SSL to Enhance Security of Network Communication (Windows Embedded CE 6.0)

1/6/2010

For enhanced network communication security, Windows Embedded CE also supports Secure Sockets Layer (SSL) versions 2.0, 3.0, and 3.1 security protocols, which are available through WinInet or directly from WinSock. SSL version 3.1 is also known as Transport Layer Security (TLS). Applications use secure sockets to send and receive encoded data over the communication lines.

Secure socket implementation relies on authentication to determine if a remote host can be trusted. Remote hosts establish their trustworthiness by obtaining a certificate from a certification authority (CA). The CA can, in turn, have certification from a higher authority and so on, creating a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA and then determine if it is trustworthy.

Windows Embedded CE-based SSL uses trusted CAs. When a secure connection is attempted by an application, SSL extracts the root certificate from the certification chain and checks it against the CA database. It delivers the server certificate to the application through a certificate validation callback function, along with the results of the comparison against the CA database. You can modify the default SSL behavior by modifying the registry keys. The base registry key is HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL.

Applications bear the ultimate responsibility for verifying that a certificate is acceptable. Applications can accept or reject any certificate. If a certificate is rejected, the connection is not completed. At a minimum, a certificate should meet the following requirements:

  • The certificate must be current.
  • The identity in the certificate must match the destination identity.
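The two minimum requirements above, as a portable C sketch of the accept/reject decision an application makes in its validation callback. This is an added example, not Microsoft's code or a Windows Embedded CE API: cert_view, check_certificate and the result codes are hypothetical names, the sample values are constructed, and rejecting a chain whose root is not in the CA database is an assumed policy. It goes slightly beyond the text by handling a single-label wildcard name.

```c
#include <ctype.h>
#include <string.h>
#include <time.h>

/* Hypothetical view of the fields an application decodes from the server
   certificate delivered to its validation callback (not a Windows CE type). */
typedef struct {
    const char *dns_name;          /* identity in the certificate, may be "*.example.com" */
    time_t not_before, not_after;  /* validity period */
    int root_in_ca_db;             /* result of the SSL layer's CA database comparison */
} cert_view;

enum { CERT_OK = 0, CERT_UNTRUSTED_ROOT, CERT_NOT_CURRENT, CERT_NAME_MISMATCH };

/* Case-insensitive equality; DNS names are not case-sensitive. */
static int dns_equal(const char *a, const char *b) {
    while (*a && *b)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    return *a == *b;  /* true only if both strings ended together */
}

/* A leading "*." covers exactly one non-empty label; "*.com" is refused. */
static int name_matches(const char *cert_name, const char *host) {
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;
        if (strchr(cert_name + 2, '.') == NULL) return 0;
        return dns_equal(cert_name + 1, dot);
    }
    return dns_equal(cert_name, host);
}

/* Any result other than CERT_OK means: reject, do not complete the connection. */
int check_certificate(const cert_view *c, const char *host, time_t now) {
    if (c == NULL || host == NULL || c->dns_name == NULL) return CERT_NAME_MISMATCH;
    if (!c->root_in_ca_db) return CERT_UNTRUSTED_ROOT;  /* assumed policy */
    if (now < c->not_before || now > c->not_after) return CERT_NOT_CURRENT;
    if (!name_matches(c->dns_name, host)) return CERT_NAME_MISMATCH;
    return CERT_OK;
}

/* Constructed sample certificates (times are arbitrary seconds values). */
static const cert_view SAMPLE = {"*.example.com", 1000, 2000, 1};
static const cert_view SAMPLE_UNKNOWN_ROOT = {"www.example.com", 1000, 2000, 0};

int main(void) {
    return check_certificate(&SAMPLE, "www.example.com", 1500) != CERT_OK ||
           check_certificate(&SAMPLE_UNKNOWN_ROOT, "www.example.com", 1500) != CERT_UNTRUSTED_ROOT;
}
```

The host argument must be the name the application asked to connect to, not a name taken from the peer.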

A list of root certificate authorities is included in the Schannel CA database. These root certificates expire and may need to be updated periodically. Adding certificates to the CryptoAPI store can also update the database.

The following root certificate authorities are included in the Windows Embedded CE root certificate store:

  • VeriSign/RSA Secure Server
  • VeriSign Class 1 Public Primary CA
  • VeriSign Class 2 Public Primary CA
  • VeriSign Class 3 Public Primary CA
  • GTE Cybertrust ROOT
  • Thawte Premium Server CA
  • Thawte Server CA
  • Entrust.net Secure Server CA
  • Entrust.net Premium Secure Server CA, also known as Entrust.net CA (2048)

See Also

Other Resources

Enhancing the Security of a Device
SSL Support