RE: Thanks and a follow-up question on private keys
From: Steven Wenham (steve@sc-solutions.co.uk)
Date: 09/11/02
- Previous message: Fabian Aubrey: "Authentication problems using VPN on MS ISA"
- Maybe in reply to: Phil Pinder: "Thanks and a follow-up question on private keys"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Steven Wenham <steve@sc-solutions.co.uk>
To: 'Phil Pinder' <fp56@dial.pipex.com>, focus-ms@securityfocus.com, Fred.Langston@guardent.com, bkml@att.net
Date: Wed, 11 Sep 2002 17:01:02 +0100
Hi Phil, all.
See:
http://msdn.microsoft.com/library/en-us/security/security/cryptoapi_system_architecture.asp
Basically keys are stored within Crypto Service Providers (CSPs). How the
CSP stores keys is CSP implementation dependent and of course possibly
subject to change. Some may choose to use protected storage or smart cards,
for example.
Anybody can write a CSP (although it has to be signed by MS before it will
work [1]); third-party CSPs may use smart cards or other hardware as
storage for keys. Smart cards, for example, have the advantage of being able
to request authentication before exercising the private keys and may never
have the capability to export the keys.
All applications (email, web browsers, My Super App etc...) access the
CryptoAPI through the same interface. The CSPs have no idea what sort
of application is being used to access them or why the keys or other
operations are being performed.
Applications may interrogate the CryptoAPI (only in Win2K onwards) for a
list of CSPs available for use and then in turn interrogate each CSP
to determine its capabilities. An application may present to a user the
choice of CSPs to use for performing operations. This is often performed
when obtaining a digital certificate (be it for email, web browser or
whatever); often the choice is an 'advanced' option.
[1] By 'work' I mean on unmodified systems or systems with the kernel
debugger active; this is Windows version dependent.
Regards,
Steve.
--
Steven Wenham
Smart Card Solutions Ltd.
Tel: +44 (0)1223 716222
Fax: +44 (0)1223 716223
mailto:steve@sc-solutions.co.uk

> -----Original Message-----
> From: Phil Pinder [mailto:fp56@dial.pipex.com]
> Sent: 10 September 2002 19:22
> To: focus-ms@securityfocus.com; Fred.Langston@guardent.com; bkml@att.net
> Subject: Thanks and a follow-up question on private keys
>
>
> Hi all
>
> Thanks for the information on private keys. That's answered my burning
> question. However, your replies generated another two....
>
> It seems from some replies that protected storage is located in a mixture of
> undocumented locations on the hard-drive/registry, and hence obfuscated. But
> another reply seems to locate the private keys in files in :-
> C:\Docs and settings\User\Application data\Microsoft\Crypto\RSA\user's SID\
> and the master key used to encrypt the PK (itself encrypted with SYSKEY and
> the user's password hash) is located in :-
> ..user\application data\microsoft\protect\user's sid\
>
> Are these locations what is referred to as 'a mixture of locations on the
> hard-drive/registry'??
>
> If so and although Admin-only accessible, wouldn't this mean that these are
> easily deleted by Admins (by mistake or by an intruder with this privilege)
> and secondly where is syskey located since this seems fundamental in the
> protection.
>
> Are email keys also held in the roaming profile (same as EFS keys)??
>
> Many thanks
>
> Phil
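The two points Steve makes, that an application can enumerate the registered CSPs and query each one, and that a CSP decides how (and whether) a private key can leave it, can be seen directly from PowerShell. The script below is an added example and is not code from the original posts or from Smart Card Solutions. It lists the CSPs registered on the machine (the registry view of what CryptEnumProviders returns), then generates an RSA key in a named CSP with the non-exportable flag and reports what the CSP says about the resulting container, including the file under `%APPDATA%\Microsoft\Crypto\RSA\<SID>\` that Phil's quoted message refers to. It assumes a Windows box with PowerShell 5.1 or later; the provider name, provider type 24 and the container name `focus-ms-demo` are illustrative choices, not anything the thread specifies.

```powershell
# Added example (not from the original post). Enumerate registered CSPs, then
# create a non-exportable RSA key in one CSP and inspect the key container.
# Assumptions: Windows, PowerShell 5.1+; provider/container names below are
# illustrative and can be changed freely.

function Get-RegisteredCsp {
    # Registered CSPs live under this key; each subkey is one provider.
    $base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = $props.Type          # PROV_RSA_FULL = 1, PROV_RSA_AES = 24, ...
            ImagePath = $props.'Image Path'  # the DLL that implements the CSP
        }
    }
}

function New-DemoKeyContainer {
    param(
        # Illustrative choices; any registered RSA-capable CSP will do.
        [string]$ProviderName  = 'Microsoft Enhanced RSA and AES Cryptographic Provider',
        [int]   $ProviderType  = 24,
        [string]$ContainerName = 'focus-ms-demo'
    )
    $params = New-Object System.Security.Cryptography.CspParameters(
        $ProviderType, $ProviderName, $ContainerName)
    # Ask the CSP to mark the key non-exportable at generation time.
    $params.Flags = [System.Security.Cryptography.CspProviderFlags]::UseNonExportableKey
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $params)
    try {
        $info = $rsa.CspKeyContainerInfo
        $sid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        # For a software CSP the container is a file named after UniqueKeyContainerName
        # under the per-user RSA directory; a hardware CSP may keep nothing there.
        $file = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$($info.UniqueKeyContainerName)"

        # Confirm the CSP refuses to hand the private half back to the caller.
        $exportRefused = $false
        try   { [void]$rsa.ExportParameters($true) }
        catch [System.Security.Cryptography.CryptographicException] { $exportRefused = $true }

        [pscustomobject]@{
            Provider       = $info.ProviderName
            Container      = $info.KeyContainerName
            Exportable     = $info.Exportable
            HardwareDevice = $info.HardwareDevice  # $true for smart-card / HSM-backed CSPs
            Removable      = $info.Removable
            KeyFile        = $file
            KeyFileExists  = Test-Path -Path $file
            ExportRefused  = $exportRefused
        }
    }
    finally {
        # Do not leave the demo key on disk: drop the container when the object is released.
        $rsa.PersistKeyInCsp = $false
        $rsa.Clear()
    }
}

Get-RegisteredCsp | Format-Table -AutoSize
New-DemoKeyContainer | Format-List
```

Run it as an ordinary user and the first table shows every CSP the application could offer in that 'advanced' dialogue, with the DLL behind each. The second object is the CSP's own description of the key: `Exportable` comes back `$false` and `ExportParameters($true)` throws, which is the CSP enforcing policy without knowing or caring which application asked. Repeating the run with a smart-card CSP's name is the experiment that shows Steve's point about hardware: `HardwareDevice` flips to `$true` and there is no key file under the user's profile to delete, because the private key never left the card.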