John Morello: Designing Software Security Infrastructures for Large Systems
- Posted: May 15, 2007 at 1:22 PM
- 11,421 Views
- 8 Comments
It touched on some questions I was wondering about in terms of multi-core and cryptography.
The main problem here is that many of the crypto algorithms depend on the impracticality of factoring prime numbers in a meaningful time frame.
With the advent of multi-core architecture, this problem has become more manageable from a cracking point of view. Hence this represents a concern to many business owners, because they cannot sleep thinking their data/business/customers' private info is secure, because the computing power is certainly here.
The only solution is to develop newer cryptographic and steganographic algorithms that do not depend on computing power at all. Rather, they should depend on mathematical unknowns, like the 3-unknown algorithms, etc.
I believe there is a need for the development of the One Time Pad over PKIs, so it can be used securely in business platforms, because only the one-time pad algorithm (Vernam's algorithm) does not depend on processing power as a factor in the security of the algorithm.
One of the problems that many devs face is that you have to trust a 3rd party in the public key exchange scenario, and I managed to develop a secure way to exchange public keys without the need for a 3rd party to be trusted. And I am working on optimizing this.
As a developer I feel that there should be more algorithms that depend on mathematical solvability problems rather than computing power impracticality as a function of time, because as time goes on we will get more powerful processors, and we are at a stage where we cannot afford to keep the algorithms that were developed in the 60s and 70s time frame.
On the whole, it was a very good Channel9 video. Many thanks to Charles and many thanks to Channel9.
PS: It would be good if we get more crypto videos and in general more security videos, because this topic is fascinating. I call cryptography and steganography the 7th wonder of the computing world.
More like this Charles.
PS: Are all you guys and gals sent to a speed talking course?
The result is a "fire hose" presentation style.
Ever try to drink some water out of a fire hose? I do not recommend it if you want to save your face.
Unless the subject being presented is one you are an expert on, the speaker quickly loses a majority of the audience.
I have heard a number of Microsoft speakers at various events use this speaking style--trying to cover a lot of material by talking very fast.
Suggestion: cover less material in more detail and talk at a moderate pace.
Your speaker evaluations will improve immensely, and so will your performance evaluations and maybe even your salary.
Enjoyed the video, although it is not my area of expertise.
Thanks again--great video!
PPS: Listened to the video a second time. The real problem is too much jargon, acronyms and abbreviations.
Clarity of Communication
http://www.ecademy.com/node.php?id=84236
Don Box nailed it:
Don Box - What goes into a great technical presentation?
http://channel9.msdn.com/ShowPost.aspx?PostID=31792
Charles or Rory, when are you going to have Don and Chris on Channel 9 again?
Idea: Suggest to all interviewees they watch the above Don Box video before coming on Channel 9.
I've been asking this question a lot of times but never got an answer:
In Belgium every citizen gets an e-id smart card with 2 certificates on it: one for signatures (like signing documents and emails) and one for authentication (like SSL).
Could it be possible to configure Active Directory to authenticate users using their e-id card and pincode?
Nice video. I have a question. I've rolled out a PKI in our network. I want to implement smartcard authentication, but the problem we encounter is that Exchange web access authentication is not possible if you set the user profile to use a smartcard to authenticate. How can I give the employees access to web access in Exchange 2007? I'm currently using FBA for web access.
And another question: I thought that it was possible to extend your internal PKI to the outside for using signed/encrypted email. I need to give the URL of the Root CA in the certificate that is running inside my network. That way it must be possible to authenticate the certificate against my CA from outside. Is this correct?
Guidelines for enabling smart card logon with third-party certification authorities
http://support.microsoft.com/kb/281245/en-us
Description of the new feature in Exchange Server 2003 that supports Smart Card authentication to Outlook Web Access
http://support.microsoft.com/kb/920209/en-us
For #2... If you want external users to be able to interoperate with certificates you issue, they'll need to trust your root CA and be able to perform validity checks against certificates that chain up through it. Trust can be established in a variety of ways. For single users, you could simply post the certificate to a web site and provide users with instructions on how to install it. For business-to-business scenarios, you can work with an administrator at the other organization and they can publish your root certificate to their Active Directory, making it trusted by all the users in the directory.
I thought that the client certificate would be verified against the root certificate via the Root CA publish points without having the Root CA certificate installed on the recipient's machine. So you mean that my root certificate must be installed on the recipient's PC to verify the client certificate, and it's not possible to point within the client certificate to the Root CA hosted on my company web server?
The reason it's important that the recipients of signed mail trust the CA hierarchy of the sender is that, without that trust in place, Outlook will flag the signature as being from an untrusted CA. While cryptographically the signature is the same, the end user experience is poor if you have a self-signed root not trusted by the receiver of the message.
If you're just sending mail to some other IT people this may not be a problem, as you could easily provide instructions about how they can trust your root. However, if you're providing this as a service for your end users and you can't predict in advance who they'll be sending mail to, I'd recommend using implicitly trusted certificates. This will provide a much better end user experience and fewer support calls. You can purchase implicitly trusted S/MIME certificates from organizations like Verisign and Cybertrust on an ad-hoc basis. Alternatively, you can contract with those organizations to run your own CA in your own datacenter that's subordinated to their root. This allows you to issue certificates from your own CA that are globally trusted. See the following TechNet article for details:
http://www.microsoft.com/technet/technetmag/issues/2006/12/SecurityWatch/
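The distinction drawn in the two replies above (a signature that verifies cryptographically versus a chain the recipient actually trusts), as an added Go example that is not part of this thread: the private root CA, the leaf certificate and the message are all constructed here, and an empty certificate pool stands in for a recipient who never installed the sender's root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a cert for cn signed by parent; a nil parent gives a self-signed private root (constructed).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignatureValid checks only the raw signature over msg; it passes whether or not the recipient trusts the issuing CA.
func SignatureValid(cert *x509.Certificate, key ed25519.PrivateKey, msg []byte) bool {
	return ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), msg, ed25519.Sign(key, msg))
}

// ChainTrusted is the recipient-side step: build a path from leaf to a root in the recipient's own store.
// A non-nil empty pool models "the sender's root was never installed" (nil would fall back to system roots).
func ChainTrusted(leaf *x509.Certificate, trustedRoots ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}

// Demo returns (signature valid, trusted without the root installed, trusted with the root installed).
func Demo() (bool, bool, bool) {
	root, rootKey := makeCert("Constructed Private Root CA", true, nil, nil)
	leaf, leafKey := makeCert("alice@example.test", false, root, rootKey)
	msg := []byte("constructed signed message body")
	return SignatureValid(leaf, leafKey, msg), ChainTrusted(leaf), ChainTrusted(leaf, root)
}
```

The middle result is the Outlook "untrusted CA" case: the signature itself is fine, but path building to a trusted root fails until the root is installed or the leaf chains to an implicitly trusted hierarchy.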