RE: Does W2K hold user's email, EFS etc private key securely ?
From: Fred.Langston@guardent.com Date: 09/10/02
- Previous message: bkml: "Re: Does W2K hold user's email, EFS etc private key securely ?"
- Maybe in reply to: Phil Pinder: "Does W2K hold user's email, EFS etc private key securely ?"
- Next in thread: Schwarz, Roland: "RE: Does W2K hold user's email, EFS etc private key securely ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Fred.Langston@guardent.com To: bkml@att.net, fp56@dial.pipex.com, focus-ms@securityfocus.com Date: Mon, 9 Sep 2002 18:47:57 -0400
Hi Bruce,
Thanks for the input, Bruce. I still stand by my statement that everything
in EFS is related to how it's implemented. My statement about that
purposely didn't mention key storage and was intended to get people to
look at the enterprise EFS deployment issues.
Saying that a key is stored in the user profile is technically true but
saying it's in protected storage (a users certificate store), which is
equally true, is much more pertinent to Phil's question. Why? First,
it is not accessible via user interaction with the file system at all. Then
there's the roaming profile issue. Again, you must look at the whole
architecture, not just one machine. I answered this in terms of how the key
is protected as opposed to where in the file structure it's stored. I
believe that was the intent of Phil's inquiry.
You are correct about the FEK. Should have made that more clear.
You are definitely correct that the main flaw with EFS is the fact that
getting a user's password kills EFS protection outright. But...
We are currently using EFS key storage on Smart cards with XP, so that one's
incorrect. This one goes a long way toward solving the previously mentioned
problem. At the time of your SANS article, you were correct, but things
have changed with, as you said, newer versions.
And, lastly, I took the 'etc.' in Phil's email to include all cert. storage,
not just EFS. Mea culpa.
This is a great detail-oriented article for EFS along with the ones you
suggested:
www.winntmag.com/Articles/Index.cfm?ArticleID=5387&Key=Internals
Fred Langston, CISSP
Principal Consultant
W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
Seattle, WA www.guardent.com
________________________________________
G U A R D E N T
Enterprise Security and Privacy Programs
-----Original Message-----
From: bkml [mailto:bkml@att.net]
Sent: Monday, September 09, 2002 3:01 PM
To: Fred Langston; fp56@dial.pipex.com; focus-ms@securityfocus.com
Subject: Re: Does W2K hold user's email, EFS etc private key securely ?
Fred,
I'm afraid that you've made some technically incorrect statements.
First, the location of private keys doesn't depend on how the Encrypted Data
Recovery Policy is applied via Group Policy or local policy. The private
keys (when imported) are stored in a user's Certificate Store. The
Certificate Store is in turn archived within the user account profile. From
a cryptographic perspective private keys are well protected within the user
profile. However, if someone can guess your password and load your profile,
they'll have your private keys.
Second, the file encryption key (FEK) is not the public key. The FEK is a
randomly generated, DESX/3DES key that is unique for every encrypted file.
It is the FEK that is encrypted using the user's EFS public key, and then
stored along with encrypted data in a data decryption field (DDF). That way
a person can retrieve the FEK using their EFS private key.
Third, private keys used for EFS can't be stored on smart cards. This
problem probably won't be solved until future versions of 2000/XP. You can
require smart card authentication for user logon, which would effectively
protect your EFS keys by limiting the success of password guessing or theft.
Phil, to answer your last question directly, EFS isn't used for email. But
if you want to move your EFS keys from one machine to another you either
have to use roaming profiles or export/import the key set. But this may not
be necessary. You may be perfectly happy using a different set of EFS
credentials on every computer.
Although it is an older article, the following KB doc offers a quick walk
through of EFS functionality:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q273856
This XP Pro Resource Kit has good info on EFS key storage and protection:
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prnb_efs_qutx.asp
And a presentation I gave at SANS last year also has some decent tidbits of
info:
http://www.sans.org/SANS2001/Encrypting_File_System_Marshall.pdf
----
Bruce K. Marshall - bruce_marshall@ins.com
International Network Services (INS) - Kansas City
"The knowledge behind the network."
----- Original Message -----
From: <Fred.Langston@guardent.com>
To: <fp56@dial.pipex.com>; <focus-ms@securityfocus.com>
Sent: Thursday, September 05, 2002 6:52 PM
Subject: RE: Does W2K hold user's email, EFS etc private key securely ?
> Hi Phil,
>
> Everything depends on whether you are implementing EFS via GPO or locally,
> so more info is needed.
>
> Big points to remember:
>
> -LSASS handles EFS key management and uses the CryptoAPI, after LSASS
> everything runs in kernel mode
> -your FEK (public key) is stored in every encrypted file
> -the keys are stored locally during an interactive session in what MS calls
> certificate storage or protected storage, a secure hard disk area (at least
> so far).
> -Only the Cryptographic Provider modules running in kernel mode can access
> private keys.
> -Only the CertificateHash value is stored in the registry, not the keys
> (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\
> EFS\CurrentKeys\CertificateHash)
> -smart card key storage is available in XP
>
> Hope this helps.
>
> Fred Langston, CISSP
> Principal Consultant
> W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
> Seattle, WA
>
>
> -----Original Message-----
> From: Phil Pinder [mailto:fp56@dial.pipex.com]
> Sent: Thursday, September 05, 2002 2:09 AM
> To: focus-ms@securityfocus.com
> Subject: Does W2K hold user's email, EFS etc private key securely ?
>
>
> Hi all,
>
> I'd be grateful if anyone can provide an answer to the following questions:
>
> On Windows 2000 or .Net server, if a user/administrator creates
> public/private keys for use in EFS, email encryption etc, where is the
> user's private key actually stored, and how is this location protected. Is
> it secure?
>
> Is the private key held in the registry for example and how is it itself
> encrypted - using the Windows password I'm guessing since you are never
> prompted for a separate passphrase to protect this key.
>
> If held on the workstation, how is it retrieved if you email from a
> different workstation?
>
> Many thanks
>
> Phil Pinder
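As an added illustration of the FEK/DDF mechanism Bruce describes (example code written for this page, not from Microsoft or from any poster): each file gets its own random 3DES FEK, which is stored only wrapped under the owner's EFS public key, so whoever holds that private key (the user, or anyone who has loaded the user's profile) can recover it and nobody else can. The second wrapped copy for a recovery agent (the DRF) is an assumption modelling the recovery policy mentioned above; RSA-OAEP and CTR mode are this example's choices, not EFS's exact on-disk formats.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models the layout the thread describes: a body encrypted under a per-file
// FEK, plus that FEK wrapped per authorised key (Fields[0] = owner's DDF, rest = agent DRFs).
type EncryptedFile struct{ IV, Body []byte; Fields [][]byte }
// NewKey stands in for a user's EFS certificate key pair (constructed for this example).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// ctr3DES applies 3DES in CTR mode (no padding); callers always pass a 24-byte key.
func ctr3DES(fek, iv, in []byte) []byte {
	block, _ := des.NewTripleDESCipher(fek) // only fails on a bad key size
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// EncryptFile draws a fresh FEK and IV for this file only; the FEK is stored only RSA-OAEP wrapped.
func EncryptFile(recipients []*rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	buf := make([]byte, 24+des.BlockSize) // 3DES key followed by the CTR IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, iv := buf[:24], buf[24:]
	ef := &EncryptedFile{IV: iv, Body: ctr3DES(fek, iv, plaintext)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.Fields = append(ef.Fields, w)
	}
	return ef, nil
}

// DecryptFile unwraps the FEK from whichever field this key can open; a key matching no field learns nothing.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	for _, field := range ef.Fields {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, field, nil); err == nil {
			return ctr3DES(fek, ef.IV, ef.Body), nil
		}
	}
	return nil, rsa.ErrDecryption // no DDF/DRF entry wrapped for this key
}
```

The same structure shows why a stolen password is the weak point: the file never reveals the FEK, but any process that can load the profile holding the owner's private key can unwrap it.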