RE: Cached Domain Password on Notebook, secure?
From: Stephane Moulec (smoulec@cuisinesolutions.com) Date: 02/20/02
- Previous message: Robert Collins: "Re: restricting permissions for services in Win2K"
- In reply to: Varga Daniel (QI/RZS4) *: "RE: Cached Domain Password on Notebook, secure?"
- Next in thread: David@cawdgw.net: "RE: Cached Domain Password on Notebook, secure?"
- Next in thread: Alan Ramsbottom: "RE: Cached Domain Password on Notebook, secure?"
- Next in thread: Toni Heinonen: "RE: Cached Domain Password on Notebook, secure?"
- Reply: David@cawdgw.net: "RE: Cached Domain Password on Notebook, secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Stephane Moulec" <smoulec@cuisinesolutions.com> To: "'Varga Daniel (QI/RZS4) *'" <Daniel.Varga@de.bosch.com>, "'Laura A. Robinson'" <larobins@bellatlantic.net>, <focus-ms@securityfocus.com> Date: Wed, 20 Feb 2002 12:49:50 -0500
I agree with Daniel's statement: I believe you can backup the keys but
you cannot 'remove' them from the hard disk (I don't even know where the
keys are physically stored. Anyone??). I manage to achieve decent
security with a similar scheme using PGP disk (not freeware though, you
have to buy it from Network Associates. See
http://www.pgp.com/products/mail-file-encryption/default.asp). Here are
my $.02 (well, it works for me anyway):
1 - Install PGP with its default settings.
2 - After the installation is complete (includes creating the public and
private keyrings), move the keyrings onto a smartcard (you can use a USB
reader on desktops or a PCCard adapter on laptops).
3 - Once this is done, create a PGPDisk (virtual encrypted disk stored
on your hard drive that can be mounted on demand using your private key
as a credential) that will be used to store all confidential information
(documents, e-mail files, etc.). I make the assumption that you do not
need to protect the entire hard disk; I may be wrong, but I don't see why
someone would do that.
4 - When you travel, DO NOT store the smartcard in your PC bag (you have
to trust people not to do that. That is the weak link.)
If the smartcard is missing, the virtual hard disk cannot be mounted and
the data cannot be accessed (PGPdisk uses BLOWFISH encryption (or is
that TWOFISH? Memory leak!). It can probably be broken but not easily.)
The advantage of having your keyring on a smartcard is that you can
easily use it on several machines. Achieving this with EFS involves a
whole PKI, I'm not sure you want to go there.
The scheme I use is actually a little more complicated. Contact me off
the list for more details (it involves multiple partitions on the hard
disk).
-- Stephane Moulec
Network Systems Manager
Cuisine Solutions

-----Original Message-----
From: Varga Daniel (QI/RZS4) * [mailto:Daniel.Varga@de.bosch.com]
Sent: Wednesday, February 20, 2002 3:03 AM
To: 'Laura A. Robinson'; focus-ms@securityfocus.com
Subject: RE: Cached Domain Password on Notebook, secure?
> No, the security of EFS stands or fails with the location of
> the user and recovery agent keys. Get them off the hard drive.
The user can export his public and private keys onto floppy. But this is for backup reasons only. He cannot store his keys on external media exclusively (SmartCard, etc.). So the keys remain on the hard drive, no chance.
An MS engineer assured me that it would be incredibly hard for an attacker to get these keys, but he failed to explain to me why or how these keys on the hard drive are protected. Can any of you?
thanks -- Daniel