Microsoft Announces Internet Security Framework
Provides Foundation for Secure Electronic Commerce and
Online Communications
REDMOND, Wash. - June 3, 1996 - Microsoft Corp.
today announced the Microsoft® Internet Security Framework,
a comprehensive set of security technologies for electronic commerce
and online communications that supports Internet security standards.
The Internet Security Framework provides developers, content providers
and network operators with an open, interoperable and cross-platform
set of technologies to help customers exchange information securely,
control access to their systems, and conduct secure financial
transactions across public networks. The framework will be available
on the Windows®, Macintosh® and UNIX® operating systems;
in addition, the security framework will integrate with existing
Windows-based security systems.
New Technologies Announced
Microsoft announced several new security technologies, including
certificate services for management and authentication, a certificate
server, support for client authentication, and a "wallet."
The Internet Security Framework includes support for single logon
for the Internet and also includes support for distributed authentication
methods based on passwords. Previously announced security services
incorporated in this framework include comprehensive cryptography
services, code signing, an implementation of the Secure Electronic
Transactions (SET) protocol for credit-card transactions, secure
transfer of personal security information, and support for secure
sockets layer (SSL) and private communications technology (PCT)
protocols.
"Microsoft is committed to implementing a secure framework
based on industry standards that will foster the development of
secure Internet applications, including electronic commerce,"
said Brad Silverberg, senior vice president of the Internet platform
and tools division at Microsoft. "The Microsoft Internet
Security Framework's open approach gives developers and corporations
the tools with which to open up their intranets to the Internet,
allowing them to work with partners to reduce development cycles,
lower costs, improve distribution and increase customer satisfaction."
Comprehensive Framework
The Microsoft Internet Security Framework addresses major user
security needs, including secure communication, controlling access
to systems and content, and secure financial transactions, by
providing a set of APIs and technologies including the following:
- CryptoAPI 1.0 provides extensible, exportable, system-level
access to common cryptographic functions such as encryption, hashing
and digital signatures. It is now shipping in Microsoft Internet
Explorer 3.0 beta and the Windows NT® operating system version
4.0 beta and will also be delivered to OEMs as part of the Windows
95 OEM Service Release this summer. Included in these products
is a default Cryptographic Service Provider (CSP), which implements
the most popular cryptographic algorithms, including the RSA Cryptosystem.
- CryptoAPI 2.0 provides a complete public key infrastructure,
including certificate-based authentication services and extensible
certificate management functions, as well as high-level APIs for
authentication, signing, and encryption and decryption services.
It is scheduled to be available in beta in the third quarter of
1996.
- Code signing provides "shrink wrap" for the Internet:
It identifies the publisher of an application and ensures that
the application hasn't been altered before or during downloading.
Code signing is supported in the Microsoft Internet Explorer 3.0
beta.
- Certificate server issues, manages and revokes certificates
that identify users for subsequent authentication using public
key technology. It is scheduled to be available in beta during
the fourth quarter of 1996. The certificate server will also support
installation and configuration of different certificate issuance
policies and multiple certificate signature algorithms.
- Secure channel protocols enable point-to-point communication
privacy. They are supported in the Microsoft Internet Explorer
3.0 beta via SSL 2.0, SSL 3.0 and PCT 1.0.
- Client authentication allows servers to verify identity via
public-key certificates and to enforce access control. This capability
will be supported in an upcoming beta version of Microsoft Internet
Explorer 3.0 and an add-in to Microsoft Internet Information Server
2.0.
- Single logon lets users sign on once to gain access to applications
and resources across the network using passwords and certificate-based
authentication. Single logon to multiple heterogeneous network
resources is supported in both Windows 95 and Windows NT today
and is planned to be extended to support seamless access to Internet
resources in beta products in the fourth quarter of 1996.
- Distributed authentication technology based on passwords,
including integration with Internet protocols, allows pass-through
authentication, distributed authorization and integration with
Windows NT security. It supports interfaces to scalable databases.
It is expected to be available in beta in the fourth quarter of
1996.
- Microsoft Wallet provides for secure storage and cross-platform
transfer of personal security information. It is planned to be
available in beta in the third quarter of 1996. The personal information
exchange (PFX) protocol, supported in Microsoft Wallet, is an
interoperable, multibrowser, multiplatform technology for securely
transferring certificates and other personal security information
from one computer to another.
- An implementation of the industry-supported SET secure payment
specification enables safe credit-card purchases and payments
over the Internet. It is scheduled to be available in beta in
the third quarter of 1996.
Open, Cross-Platform and Interoperable
Microsoft Internet Security Framework is open, cross-platform
and interoperable.
- Support for existing standards and extension of standards
through innovation. The Internet Security Framework supports
existing standards, such as X.509, and the PKCS standards. Where
additional functionality is necessary, Microsoft is proposing
open extensions.
- Active participation in industry standard groups. Microsoft
is actively participating in the Internet Engineering Task Force
(IETF), World Wide Web Consortium (W3C) and other groups. Recent
examples include the PFX protocol submitted to the W3C Digital
Signature Initiative; the code-signing proposal submitted to the
W3C; and the transport-layer security (TLS) efforts through the
IETF, aimed at creating a single secure channel standard.
- Cross-platform support. Microsoft's implementations
of the Wallet, client authentication, distributed authentication,
secure channel protocols, CryptoAPI, code signing and SET will
all be made available via Microsoft Internet Explorer on Windows
NT, Windows 95, Macintosh and UNIX platforms.
- Commitment to interoperability. Technologies in the
Internet Security Framework interoperate with other leading Internet
technologies, including the SSL protocol.
- Open Design Review. Microsoft plans to hold a design
review of the Internet Security Framework on July 29. To register,
please send e-mail to inetsdr@microsoft.com. Development kits
for the Microsoft Internet Security Framework will be delivered
to developers and content providers in the software development
kit (SDK) for the ActiveX technologies.
Integrates Security Needs for Both Intranets and the Internet
The Internet Security Framework provides solutions to the specific
security challenges of integrating existing network security models
with the public-key-based security model emerging on the Internet.
The framework provides standards-based technology to integrate
the two models, supporting authentication methods for both environments,
and to work with existing administration and access control tools.
This means that companies will be able to make full use of their
existing investment in Windows-based security technology and support
the new public-key-based Internet security model. In addition,
users will continue to receive the convenience of features such
as single logon even as they reach out to the Internet.
Founded in 1975, Microsoft (NASDAQ "MSFT") is the worldwide
leader in software for personal computers. The company offers
a wide range of products and services for business and personal
use, each designed with the mission of making it easier and more
enjoyable for people to take advantage of the full power of personal
computing every day.
Microsoft, Windows, Windows NT and ActiveX are either registered
trademarks or trademarks of Microsoft Corp. in the United States
and/or other countries.
Macintosh is a registered trademark of Apple Computer Inc.
UNIX is a registered trademark in the United States and other
countries, licensed exclusively through X/Open Company Ltd.