Re: Does W2K hold user's email, EFS etc private key securely ?
From: bkml (bkml@att.net)
Date: 09/10/02
- Previous message: Mike Coppins: "RE: new unknown ms problem..."
- In reply to: Fred.Langston@guardent.com: "RE: Does W2K hold user's email, EFS etc private key securely ?"
- Next in thread: Dufresne, Pierre: "RE: Does W2K hold user's email, EFS etc private key securely ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "bkml" <bkml@att.net>
To: <Fred.Langston@guardent.com>, <fp56@dial.pipex.com>, <focus-ms@securityfocus.com>
Date: Mon, 9 Sep 2002 17:00:46 -0500
Fred,
I'm afraid that you've made some technically incorrect statements.
First, the location of private keys doesn't depend on how the Encrypted Data
Recovery Policy is applied via Group Policy or local policy. The private
keys (when imported) are stored in a user's Certificate Store. The
Certificate Store is in turn archived within the user account profile. From
a cryptographic perspective private keys are well protected within the user
profile. However, if someone can guess your password and load your profile,
they'll have your private keys.
Second, the file encryption key (FEK) is not the public key. The FEK is a
randomly generated, DESX/3DES key that is unique for every encrypted file.
It is the FEK that is encrypted using the user's EFS public key, and then
stored along with encrypted data in a data decryption field (DDF). That way
a person can retrieve the FEK using their EFS private key.
Third, private keys used for EFS can't be stored on smart cards. This
problem probably won't be solved until future versions of 2000/XP. You can
require smart card authentication for user logon, which would effectively
protect your EFS keys by limiting the success of password guessing or theft.
Phil, to answer your last question directly, EFS isn't used for email. But
if you want to move your EFS keys from one machine to another you either
have to use roaming profiles or export/import the key set. But this may not
be necessary. You may be perfectly happy using a different set of EFS
credentials on every computer.
Although it is an older article, the following KB doc offers a quick walk
through of EFS functionality:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273856
This XP Pro Resource Kit has good info on EFS key storage and protection:
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prnb_efs_qutx.asp
And a presentation I gave at SANS last year also has some decent tidbits of
info:
http://www.sans.org/SANS2001/Encrypting_File_System_Marshall.pdf
----
Bruce K. Marshall - bruce_marshall@ins.com
International Network Services (INS) - Kansas City
"The knowledge behind the network."

----- Original Message -----
From: <Fred.Langston@guardent.com>
To: <fp56@dial.pipex.com>; <focus-ms@securityfocus.com>
Sent: Thursday, September 05, 2002 6:52 PM
Subject: RE: Does W2K hold user's email, EFS etc private key securely ?
> Hi Phil,
>
> Everything depends on whether you are implementing EFS via GPO or locally,
> so more info is needed.
>
> Big points to remember:
>
> -LSASS handles EFS key management and uses the CryptoAPI, after LSASS
> everything runs in kernel mode
> -your FEK (public key) is stored in every encrypted file
> -the keys are stored locally during an interactive session in what MS calls
> certificate storage or protected storage, a secure hard disk area (at least
> so far).
> -Only the Cryptographic Provider modules running in kernel mode can access
> private keys.
> -Only the CertificateHash value is stored in the registry, not the keys
> (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash)
> -smart card key storage is available in XP
>
> Hope this helps.
>
> Fred Langston, CISSP
> Principal Consultant
> W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
> Seattle, WA
>
>
> -----Original Message-----
> From: Phil Pinder [mailto:fp56@dial.pipex.com]
> Sent: Thursday, September 05, 2002 2:09 AM
> To: focus-ms@securityfocus.com
> Subject: Does W2K hold user's email, EFS etc private key securely ?
>
>
> Hi all,
>
> I'd be grateful if anyone can provide an answer to the following questions:
>
> On Windows 2000 or .Net server, if a user/administrator creates
> public/private keys for use in EFS, email encryption etc, where is the
> user's private key actually stored, and how is this location protected. Is
> it secure?
>
> Is the private key held in the registry for example and how is it itself
> encrypted - using the Windows password I'm guessing since you are never
> prompted for a separate passphrase to protect this key.
>
> If held on the workstation, how is it retrieved if you email from a
> different workstation?
>
> Many thanks
>
> Phil Pinder
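The key hierarchy Bruce describes in his second point (a random per-file FEK, encrypted under the user's EFS public key and stored with the file in a DDF, so that only the matching private key recovers it) is easy to see in code. The following Go program is an added illustration for this archived thread, not code from the posters and not Microsoft's implementation: it models the scheme with a 3DES FEK in CBC mode and wraps the FEK with RSA-OAEP/SHA-256 (the wrapping algorithm, key sizes and the `EncryptedFile` layout are this example's own choices; the real NTFS $EFS attribute and CryptoAPI parameters differ). It also keeps a second wrapped copy of the FEK for a recovery agent, the data recovery field that the Encrypted Data Recovery Policy mentioned above provides for.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a simplified model of an EFS-protected file (not the real
// NTFS $EFS layout): the 3DES ciphertext plus one wrapped copy of the
// per-file FEK for each party allowed to recover it.
type EncryptedFile struct {
	IV         []byte
	Ciphertext []byte
	DDF        []byte // data decryption field: FEK wrapped with the user's EFS public key
	DRF        []byte // data recovery field: FEK wrapped with the recovery agent's public key
}

// pkcs7Pad / pkcs7Unpad bring the data to a whole number of 3DES blocks.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile draws a fresh random FEK for this one file, encrypts the data
// with it, then wraps the FEK once for the user and once for the recovery agent.
// Only the wrapped copies are stored; the FEK never sits in the clear on disk.
func EncryptFile(plaintext []byte, userPub, recoveryPub *rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 24) // 168-bit 3DES key, unique to this file
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(fek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, fek, []byte("DDF"))
	if err != nil {
		return nil, err
	}
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recoveryPub, fek, []byte("DRF"))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{IV: iv, Ciphertext: ct, DDF: ddf, DRF: drf}, nil
}

// DecryptFile recovers the FEK with whichever field the caller's private key
// unwraps (DDF for the user, DRF for the recovery agent), then decrypts the data.
// Any other private key unwraps neither field and gets nothing.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.DDF, []byte("DDF"))
	if err != nil {
		if fek, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.DRF, []byte("DRF")); err != nil {
			return nil, errors.New("this private key unwraps neither the DDF nor the DRF")
		}
	}
	block, err := des.NewTripleDESCipher(fek)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ef.Ciphertext))
	cipher.NewCBCDecrypter(block, ef.IV).CryptBlocks(pt, ef.Ciphertext)
	return pkcs7Unpad(pt, des.BlockSize)
}

// RoundTrip runs the model with three key holders (user, recovery agent and an
// unrelated third key) and reports who could read the file.
func RoundTrip(plaintext []byte) (userOK, agentOK, strangerRejected bool, err error) {
	user, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	agent, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	ef, err := EncryptFile(plaintext, &user.PublicKey, &agent.PublicKey)
	if err != nil {
		return
	}
	got, e1 := DecryptFile(ef, user)
	userOK = e1 == nil && bytes.Equal(got, plaintext)
	got, e2 := DecryptFile(ef, agent)
	agentOK = e2 == nil && bytes.Equal(got, plaintext)
	_, e3 := DecryptFile(ef, stranger)
	strangerRejected = e3 != nil
	return
}

func main() {
	u, a, s, err := RoundTrip([]byte("constructed sample file contents")) // constructed input
	fmt.Println("user:", u, "recovery agent:", a, "stranger rejected:", s, "err:", err)
}
```

The point the model makes is the one Bruce draws in his first point: the strength of the file encryption is beside the point once someone holds the private key, because the DDF hands them the FEK directly. Protecting the private key (the profile it lives in, and the logon that unlocks that profile) is therefore the control that matters, which is why smart-card logon or strong passwords, and a deliberately chosen recovery agent, do more for EFS than any setting on the file itself.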