Updated: July 11, 2020 (November 12, 2001)
Charts & Illustrations: Cryptographic Operations
Windows 2000 performs three primary cryptographic operations.
Symmetric Encryption (top). Any data (referred to as plaintext or cleartext) can be encrypted using a secret symmetric key shared with the recipient through a prior key exchange. The sender sends the encrypted data to the recipient, who in turn uses the same secret key to decrypt the data back to its original form. The symmetric key is used to encrypt data communications or to bulk-encrypt a file or message. Windows 2000 supports the Data Encryption Standard (DES) and RC4 algorithms for symmetric encryption.
Key Exchange (middle). The sender can use public key technologies to securely exchange a symmetric key with a recipient (to be used in data encryption/decryption operations as described above). The sender obtains the recipient's certificate from Active Directory (AD), extracts the encryption public key, uses it to encrypt a randomly generated symmetric session key, and sends the encrypted session key to the recipient. The recipient then uses his encryption private key to decrypt the session key. Rivest-Shamir-Adleman (RSA) and Diffie-Hellman (DH) algorithms are supported for key exchange.
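The two operations above, combined in one exchange, as an added example that is not code from the original page or from Windows 2000. It uses Ruby's OpenSSL bindings with RSA-OAEP and AES-256-GCM in place of the CryptoAPI and the DES/RC4 algorithms the page names; the function names `seal` and `open_envelope` are hypothetical, and a key pair generated inline stands in for the recipient's certificate from AD.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender side: generate a random session key, bulk-encrypt the message with
# it, then encrypt (wrap) the session key under the recipient's public key.
def seal(recipient_pub, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key # fresh 256-bit key, used for this message only
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    wrapped_key: recipient_pub.public_encrypt(session_key, OAEP),
    iv: iv,
    tag: cipher.auth_tag, # GCM authentication tag, checked on decryption
    ciphertext: ciphertext
  }
end

# Recipient side: unwrap the session key with the private key, then decrypt.
# Raises OpenSSL::Cipher::CipherError if the ciphertext or tag was modified.
def open_envelope(recipient_priv, env)
  session_key = recipient_priv.private_decrypt(env[:wrapped_key], OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = session_key
  decipher.iv = env[:iv]
  decipher.auth_tag = env[:tag]
  decipher.update(env[:ciphertext]) + decipher.final
end

# Demo with a constructed key pair and a constructed message.
def demo
  recipient = OpenSSL::PKey::RSA.new(2048) # stands in for the AD certificate
  env = seal(recipient.public_key, 'constructed sample message')
  open_envelope(recipient, env)
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Only the wrapped key, IV, tag and ciphertext cross the wire; the session key itself never leaves the sender in the clear.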