Windows Server 2003 Security the Hard Way
Windows Server 2003 security implemented exclusively in software is often an inefficient approach. Explore the benefits of hardware-based cryptography options, with an emphasis on products from Rainbow-Chrysalis and nCipher.
When it comes to Windows Server 2003 security, most of the attention has been paid to the software improvements built into the platform. However, there is also a hardware side to the security story that network managers need to know about: hardware-based cryptography.
While cryptography can be, and frequently is, implemented exclusively in software, such an approach is often inefficient, especially when dealing with large amounts of data, asymmetric algorithms, and long keys (i.e., those longer than 1024 bits), even on 64-bit servers. In addition, in sensitive environments the compromise of software-based keys is a real concern, since key material remains in the server's memory even after it is no longer in use (such an attack does, of course, require that the attacker be able to read memory contents, for example from a memory or crash dump).
The growing need for secure communication, especially in e-commerce, has raised interest in alternative ways of implementing encryption that eliminate the performance and key-exposure issues described above. The solution comes in the form of hardware security modules (HSMs). Besides serving as storage for private keys (keys generated inside an HSM never leave the device in cleartext, which is what removes the memory-exposure problem), HSMs provide a number of standard cryptography-related functions: they offload the setup of computationally intensive SSL connections, including authentication and session establishment, from Web servers to tamper-resistant hardware, and they protect access to Web services and custom applications.
Two vendors that currently offer such products for Windows Server 2003 are nCipher and Rainbow-Chrysalis.
Rainbow-Chrysalis, headquartered in Ottawa, Canada, makes the Luna CA3 HSM. Luna CA3 integrates with Windows 2000 and Windows Server 2003 through a custom Cryptographic Service Provider (CSP). It supports every commonly used cryptographic algorithm and key length and is based on WHQL-compliant hardware. The hardware consists of several components: a token, a token reader, a PED authentication keypad (PIN Entry Device), a set of color-coded PED keys, and a PCI token reader card. The combination of keypad and keys allows for three-factor authentication that is independent of the server to which the device is attached: the first factor is a PED key, the second a personal PIN assigned to each administrator, and the third (optional) factor invokes the key-splitting feature. Note, however, that using the third factor requires the simultaneous presence of several administrators for every cryptography-related task.
The advantage of a separate keypad is that keystrokes cannot be captured by the operating system of the server to which the device is attached, so a keylogger on the server never sees the PIN. The token reader contains two slots, which allows keys stored on one token to be copied securely to another. To get Luna CA3 operational, install Luna Cryptographic Services on the Windows server, following the setup in this order: install the PCI card with the appropriate drivers and attach the reader with the PED authentication keypad; initialize and activate the cryptographic token; and finally configure the server to use Luna Cryptographic Services as its Cryptographic Service Provider.
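As an added check that is not part of the article or of either vendor's software, the following PowerShell verifies, once the steps above are done, that the vendor CSP is actually registered and functional before Certificate Services is pointed at it. The registry key and the certutil switches are standard Windows tooling; the CSP name string is an assumption and should be replaced with whatever name the vendor installer registers.

```powershell
# Added example (not from the article): confirm a hardware CSP is registered and
# usable before binding a Certificate Services CA to it.
# The provider name below is an ASSUMPTION; use the exact string the vendor registers.
$hsmCsp = 'Luna Cryptographic Services for Microsoft Windows'

# 1. Every CSP Windows knows about is registered under this key. The vendor
#    installer must have added its own entry here, otherwise the CA cannot select it.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$registered  = Get-ChildItem $providerKey | ForEach-Object { $_.PSChildName }
if ($registered -notcontains $hsmCsp) {
    Write-Error "CSP '$hsmCsp' is not registered; install the vendor software first."
    exit 1
}

# 2. Show which DLL implements the CSP and the provider type it claims, so you can
#    confirm key operations go through the vendor module and not a software CSP.
Get-ItemProperty "$providerKey\$hsmCsp" | Select-Object 'Image Path', Type

# 3. certutil -csptest exercises the provider (key generation, signing, encryption).
#    With a PED-protected token this is also where the keypad prompt should appear;
#    if it does not, the keys are not being protected by the hardware.
certutil -csptest "$hsmCsp"

# 4. After Certificate Services is installed, confirm the CA's signing key is bound
#    to the HSM provider rather than the default Microsoft software CSP.
certutil -getreg ca\csp\Provider
```

Run the script as an administrator on the CA host itself; step 4 only returns a value after Certificate Services has been installed with the HSM provider selected.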
A more detailed description of the Luna CA3 module, its installation procedure, and its integration with Windows Public Key Infrastructure (PKI) can be found in a white paper published on Microsoft's Web site.
The nShield HSM from nCipher offers similar capabilities. Based in Cambridge, England, the company has its U.S. headquarters in Woburn, Massachusetts. nShield provides the same degree of integration with Windows 2000 and Windows Server 2003 PKI as the Rainbow-Chrysalis product, including support for the same cryptographic algorithms and hardware compatibility. Its hardware is also similar, with the module available in both PCI and SCSI form factors. In addition, nShield has several features worth noting.
nShield employs nCipher's proprietary Security World key management technology, which provides key storage, backup, and recovery. It also allows security policies to be applied across an HSM infrastructure and simplifies key transfer between modules, traditionally one of the critical problems with hardware cryptography modules (and one of the factors hindering their broader market acceptance). Because keys are stored as encrypted files external to the HSM, usable only by a module that belongs to the same Security World, storage capacity is practically unlimited and backup and restore procedures are easier to implement.
Among the other features nShield supports are elaborate access control methods: granular Access Control Lists, management via split-responsibility smart cards (where several administrators must authorize a secured operation simultaneously, essentially the equivalent of Luna CA3's key-splitting feature described earlier), and key policies that tie key usage to factors such as time limits or the presence of token cards in the reader. Multiple modules installed on the same server can operate in a load-balanced or high-availability configuration. Additional details about nShield and its integration with Windows Server 2003 PKI are available in a white paper published on nCipher's Web site.