Microsoft Internet Security Framework: Answers to Frequently Asked Questions

June 7, 1996

Microsoft Corporation

Microsoft Internet Security Framework

What is the Microsoft Internet Security Framework?
How will the technologies in the Microsoft Internet Security Framework be delivered?
How does public key-based security fit with my current investment in authentication technology?
Do I have to learn cryptography to use the Microsoft Internet Security Framework?
How does the Microsoft Internet Security Framework support Internet security standards?

CryptoAPI

What is CryptoAPI?
How does CryptoAPI make it easy for me to include cryptographic functionality in my applications?
What is a Cryptographic Service Provider (CSP)?
How do I get CryptoAPI and include it in my products?
Which operating systems support CryptoAPI?
Is Microsoft providing its own cryptography through CryptoAPI?
How do I incorporate certificates into my application?
What certificate formats will CryptoAPI 2.0 support?
Will the CryptoAPI certificate extensions support third party certificate servers?
What is Microsoft's position on export controls?
Is CryptoAPI exportable?
Is the CSP Developer's Kit exportable?
Is the CryptoAPI Application Programmer's Guide and sample code exportable?

Client Authentication

What is client authentication?

Certificate Server

What is a certificate server?
Why would an organization need a certificate server?
How can my applications take advantage of Microsoft's certificate server technology?
Will UNIX and Macintosh clients be able to access services from the Microsoft certificate server? If so, when?
When can we expect to see the beta for the certificate server?

Wallet

What is the Microsoft Wallet?
When will it be available?
How can my applications use this wallet technology?

Code Signing

What is signed code?
Is signed code really secure?
Is signed code a cross-platform solution?
What exactly is my liability when I sign code?
Where do I get the tools for this effort?
How do I get my public and private keys?
How do I get a certificate?
How much does certification cost?
How long does it take to sign code?
How long does it take to get a certificate?
When can I get a certificate?
When can I start testing signed code?

Secure Payment & SET

What is Secure Electronic Transactions? Why do I need it?
Will Microsoft's payment software follow the SET standard?
Does this solution also include STT technology?
Will Microsoft be getting any transaction fees as part of its licensing agreements with Visa, American Express or any other companies?
What exactly does the SET spec do?
How does the June 1996 SET specification differ from the original version published in late February 1996?
Is the June 1996 SET specification the final SET release?
Will there be a reference implementation of the SET specification and will there be a cost associated with it?
Have any software companies agreed to follow SET?
How about other credit card companies such as American Express and Discover being able to use this system for secure transactions?
Will any association or vendor involved in SET charge licensing or per-transaction fees for its use?
What about other Internet payment services?
When will consumers and merchants be able to obtain the benefits of SET?
Will SET software be able to gain export and import approval?

PCT

What is PCT 1.0? How is it different from SSL 2.0?
When will it appear in Microsoft products? In 3rd party products?

TLS

What is TLS?
What is the TLS document that Microsoft has published?

Microsoft Internet Security Framework

What is the Microsoft® Internet Security Framework?

The Microsoft Internet Security Framework is a comprehensive set of cross-platform, interoperable security technologies for electronic commerce and online communications that supports Internet security standards.

New security technologies announced include certificate services for management and authentication, a certificate server, support for client authentication, and a wallet. Previously announced technologies are CryptoAPI 1.0, code signing, an implementation of the SET protocol, secure transfer of personal security information and support for secure sockets layer (SSL) and Private Communication Technology (PCT) protocols.

How will the technologies in the Microsoft Internet Security Framework be delivered?

Microsoft plans to deliver Internet Security Framework client technologies through Microsoft® Internet Explorer, and then through the next updates of Windows® and Windows NT® Workstation. Microsoft plans to deliver Internet Security Framework server technologies through Internet Information Server quarterly service packs, and then through the next update of Windows NT Server.

Additionally, development kits for Internet Security Framework technologies will be included in the Win32® SDK, the ActiveX™ SDK, and upcoming releases of Microsoft development tools (Visual Basic®, Visual C++®, and Java, code-named "Jakarta").

How does public-key-based security fit with my current investment in authentication technology?

The Microsoft Internet Security Framework was designed to specifically address one of the greatest areas of concern we have heard from customers--leveraging their significant investment in existing security models. The Internet Security Framework technologies in conjunction with the Windows NT security model will allow customers to integrate public key, certificate-based security with their current authentication models such as NTLM and NetWare® authentication. Organizations can use the same Windows NT tools today for administration, setting of permissions, and development. With the Internet Security Framework, customers get the best of both security worlds.

Do I have to learn cryptography to use the Microsoft Internet Security Framework?

No. The Internet Security Framework was designed to abstract the details of cryptography away from developers and Webmasters. CryptoAPI 1.0 provides one set of APIs to access base-level cryptographic functions. The Cryptographic Service Provider interface provided by CryptoAPI makes accessing cryptography even easier by allowing developers to change the strength and type of their cryptography without modifying application code. Additionally, with CryptoAPI 2.0, developers and Webmasters will be able to make a single call to accomplish cryptographic tasks, such as signing a file using a certificate.

How does the Microsoft Internet Security Framework support Internet security standards?

Microsoft is committed to supporting Internet security standards. The Internet Security Framework supports standards such as X.509 and PKCS#7 certificate formats. In addition, Microsoft actively participates in the Internet Engineering Task Force (IETF), World Wide Web Consortium (W3C), and other groups to develop Internet security standards. Recent Microsoft security initiatives include the code signing proposal submitted to the W3C and the Transport Layer Security (TLS) efforts through the IETF, aimed at creating a single secure channel standard.

CryptoAPI

What is CryptoAPI?

CryptoAPI 1.0 provides services that enable application developers to easily add cryptography to their applications. CryptoAPI 1.0 consists of a set of functions that allow applications to use several algorithms to encrypt and decrypt data and to digitally sign data in a flexible manner, while providing protection for the user's sensitive private-key data.

Microsoft will provide an extensive set of certificate services as part of CryptoAPI (CryptoAPI 2.0) to enable applications to obtain, store, view, parse, and validate certificates for authentication and other purposes. CryptoAPI 2.0 is scheduled to be available in beta during Q3 '96. This will allow developers to integrate identity and authentication into their applications, thereby securing private communications and data transfers over intranets and the Internet.

How does CryptoAPI make it easy for me to include cryptographic functionality in my applications?

CryptoAPI provides system-level access to common cryptographic functions, including key generation, key exchange and management, data encryption and decryption, hashing, and digital signatures. This means that applications don't need their own cryptographic code and developers don't need to deal with the details of cryptographic functions.

CryptoAPI also allows for renewable, replaceable security. It isolates the application from the CSP modules, allowing use of different CSPs as required. For example, as cryptographic requirements increase, different CSPs can be used without changing the application. CryptoAPI allows vendors to develop and efficiently deliver strong encryption to customers to the maximum extent allowed by existing law.

What is a Cryptographic Service Provider (CSP)?

A CSP is a module that interfaces with CryptoAPI and performs cryptographic functions such as digital signatures or encryption. CSPs are replaceable, allowing the use of different CSPs as required without code modification. Microsoft plans to ship a default CSP, the Microsoft RSA Base Provider, with the operating systems.

How do I get CryptoAPI and include it in my products?

CryptoAPI 1.0 will be delivered as part of Windows NT 4.0, Microsoft Internet Explorer 3.0 and the Windows 95 OEM Service Release.

Which operating systems support CryptoAPI?

  1. CryptoAPI 1.0 will be supported in Windows NT 4.0. CryptoAPI 1.0 has appeared in the Windows NT 4.0 beta; header files will be available in the accompanying Win32 SDK. See the MSDN Web page for information on how to subscribe to the beta.
  2. CryptoAPI 1.0 will be supported in Windows 95 through the release of Microsoft Internet Explorer 3.0. CryptoAPI 1.0 will then be shipped as part of an upcoming update to Windows.
  3. CryptoAPI 2.0 will be made available during 1996 through Windows as well; the beta is scheduled to be available in Q3 '96.
  4. Microsoft will work with third parties to migrate CryptoAPI to the Macintosh® and UNIX® operating systems. Cross-platform availability of CryptoAPI will be announced at a later date.

Is Microsoft providing its own cryptography through CryptoAPI?

No. CryptoAPI is not a cryptographic engine created by Microsoft. Rather, it is a set of APIs providing developers access to an extensible set of third party cryptographic services. Microsoft is delivering a default CSP, the Microsoft RSA Base Provider, to ensure that all applications have access to cryptography.

How do I incorporate certificates into my application?

Any application written to CryptoAPI 2.0 will be able to use certificates and certificate-related services. The beta version of CryptoAPI 2.0 will be available in Q3 '96.

What certificate formats will CryptoAPI 2.0 support?

CryptoAPI 2.0 will support existing PKCS and X.509 certificate standards. In addition, using the CryptoAPI 2.0 certificate service provider interface, the Microsoft Internet Security Framework can be extended to use new certificate formats to meet an organization's business needs.

Will the CryptoAPI certificate extensions support third-party certificate servers?

CryptoAPI 2.0 will support existing PKCS and X.509 certificate standards. These extensions will interoperate with any certificate server that supports these certificate standards.

What is Microsoft's position on export controls?

We believe that key lengths must be lengthened substantially to provide our worldwide customers strong security and privacy. We are working actively with other companies in our industry to encourage the U.S. government to relax its restrictions on export controls.

Is CryptoAPI exportable?

Yes. The CryptoAPI interface in Windows NT can be exported without restriction to all destinations except countries and entities under U.S. embargo or restriction.

Is the CSP Developer's Kit exportable?

The CSP Developer's Kit (CSPDK) requires a State Department license to be exported from the U.S. or Canada, which will be issued to Microsoft only on a case-by-case basis.

Is the CryptoAPI Application Programmer's Guide and sample code exportable?

Yes. The CryptoAPI 1.0 Application Programmer's Guide is available from MSDN and the CryptoAPI home page.

Client Authentication

What is client authentication?

Client authentication allows users to identify themselves to Web servers so that they can communicate securely or gain special access to a particular area of a Web site. Users request and receive digital certificates from a Certificate Authority (CA). The user's browser presents the certificate to a Web server, which then verifies the identity of the user. This provides a straightforward means of identification and access control, as compared to current methods, which rely on the use of user ids and passwords.

Certificate Server

What is a certificate server?

A certificate server issues, revokes, and renews digital certificates that identify users for subsequent authentication using public key technology. The certificate server will also support installation and configuration of different certificate issuance policies and multiple certificate signature algorithms.

Why would an organization need a certificate server?

A certificate server enables an organization to manage certificates according to its own issuance and revocation policies. By providing and managing the use of public-key certificates, organizations can protect sensitive data and communications. After authenticating a user's identity, a secure application or server then provides the proper level of access to those individuals who have previously been granted privileges when their certificates were issued.

How can my applications take advantage of Microsoft's certificate server technology?

Any application written to CryptoAPI 2.0 will be able to use certificates and interoperate with the Microsoft certificate server. The beta version of CryptoAPI 2.0 is scheduled to be available in Q3 '96.

Will UNIX and Macintosh clients be able to access services from the Microsoft certificate server? If so, when?

Yes. Microsoft will work with third parties to migrate CryptoAPI 2.0 to the Macintosh and UNIX platforms, enabling cross-platform interoperability with the Microsoft certificate server. Microsoft will announce the availability of CryptoAPI for the Macintosh and UNIX platforms at a later date.

When can we expect to see the beta for the certificate server?

The certificate server is scheduled to be available in beta in Q4 '96.

Wallet

What is the Microsoft Wallet?

The Microsoft Wallet will provide secure storage of private information including certificates, keys, passwords, credit-card numbers, and even information like social security numbers. In addition, the Wallet will allow user management of this private information. This information will be available to applications through a set of published APIs; availability will be based on an access control policy. Some information, such as keys and passwords, is never made available to applications directly, but applications are allowed to use it. Moreover, this secure wallet should be available to users through any number of applications in addition to their browser. For example, users should be able to get at their credit-card information from within a shopping application.

Using Microsoft Internet Explorer 3.0, users will be able to enroll and obtain certificates from CAs and store them in the certificate store or the wallet. For future versions of Microsoft Internet Explorer, Microsoft will enhance this wallet to allow a wider variety of private information, as mentioned above, to be securely stored and managed.

When will it be available?

The wallet is planned to be available in beta in Q3 '96. The wallet will initially ship in a release of Microsoft Internet Explorer in 1996 (all platforms) and will eventually be integrated into the Windows operating system.

How can my applications use this wallet technology?

Applications written to CryptoAPI 2.0 will be able to take advantage of storage and management services provided by the Wallet. The Personal Information Exchange (PFX) protocol allows applications to transfer certificates and other personal information from one computer to another computer, floppy disk, or smart card. This protocol will help applications improve portability of personal information and recover when disk contents are lost. Microsoft has just submitted this protocol to the W3C for review, and the specification is currently available for download from http://www.microsoft.com/intdev/security/pfx012.htm.

Code Signing

What is signed code?

Code signing provides accountability similar to that of shrink-wrap around a software box, for code downloaded from the Internet. Unlike retail software, software distributed on the Internet today is largely anonymous. Users cannot know for certain who published the software and whether it was tampered with after it left the software provider. Support for code signing through Microsoft Internet Explorer 3.0 enables users to identify who published the software before it is downloaded and verify that no one tampered with it.

Is signed code really secure?

The signed code does not guarantee the correctness of code; this technology is designed to assure users that the code they have downloaded has not been tampered with since it was published. However, the security methods used to support this proposal rely on tried and proven technology. The specifications on which the technology is based have been used successfully in the industry for some time. These include PKCS #7 (encrypted key specification), PKCS #10 (certificate request formats), X.509 (certificate specification), and SHA and MD5 hash algorithms.

Is signed code a cross-platform solution?

Yes. The specifications were designed to be portable to other platforms, and the technology is not specific to Win32 or other Microsoft executables. Microsoft will focus on making this solution available on Windows 95 and Windows NT first. Microsoft is also encouraging and working with partners to help ensure that the technology will be implemented on UNIX, the Macintosh, and Windows 3.1.

What exactly is my liability when I sign code?

The act of signing code does not imply liability--it only provides identification of the author and assurance that the code has not been tampered with since it left the author's hands. However, federal law does prohibit the intentional distribution of malicious code.

Where do I get the tools for this effort?

Microsoft already has some simple tools in the ActiveX Software Development Kit (SDK), available in preliminary form for downloading on this site. Developers can find these tools in the \bin directory after installing the ActiveX SDK.

In addition, developers can use Microsoft Internet Explorer version 3.0 to test downloading signed code. All Microsoft development tools will soon support the ability to sign code. Microsoft is also working with other tools vendors to ensure that they get all of the specifications and assistance they need to implement code signatures.

How do I get my public and private keys?

ISVs can use the software in the ActiveX SDK to generate private and public keys when requesting a certificate from the CA. Both keys are generated by the ISV--no one, not even the CA, will see the private key. The CA only validates and distributes the public key (in a certificate) that has been generated in the request.
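
The key handling described here and the tamper check described under "Is signed code really secure?" can be tried with the following added example, which is not part of the original FAQ and is not Microsoft's tooling. It assumes the openssl command-line tool as a stand-in for the ActiveX SDK tools, and uses SHA-256 with a detached signature rather than the PKCS #7 format named above; the subject name and file names are constructed.

```shell
#!/bin/sh
# Added illustration (constructed): openssl stands in for the ActiveX SDK tools.

# Generate the key pair locally and write a PKCS #10 request into directory $1.
make_request() {
    dir=$1
    # The private key is written here and is never part of what the CA receives.
    openssl genrsa -out "$dir/publisher.key" 2048 2>/dev/null || return 1
    # The request is the only file sent to the CA. The subject is a constructed name.
    openssl req -new -key "$dir/publisher.key" \
        -subj "/O=Example Publisher/CN=publisher.example" \
        -out "$dir/publisher.csr" 2>/dev/null
}

# Succeed only if the request in $1 is self-signed by the local private key
# and carries exactly the public half of that key.
request_matches_key() {
    dir=$1
    openssl req -in "$dir/publisher.csr" -noout -verify 2>&1 \
        | grep -q "verify OK" || return 1
    from_csr=$(openssl req -in "$dir/publisher.csr" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$dir/publisher.key" -pubout) || return 1
    [ "$from_csr" = "$from_key" ]
}

# Sign file $2 with private key $1, writing a detached signature to $3.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Print "intact" if signature $3 over file $2 verifies under public key $1,
# otherwise "modified-or-wrong-key". An "intact" result says nothing about
# whether the code itself is correct.
check_download() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
    then echo "intact"
    else echo "modified-or-wrong-key"
    fi
}

demo() {
    work=$(mktemp -d) || return 1
    if ! make_request "$work" || ! request_matches_key "$work"; then
        rm -rf "$work"
        return 1
    fi
    # Public key as the CA would see it, taken from the request alone.
    openssl req -in "$work/publisher.csr" -noout -pubkey > "$work/publisher.pub"
    printf 'constructed sample control, build 1\n' > "$work/control.bin"
    sign_file "$work/publisher.key" "$work/control.bin" "$work/control.sig"
    echo "as published:    $(check_download "$work/publisher.pub" \
        "$work/control.bin" "$work/control.sig")"
    # One byte appended after signing.
    printf 'X' >> "$work/control.bin"
    echo "after tampering: $(check_download "$work/publisher.pub" \
        "$work/control.bin" "$work/control.sig")"
    rm -rf "$work"
}

demo
```

In a real deployment the verifier takes the public key from the certificate the CA issued, not from the request file.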

How do I get a certificate?

ISVs obtain their certificate from a third party called a certificate authority (CA), such as VeriSign, Inc. or GTE. Both of these companies have announced their participation in this effort. CAs ensure that an ISV follows a set of policies, for which the CA provides a set of credentials to the ISV. The set of credentials is a file consisting of certificates: one for the ISV, one for the CA, and (in the case of a sub-CA that offers partial services for a root CA) a certificate for each root CA.

How much does certification cost?

Hardware for the commercial certificate can cost anywhere from $150 (for a PCMCIA card) to $12,000 (for a BBN SafeKeyper device). According to VeriSign, Inc., their service will cost about $400 for an initial commercial publisher's digital ID, and about $300/year for renewal. Digital IDs for individual publishers will cost about $20.

How long does it take to sign code?

Code signing is a very quick process, and needs to be done only once for code, just before distribution. ISVs can step through the code-signing process easily within a few minutes.

How long does it take to get a certificate?

A commercial policy takes about two weeks, because of the paperwork that needs to be exchanged. The individual policy certificate can be obtained online, and should take about an hour.

When can I get a certificate?

ISVs can expect to be able to get certificates with the release of Microsoft Internet Explorer 3.0.

When can I start testing signed code?

The beta version of Microsoft Internet Explorer version 3.0 supports downloading signed code.

Secure Payment & SET

What is Secure Electronic Transactions? Why do I need it?

The SET protocol was developed by Visa and MasterCard, with contributions from Microsoft, Netscape, GTE, IBM, and others. SET is designed to handle secure payment with bank cards over the Internet.

The specification, found on the Visa and MasterCard Web sites, is available to be applied to any bankcard payment service and may be used by software vendors for application development.

Will Microsoft's payment software follow the SET standard?

Yes.

Does this solution also include Secure Transaction Technology?

Yes. Most of the strong encryption technologies originally developed for Secure Transaction Technology (STT) have been incorporated into the SET protocol.

Will Microsoft be getting any transaction fees as part of its licensing agreements with Visa, American Express or any other companies?

No.

What exactly does the SET spec do?

Each card brand and institution has its own distinct system of handling payments, which requires a unique implementation. What each implementation of SET will have in common is a standard way of securing a payment transaction over the Internet--the SET protocol.

How does the June 1996 SET specification differ from the original version published in late February 1996?

The June version of SET includes changes made as a result of the 30-day initial comment period, during which we received input from over 900 entities. In addition, the June version has been divided into three books rather than the two books from February. The June version includes the Business Description, the Protocol Description, and the Programmer's Guide.

Is the June 1996 SET specification the final SET release?

No, the June SET release will be used for initial trials later this year. Any problems uncovered during the trials will be fixed and an updated specification will be produced by year-end of 1996. The next version of the SET specification will be used for general availability. Microsoft believes that it will likely require changes in the future to meet market demands.

Will there be a reference implementation of the SET specification and will there be a cost associated with it?

Visa and MasterCard will provide free reference code later in 1996.

Have any software companies agreed to follow SET?

Yes, a number of companies including IBM, Microsoft, Netscape, GTE, Terisa Systems, VeriSign, and SAIC have endorsed SET. Since the specification is license-free, interoperable and open to all participants, Microsoft believes that many, if not all, software companies will adopt SET for electronic commerce transactions.

How about other credit-card companies, such as American Express and Discover, being able to use this system for secure transactions?

Absolutely--it is open and available to all payment systems that wish to use it. American Express has already agreed to adopt SET.

Will any association or vendor involved in SET charge licensing or per-transaction fees for its use?

SET does not have a licensing fee inherent in it. Companies that follow the SET specification will not pay licensing fees for using it or for referencing the implementation toolkit. Microsoft doesn't know whether some users of SET--such as banks, malls or online networks--will charge consumers or merchants for use of their software or systems. That is a decision left to each individual company.

What about other Internet payment services?

Microsoft believes that all major software and payment service vendors will implement SET into their products.

The major advantage of SET over existing systems is the addition of digital certificates that associate the card holder and merchant with a financial institution and the Visa or MasterCard payment system. The certificates prevent a level of fraud that today's systems do not address, and will also provide card holders and merchants with a higher level of confidence in the transaction processing.

When will consumers and merchants be able to obtain the benefits of SET?

Microsoft anticipates that consumers and merchants will begin using SET-compliant software by early 1997. It will take time for software to become generally available and time for financial institutions to develop the infrastructure to support new technology.

Will SET software be able to gain export and import approval?

SET was designed with requirements for export and import approval in mind. Visa and MasterCard are meeting with government representatives to discuss any concerns they may have regarding SET's use of cryptography. The goal is to have all SET-compliant software be able to easily obtain export and import approval.

PCT

What is PCT 1.0? How is it different from SSL 2.0?

Private Communication Technology (PCT) is a security protocol that provides privacy over the Internet and is intended to prevent eavesdropping on connection-based communications in client/server applications. Using PCT, the client or server is always authenticated, and each has the option of requiring authentication of the other.

PCT 1.0 is similar to secure sockets layer (SSL) 2.0, but enhances SSL in the areas of authentication and protocol efficiency. By separating authentication from encryption, PCT allows applications to use authentication that is stronger than the 40-bit key limit for encryption allowed by the U.S. government for export. Microsoft's implementation of PCT is backward-compatible with SSL.

When will it appear in Microsoft products? In third-party products?

PCT will appear in Microsoft Internet Explorer 3.0 and Internet Information Server (IIS) 2.0. Open Market and Spyglass as well as a variety of other third parties have announced that they will incorporate PCT into their products.

TLS

What is TLS?

TLS is the IETF working group name for the industry-wide Transport Layer Security that uses the existing protocols (SSL, PCT, and Secure Shell Remote Login [SSH]) as a base.

What is the TLS document that Microsoft has published?

To help move the IETF process as quickly as possible, Microsoft has written a discussion draft. The discussion draft is not a spec suitable for implementation but is a starting point for a converged specification. This draft combines the best features of SSL 3.0 and PCT 2.0. Using SSL 3.0 as a base, it adds features from Microsoft's PCT 2.0 based on feedback from cryptographers and implementers. It is intended to provide a simpler and more robust protocol, additional scalability, improved security, and the additional functionality needed for wider application of the specification.

© 1996 Microsoft Corporation