Microsoft Hosts Open Design Review for Internet Security

REDMOND, Wash., Sept. 10, 1996 — More than 150 companies are attending a meeting today to understand and review new Internet security technologies being delivered as part of a security foundation called the Microsoft® Internet Security Framework (MISF). Designed to provide an open, technical forum for major Internet security vendors and software developers, the design review is part of Microsoft’s commitment to work with Internet industry leaders and develop open, standards-based technology that will make the Internet safe for electronic commerce and communications. Design review attendees include Citicorp, Hewlett-Packard Co., MCI International, Northern Telecom, RSA Data Security Inc., Schlumberger Ltd., Tandem, VeriFone Inc., VeriSign Inc. and Wells Fargo Bank.

At the design review, Microsoft Corp. is delivering on several MISF milestones, including these:

  • CryptoAPI 2.0, which eases the task of adding security to applications and is now in beta

  • Personal Information Exchange (PFX), which allows users to move their digital certificates and private security information from one computer to another, and is being demonstrated in alpha

  • Certificate server technology that will eliminate problems associated with using current password-based security to access Internet sites, and is being previewed at the meeting

  • Extensive sample code for other MISF technologies, showing developers how to add MISF technologies to their current and future applications

  • Upcoming plans for additional security technologies that will be included in MISF

“Businesses and consumers need to be able to conduct electronic commerce and communications securely over the Internet,” said Brad Silverberg, senior vice president of the Internet platform and tools division at Microsoft. “Microsoft is committed to working with customers and Internet industry leaders to develop a standards-based framework that will make it easier to enable secure Internet-based transactions. The interoperable approach of the Microsoft Internet Security Framework gives enterprises and developers the standards-based technology they need to provide high levels of security for their customers so they can take advantage of the huge opportunities produced by the Internet.”

“We are excited that our company can learn more about Microsoft’s Internet security technologies and influence these technologies in such an open and direct way,” said Dudley M. Nigg, executive vice president at Wells Fargo Bank. “We applaud Microsoft’s continued commitment to industry involvement with its Internet Security Framework.”

CryptoAPI 2.0

Among the major new technologies Microsoft unveiled today is CryptoAPI 2.0 (see related announcement on CryptoAPI 2.0 beta). CryptoAPI 2.0 provides the foundation for public key-based security by making it easy for developers to add strong security to existing and future software programs. Developers today face many obstacles in adding cryptographic security capabilities to their applications, including obtaining intellectual property rights and complying with export laws and other government regulations. For example, creating a secure application that routes an expense report via the Internet, obtains management authorization and eventually generates an expense check is a formidable development problem today. CryptoAPI 2.0 significantly reduces the development challenge of creating such an application by eliminating the security and authorization issues surrounding it.

Using CryptoAPI 2.0, developers for the first time can do the following:

  • Encrypt and decrypt messages, files, programs, passwords, forms, credit-card numbers or any other data either locally on a PC or transmitted over a network, including the Internet

  • Create and manage public and private keys for public key-based encryption

  • Create and manage digital certificates

  • Digitally sign a message or data so that a recipient knows the identity of its creator and can detect whether the data has been tampered with

  • Use replaceable hardware- or software-based security components

  • Support standards-based certificate formats such as X.509v3 and PKCS#7

With CryptoAPI 2.0, applications will be able to offer users enhanced security for commerce and communications. Beta code and specifications for CryptoAPI 2.0 are available today at the design review and on .

Certificate Server

The design review will also feature a preview of Microsoft’s certificate server technology, scheduled to be available in beta during the fourth quarter of 1996. The certificate server technology enables corporations to issue certificates for use on the Internet by employees and customers. Using these certificates, employees and customers can access data and servers much the same way they use membership cards and ID cards to gain access to services and resources in the physical world. Certificates are more secure, scalable and convenient than the password-based security that is widely used today for accessing corporate resources and Internet sites. The certificate server issues, manages and revokes certificates that identify people using public key technology.

Based on industry standards, Microsoft’s certificate server technology does the following:

  • Gives customers a high degree of interoperability and flexibility

  • Supports the standard certificate formats, ensuring compatibility with major browsers

  • Provides database independence and ensures scalability by allowing customers to integrate ODBC-compliant databases

  • Enables customizable certificate server policies such as issuance and revocation

Microsoft also will provide interfaces allowing developers to access the certificate server technology for custom solutions.

