Re: Relative Security Provided by Cached Domain Credentials?

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 05/26/04

    Date: Wed, 26 May 2004 19:14:26 +0200
    To: focus-ms@securityfocus.com
    
    

    > I have seen mentioned the use of smartcards for EFS certificates in this
    > thread a couple of times.
    >
    > Although it would be nice in theory it was my understanding that this cannot
    > be used at present because not thought about in the EFS API, so during
    > decryption or encryption for that matter only the personal certificate store
    > is checked for a key, not any smartcard related stuff.
    >
    > At least that is what I understood about EFS and smartcards.
    > Has any of you actually tested the smartcard solution, or is this how you
    > would theoretically handle it?

    Hello,

    I do not have any personal experience of EFS + SmartCards. I guess it would work because of the
    CryptoAPI abstraction between applications and certificate stores, but I won't take it for granted
    because Microsoft documentation contradicts itself from one source to another.

    However I managed to get the following combo working: SmartCard + USB Token Reader + Windows 2003
    Domain Controller + Windows XP Client + "SmartCard User" certificate. This certificate has been
    successfully used for Domain Logon, Mail Encryption and Mail Signature.

    Hope it helps.

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    -----------------------------------
