Authentication is the process of verifying that the message sender is authentic (in other words, that the sender has not been impersonated by another user). MSMQ uses digital signatures to provide message authentication. MSMQ authentication also guarantees message integrity (the message has not been tampered with) and non-repudiation (because no user can sign a message with another user's identity, no user can deny having sent a message that carries his or her signature). Authentication reduces the throughput of MSMQ messages.
MSMQ authenticates messages using internal or external security certificates. A certificate is used to generate a digital signature that uniquely identifies a user who sends an authenticated message. Both the user's certificate and digital signature are attached to a message when it is sent. The digital signature is encrypted by the MSMQ service on the sending computer and decrypted by the MSMQ service on the destination computer.
Internal certificates, provided by MSMQ, authenticate the Windows NT security identifier (SID) of the sender. When an internal certificate is used, MSMQ guarantees only that the SID attached to the message is valid. Internal certificates are created by MSMQ the first time a user runs the MS Message Queue applet in Control Panel. Users must register their internal certificates in the MQIS before sending authenticated messages.
External certificates use information about a user supplied by a certificate authority (CA), rather than the sender's SID, to verify the sender's identity. The information in the external certificate is guaranteed by the certificate authority that created the certificate. External certificates are required for sending authenticated messages to operating environments other than Windows NT. If external certificates are used for sending authenticated messages to other Windows NT computers, users must register their certificates only if they also want their SID to be used in authenticating the message. Doing so provides an additional, though optional, measure of authentication.
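The sign-on-send and verify-on-receive model described above, as an added Go example that is not part of the original documentation and is not MSMQ's own code: the sender's private key signs the claimed SID together with the body, the sender's certificate (reduced here to the PKIX encoding of the public key) and the signature travel with the message, and the receiver first checks that the attached certificate is the one registered for the claimed SID (the `Registry` type stands in for the MQIS registration done by the Control Panel applet) and then verifies the signature. The `Message`, `Registry`, `NewIdentity`, `Sign` and `Verify` names, the message bodies and the SIDs are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Message models what MSMQ attaches to an authenticated message: the body, the
// sender's claimed SID, the sender's certificate (stood in for by the sender's
// public key in PKIX DER form, a constructed simplification) and the signature.
type Message struct {
	SenderSID string
	Body      []byte
	CertDER   []byte
	Signature []byte
}

// Registry stands in for the MQIS: it maps a registered SID to the certificate
// the user registered for it (stored here as the raw DER bytes).
type Registry map[string]string

// certOf returns the "certificate" of a key: its PKIX DER encoding.
func certOf(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return der
}

// NewIdentity creates a key pair for a user and registers the matching certificate
// under the user's SID, as running the MSMQ Control Panel applet does.
func NewIdentity(reg Registry, sid string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	reg[sid] = string(certOf(&priv.PublicKey))
	return priv, nil
}

// signedData binds the claimed SID to the body so that a valid signature cannot be
// reused under another body or another claimed sender. SIDs never contain NUL,
// so a NUL byte is an unambiguous separator.
func signedData(sid string, body []byte) []byte {
	return append([]byte(sid+"\x00"), body...)
}

// Sign is the sending side: sign the SID and body with the sender's private key
// and attach both the signature and the sender's certificate to the message.
func Sign(priv *rsa.PrivateKey, sid string, body []byte) (*Message, error) {
	digest := sha256.Sum256(signedData(sid, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Message{SenderSID: sid, Body: body, CertDER: certOf(&priv.PublicKey), Signature: sig}, nil
}

// Verify is the receiving side: the attached certificate must be the one registered
// for the claimed SID, and the signature must verify under that certificate's key.
// Any failure means impersonation (wrong or unregistered certificate) or tampering.
func Verify(reg Registry, m *Message) error {
	want, ok := reg[m.SenderSID]
	if !ok {
		return errors.New("no certificate registered for sender SID")
	}
	if string(m.CertDER) != want {
		return errors.New("attached certificate is not the one registered for this SID")
	}
	pubAny, err := x509.ParsePKIXPublicKey(m.CertDER)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return errors.New("attached certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(signedData(m.SenderSID, m.Body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature); err != nil {
		return errors.New("signature invalid: body or signature was altered in transit")
	}
	return nil
}

func main() {
	reg := Registry{}
	const aliceSID = "S-1-5-21-1000-2000-3000-1001" // constructed sample SID
	alice, _ := NewIdentity(reg, aliceSID)
	msg, _ := Sign(alice, aliceSID, []byte("ship order 42"))
	fmt.Println("genuine message:", Verify(reg, msg))
	msg.Body = []byte("ship order 43") // body altered after signing
	fmt.Println("tampered body:  ", Verify(reg, msg))
	mallory, _ := NewIdentity(Registry{}, "S-1-5-21-1000-2000-3000-1002")
	forged, _ := Sign(mallory, aliceSID, []byte("ship order 42")) // claims Alice's SID
	fmt.Println("forged sender:  ", Verify(reg, forged))
}
```

The three rejections map onto the three guarantees in the text: an altered body fails the signature check (integrity), a message that claims Alice's SID but carries someone else's certificate fails the registration check (authentication), and because a verified signature can only have come from the private key matching the registered certificate, the sender cannot later deny it (non-repudiation). The registration check is what an internal certificate adds: without it, any key could be presented alongside any SID.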
A common way to obtain an external certificate is to request a class 1 certificate from a certificate authority, using Microsoft Internet Explorer (IE) version 3.0 or later. Because external certificates are stored in the IE certificate store, users who rely on external certificates must have IE 3.0 or later installed on their computers.
To obtain external certificates, contact one of the following certificate vendors:
Note: Internal certificates and SIDs are stored in the MQIS. If you reinstall Windows 95 or Windows NT on an MSMQ independent client (rather than upgrade an existing installation), you must reinstall MSMQ and rerun the MSMQ Control Panel applet to remove the user's previous, obsolete internal certificate from the MQIS. You can then register the user's new internal certificate.
The encryption process necessary for generating digital signatures is not the same as the encryption of messages discussed in the next section. (Encrypted messages need not be authenticated, and authenticated messages need not be encrypted.) Both processes, however, require the use of a cryptographic service provider (CSP). A CSP is the actual code that implements cryptographic operations.
A CSP must be installed on any server, independent client, or dependent client computer that sends or receives authenticated messages. The Microsoft Base Cryptographic Provider version 1.0 is a CSP that provides full RSA support; that is, it can be used for both authentication and encryption of messages. The Microsoft Base Cryptographic Provider is included and installed with Windows NT version 4.0 and Internet Explorer version 3.0. The CSP that you use to authenticate MSMQ messages does not require full RSA support, only the ability to generate digital signatures. If you run an application that requires a CSP other than the Microsoft Base Cryptographic Provider, you must install that CSP before enforcing authentication on MSMQ queues. You must also install a CSP on computers that are not running Windows NT 4.0 or IE version 3.0.
Important: The same CSP must be installed on both the sending and the receiving computer. For example, a computer using the Microsoft Base Cryptographic Provider cannot send an authenticated message to a computer that uses a different CSP, and vice versa.
The Microsoft Base Cryptographic Provider is available to computers running Windows 95 only if Internet Explorer version 3.0 or later is installed.
For more information on internal and external certificates, and for information on implementing authentication in an MSMQ-based application, see the Microsoft Message Queue Server Software Development Kit (MSMQ SDK) documentation.