PFX Code Provides Secure Transfer of Personal Information

Microsoft is also demonstrating the alpha code that implements the personal information exchange (PFX) protocol. This technology allows users to securely transfer certificates and other personal security information from one platform to another. With PFX, for example, users could easily move encrypted credit-card data, certificates and keys from their home PC to their office-based computer. The PFX protocol has been submitted as a discussion draft to the World Wide Web Consortium (W3C).

Secure Channel Support Made Easier

Two secure channel protocols (SSL 2.0/3.0 and PCT 1.0) that provide completely private communication over the Internet or an intranet are supported in Microsoft Internet Explorer 3.0. At the design review, Microsoft will demonstrate two ways for developers to add these secure channel services to their applications without writing their own protocol:

  • Using WinInet, developers can easily add secure channel support to their Web sites.

  • Using a secure channel layer provider for Windows® Sockets (WinSock) 2.0, set to ship by the end of 1996, developers can implement SSL support in their WinSock applications.

Both of these methods allow developers to add secure channel support without having to pay licensing fees to third parties.

Microsoft Authenticode Technology Gains Wider Industry Support

Microsoft also announced that more than 50 independent software companies are already supporting Microsoft’s code-signing technology, Authenticode, since its availability in August 1996. Extensions to Authenticode technology to be delivered in 1997, including the ability to sign additional file types and define global trust policies within an enterprise, will also be discussed at the design review.

Using certificates such as VeriSign’s Software Publisher Digital IDs, Authenticode identifies the publisher of a piece of software and verifies that the software has not been tampered with. This verification process provides end users the information they need when deciding whether to download signed ActiveX Controls, Java™ Applets, and Win32® executables over the Internet. Available free of charge, Authenticode is supported in Microsoft Internet Explorer 3.0 and in the Windows NT® and Windows 95 operating systems, with subsequent porting to Macintosh and UNIX operating systems. Microsoft’s Authenticode technology is based on Microsoft’s widely supported code-signing proposal submitted to the W3C in April 1996.

“We use Authenticode to enable our customers to dynamically download the FutureTense Texture Viewer onto their desktop,” said B.C. Krishna, vice president of technology for FutureTense. “Authenticode is a real boon for our customers since they can be assured that the Texture software that they download from the Internet is identified and certified as authentic FutureTense software.”

PC/SC Workgroup Efforts Announced

In a related security announcement, Microsoft, along with leading personal computer and smart-card companies Bull CP8, Hewlett-Packard Co., Schlumberger Electronic Transactions and Siemens Nixdorf Informationssysteme AG, announced the creation of an international consortium called the PC/SC Workgroup. This workgroup has developed open specifications that will allow smart cards to interoperate with personal computers. The specifications will ensure that smart cards, smart-card readers, and computers made by different manufacturers will interoperate and also facilitate the development of PC-based smart-card applications (see related announcement).

About Microsoft Internet Security Framework

The Microsoft Internet Security Framework is a comprehensive set of cross-platform, interoperable security technologies for electronic commerce and online communications that support Internet security standards. MISF technologies implemented to date include Authenticode technology, CryptoAPI 1.0 and CryptoAPI 2.0 (beta), support for client authentication, support for SSL and PCT secure channel protocols, and a beta implementation of the Secure Electronic Transactions (SET) protocol for credit-card transactions. Upcoming MISF technologies include a certificate server (demonstrated at the design review), PFX 1.0 (alpha version demonstrated at the design review) and a

In addition, MISF technologies allow corporations to leverage their existing investments in network security by integrating with the robust Windows NT security model. Windows NT provides mechanisms to control access to all system and network resources, the auditing of all security-related events, sophisticated password protection and the ability to lock out intruders. Windows NT also provides a single logon for users and central management of user accounts for administrators. For more information on the Microsoft Internet Security Framework, visit .

About Microsoft

Founded in 1975, Microsoft (NASDAQ) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.

Microsoft, Windows, Authenticode, ActiveX, Win32 and Windows NT are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.

Java is a trademark of Sun Microsystems Inc.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at on Microsoft’s corporate information pages.
