Review.
  • April 16, 2018

Authentication, PKI

Stay Safer Online With Two-Factor Authentication

According to Pew Research Center, 84 percent of adults rely primarily on memorization or pen and paper to store passwords. But we know that storing passwords on paper can lead to exposure. Instead, using a complex password combined with password management and two-factor or multi-factor authentication can greatly reduce risk, especially with phishing on the rise.

Mark wrote an article on tips to implement two-factor and multi-factor authentication for Cyber Oregon. Cyber Oregon’s mission is to build tangible solutions to protect the digital lives of all Oregonians. The Cyber Oregon Awareness Initiative is powered by an active consortium of industry, educational institutions, organizations, and state/local government agencies. You can read Mark’s complete article here.

  • April 12, 2018

PKI

Microsoft ADCS Certificate Transparency Support

Microsoft just released their official statement and support for Certificate Transparency. I will be writing a full article covering this update as there are several key areas that are lacking in the Microsoft documentation. So in the interest of spreading the word on the official announcement, here is the link:

https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency

Issues that need to be addressed in my blog post are questions about:

  1. What update/fix is needed on your server to support this fix
  2. What tools can be used to execute the portions of this fix that Microsoft has not included
  3. Step-by-step process for placing the CT extension in an issued certificate
  4. Implications for existing CMS products (Venafi, CMS, etc.)
  5. Timeline for implementation and enforcement

Check back soon for the full details and implementation guidelines.

  • March 26, 2018

PKI

PKI Solutions is hiring talented PKI professionals

PKI Solutions offers a complete set of PKI consulting, training, professional services, support and assessments with a particular emphasis on Microsoft Active Directory Certificate Services. As the demand for cybersecurity and the increased protection offered by PKI technologies continues to grow in the enterprise and the Internet of Things, so too does PKI Solutions Inc. Do you have deep knowledge and hands-on expertise in ADCS and PKI technologies? Do you enjoy working with other like-minded professionals to design, configure and support PKIs? Here’s an opportunity to showcase your expert-level knowledge and focus on what you do best. If this sounds interesting and you can hit the ground running, send us an email at talent@pkisolutions.com with your resume and tell us a little about yourself.

  • March 13, 2018

Certificate Templates, Crypto Providers, Enrollment, PKI, Trusted Platform Modules (TPM)

Understanding Microsoft Cryptographic Service Providers

A common question I often get from customers and students is about Microsoft’s Cryptographic Service Providers (CSPs). The CSPs are responsible for creating, storing and accessing cryptographic keys, the underpinnings of any certificate and PKI. These keys can be symmetric or asymmetric: RSA, elliptic curve, or a host of others such as DES, 3DES, and so forth. Selecting a cryptographic provider determines what type, size and storage of key will be used, in our case for a certificate. There are also third-party providers for devices such as smart cards and hardware security modules. For the purposes of this article, I will be addressing the standard Microsoft CSPs and the newer Crypto-Next Generation KSPs, their capabilities and the primary purposes for which you may use them.

Let me start by saying there are many more CSPs than you will typically ever need to use. To that end, in the comparison tables below, I have broken the providers into three tables: the modern Crypto-Next Generation (CNG) providers that are recommended, followed by the legacy CAPI (RSA only) providers, and last the deprecated providers that are seldom used anymore. In reviewing this list, the primary things we are evaluating are what types of keys can be used, their size, their protections, and their compatibility.

For the short answer, refer to ThePKIGuy Recommendations for each provider to see where and why you may use a specific provider.

Modern Microsoft cryptography providers

Each entry lists: Provider Name & Type; Description; Purposes; Crypto; Default Microsoft Templates; ThePKIGuy Recommendations.

Microsoft Software Key Storage Provider (CNG)
  • Description: Standard Windows software-based RSA and ECC provider.
  • Purposes: Key Exchange, Digital Signature, Data Encryption
  • Crypto: RSA, ECC; SHA1, SHA2
  • Default Microsoft Templates: OCSP Response Signing (KSP required, provider not specific)
  • ThePKIGuy Recommendation: Use this for any modern CNG-supported key storage and creation

Microsoft Smart Card Key Storage Provider (CNG)
  • Description: Supports smart card key creation and use.
  • Purposes: Key Exchange, Digital Signature, Data Encryption
  • Crypto: RSA, ECC; SHA1, SHA2
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Use only if creating/using keys in a smart card

Microsoft Platform Crypto Provider (CNG)
  • Description: Generates and stores keys in Trusted Platform Modules. Supports Key Attestation to allow the CA to ensure the key was created in a TPM/virtual smart card.
  • Purposes: Key Exchange, Digital Signature, Data Encryption
  • Crypto: RSA, ECC; SHA1, SHA2
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Use only if creating/storing keys in a Trusted Platform Module

Comparison of modern Microsoft providers

Legacy Microsoft cryptography providers

Each entry lists: Provider Name & Type; Description; Purposes; Crypto; Default Microsoft Templates; ThePKIGuy Recommendations.

Microsoft RSA SChannel Cryptographic Provider (CAPI)
  • Description: Supports hashing, data signing, and signature verification. The algorithm identifier CALG_SSL3_SHAMD5 is used for SSL 3.0 and TLS 1.0 client authentication. This CSP supports key derivation for the SSL2, PCT1, SSL3 and TLS1 protocols.
  • Purposes: Key Exchange
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: CEP Encryption, Computer, Directory Email Replication, Domain Controller, Domain Controller Authentication, IPSec, IPSec (Offline), Kerberos Authentication, RAS and IAS Server, Router (Offline request), Web Server, Workstation Authentication
  • ThePKIGuy Recommendation: Use this for any network/SSL/TLS use when you must use a CSP provider

Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider (CAPI)
  • Description: Supports Diffie-Hellman key exchange (a 40-bit DES derivative), SHA hashing, DSS data signing, and DSS signature verification. Derived from the Base DSS and Diffie-Hellman Cryptographic Provider. Adds support for RC2/4, DES and 3DES encryption.
  • Purposes: Digital Signatures
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Authenticated Session, Basic EFS, CA Exchange, Code Signing, EFS Recovery Agent, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Exchange User, Key Recovery Agent, Trust List Signing, User, User Signature Only
  • ThePKIGuy Recommendation: If you are using a legacy CSP and have no need for encryption, this is fine.

Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider (CAPI)
  • Description: Supports hashing, data signing with DSS, generating Diffie-Hellman (D-H) keys, exchanging D-H keys, and exporting a D-H key. This CSP supports key derivation for the SSL3 and TLS1 protocols.
  • Purposes: Key Exchange
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Web Server
  • ThePKIGuy Recommendation: Legacy - Don’t use unless you need to support the built-in Web Server template to enable IIS enrollments via the GUI

Microsoft Base Cryptographic Provider (CAPI)
  • Description: A broad set of basic cryptographic functionality that can be exported to other countries or regions. No 3DES support. RC2/4 limited to 40 bits.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Administrator, Authenticated Session, Basic EFS, Code Signing, EFS Recovery Agent, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Exchange User, Trust List Signing, User, User Signature Only
  • ThePKIGuy Recommendation: Legacy - Don’t Use

Microsoft DSS Cryptographic Provider (CAPI)
  • Description: Provides hashing, data signing, and signature verification capability using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.
  • Purposes: Digital Signatures
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: Authenticated Session, Code Signing, Enrollment Agent, Enrollment Agent (Computer), Exchange Enrollment Agent (Offline request), Exchange Signature Only, Trust List Signing, User Signature Only
  • ThePKIGuy Recommendation: Legacy - Don’t Use

Providers still used out of the box, but limited in ability and generally not used

Deprecated Microsoft cryptography providers

Each entry lists: Provider Name & Type; Description; Purposes; Crypto; Default Microsoft Templates; ThePKIGuy Recommendations.

Microsoft Base Smart Card Crypto Provider (CAPI)
  • Description: Derived from the Microsoft Strong Cryptographic Provider. Communicates with Smart Card Modules (minidriver).
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Use only if your smart card supports CSP and not CNG. Otherwise this is deprecated and shouldn’t be used.

Microsoft Strong Cryptographic Provider (CAPI)
  • Description: An extension of the Microsoft Base Cryptographic Provider available with Windows XP and later. Default RSA CSP. Derivative of the Microsoft Enhanced Cryptographic Provider. Supports all the same key lengths, but lacks a configurable salt length for RC encryption algorithms.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Deprecated - Don’t Use

Microsoft Enhanced Cryptographic Provider (CAPI)
  • Description: Derived from the Base Cryptographic Provider. The Enhanced Provider supports stronger security through longer keys and additional algorithms. Can only generate 128-bit RC2/4 keys, but can import smaller ones.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Deprecated - Don’t Use

Microsoft RSA and AES Cryptographic Provider (CAPI)
  • Description: Microsoft Enhanced Cryptographic Provider with support for AES encryption algorithms.
  • Purposes: Digital Signatures, Data Encryption
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Deprecated - Don’t Use

Microsoft Base DSS and Diffie-Hellman Cryptographic Provider (CAPI)
  • Description: A superset of the DSS Cryptographic Provider that also supports Diffie-Hellman key exchange, hashing, data signing, and signature verification using the Secure Hash Algorithm (SHA) and Digital Signature Standard (DSS) algorithms.
  • Purposes: Diffie-Hellman (Key Exchange), Digital Signatures
  • Crypto: RSA; SHA1
  • Default Microsoft Templates: None
  • ThePKIGuy Recommendation: Deprecated - Don’t Use

Deprecated providers that are seldom used and should be avoided unless compatibility or business requirements dictate otherwise

Have a specific scenario where one of these providers was needed for another purpose? Have you been explicitly told to use a provider to support an application? If so, let me know so we can sort through the data and get it added to the list!
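A practical follow-up to the three tables is finding out which group the keys already in a store actually live in. The PowerShell below is an added example, not code from the article; it uses the article's provider names (real provider strings may carry a suffix such as "v1.0", so prefix matching is used) and flags anything unmatched for manual review.

```powershell
# Added example, not from the article: report which provider group (from the
# three tables above) holds each private key in a certificate store.
$ProviderGroups = [ordered]@{
    'Modern (CNG)' = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Smart Card Key Storage Provider',
        'Microsoft Platform Crypto Provider')
    'Legacy (CAPI)' = @(
        'Microsoft RSA SChannel Cryptographic Provider',
        'Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider',
        'Microsoft DSS and Diffie-Hellman/Schannel Cryptographic Provider',
        'Microsoft Base Cryptographic Provider',
        'Microsoft DSS Cryptographic Provider')
    'Deprecated (CAPI)' = @(
        'Microsoft Base Smart Card Crypto Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced Cryptographic Provider',
        'Microsoft RSA and AES Cryptographic Provider',
        'Microsoft Base DSS and Diffie-Hellman Cryptographic Provider')
}

function Get-ProviderGroup([string]$ProviderName) {
    foreach ($group in $ProviderGroups.Keys) {
        foreach ($prefix in $ProviderGroups[$group]) {
            if ($ProviderName -like "$prefix*") { return $group }   # prefix match tolerates "v1.0"
        }
    }
    return 'Unclassified (review manually)'
}

function Get-CertProviderReport([string]$StorePath = 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey) {
        $provider = $null
        try {
            # Try RSA first, then ECDSA. The returned object is a CAPI wrapper
            # (RSACryptoServiceProvider) or a CNG wrapper (RSACng/ECDsaCng).
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $key.CspKeyContainerInfo.ProviderName   # legacy CAPI CSP name
            } elseif ($key -and $key.Key) {
                $provider = $key.Key.Provider.Provider               # CNG KSP name behind the CngKey
            }
        } catch { $provider = "ERROR: $($_.Exception.Message)" }
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                           Provider = $provider; Group = Get-ProviderGroup $provider }
    }
}

# Sorted by group name, so Deprecated entries surface first for re-enrollment planning
Get-CertProviderReport | Sort-Object Group | Format-Table -AutoSize
```

Run it elevated to read machine-store keys; keys on a smart card or HSM may prompt or report an error rather than a provider name.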

  • February 28, 2018

PKI, The PKI CryptoGram

PKI Solutions logo contest!

We’re pleased to announce that we’re unveiling our new company logo on our website today. The PKIGuy and the rest of the team here are excited to welcome you to our first-ever PKI Solutions logo contest!

Since cryptography is the art of writing and solving codes, we decided to have some fun with the roll-out of our new logo and get you guys involved. We want to invite you to participate in our contest to see how many cryptography clues and graphic elements that you can find in our logo.

How it works:
Visit our website and click the link here to enter the contest. The contest begins on Friday, February 23 at 6:00 a.m. PST and ends at 12 a.m. PST on Saturday, March 3.

Who wins:
The top three people who find the most clues and design elements that relate to cryptography will each win our contest.

What you win:
Each of the top three winners will win the thrill of victory … AND each winner will receive one (1) of three (3) $31 Starbucks eGift cards.

Good luck cracking the code!

Enter The Contest

  • February 23, 2018

Backups, Database, Hardware Security Modules, Hotfixes, Maintenance, Offline CA, PKI

Backing up ADCS Certificate Authorities (Part 2 of 2)

In my last blog post (Backing up ADCS Certificate Authorities Part 1) I covered the inner workings of how ADCS and the Jet database works to maintain the CA data. In this post I am going to go over a comprehensive PowerShell script that I wrote to perform a full backup of all necessary ADCS components. In addition, this backup will ensure the CA performs the necessary log maintenance and truncation that I indicated was vital in Part 1. (more…)

  • January 11, 2018

Backups, Database, Hardware Security Modules, Hotfixes, Maintenance, Offline CA, PKI

Backing up ADCS Certificate Authorities (Part 1 of 2)

One of the areas I have spoken about extensively at conferences and cover in my training classes is the unique issues associated with backing up and managing your ADCS Certificate Authority. There are several items I would like to address in this two-part series:

  • CA Database and log file structure
  • Unique issues with VM Snapshots with ADCS
  • CA Private Key backups (and when they aren’t happening)
  • Using PowerShell to Backup

(more…)

  • December 14, 2017

PKI

2018 Training Class Schedule

It’s here: the 2018 PKI Training schedule is now live and accepting registrations. There are three In-Depth classes and three Advanced PKI classes split between the US and Europe. Be sure to check out the schedule and register early, as classes usually sell out in advance.

PKI In-Depth Class

  • Portland, Oregon: March 26-30, 2018
  • Washington DC: May 21-25, 2018
  • London, England: June 11-15, 2018

PKI Advanced Class

  • Portland, Oregon: July 16-20, 2018
  • Washington DC: August 13-17, 2018
  • London, England: September 10-14, 2018

As always, contact me if you have any questions. Registrations are available on the website here.

  • October 25, 2017

  © Copyright 2013-2018 PKI Solutions Inc. // All Rights Reserved // Terms of Service // Privacy Policy // Pricing and Refund Policies