RE: Re[2]: Relative Security Provided by Cached Domain Credentials?

From: Kim Oppalfens (Kim.Oppalfens_at_azlan.be)
Date: 05/27/04

    To: Vyacheslav Ponomarenko <VPonomarenko@taos.com>, focus-ms@securityfocus.com
    Date: Thu, 27 May 2004 08:41:49 +0200

    Correct, and you have to trust the server for delegation.
    This indeed makes smartcards not usable for efs on file servers.

    But that was not the point I was trying to make.
    The point is that even if you manage to get an efs private key to be stored
    on a smartcard, the smartcard will never be checked during encryption or
    decryption of efs files. Just because efs was not built to do that; it just
    checks the profile for a private key even if you are using efs on your local
    disks.

    At least that is the way I understood it, again if anyone is actually doing
    efs with smartcards I would love to hear about it. More specifically I would
    love to hear how they got it done. But at this point I am afraid it is just
    a theoretical solution that you cannot bring into practice.

    Kim Oppalfens
     

    -----Original Message-----
    From: Vyacheslav Ponomarenko [mailto:VPonomarenko@taos.com]
    Sent: Wednesday 26 May 2004 5:14
    To: focus-ms@securityfocus.com
    Cc: Kim Oppalfens
    Subject: Re[2]: Relative Security Provided by Cached Domain Credentials?

    Kim,

    When you use EFS on a file server it encrypts/decrypts data on user's behalf
    via delegation. Thus it can only access keys stored in user's profile.

    Vyacheslav

    Tuesday, May 25, 2004, 6:56:01 AM, you wrote:

    KO> I have seen mentioned the use of smartcards for efs certificates in
    KO> this thread a couple of times.

    KO> Although it would be nice in theory it was my understanding that
    KO> this cannot be used at present because it was not thought about in the efs
    KO> API, so during decryption or encryption for that matter only the
    KO> personal certificate store is checked for a key, not any smartcard
    KO> related stuff.

    KO> At least that is what I understood about efs and smartcards.
    KO> Has any of you actually tested the smartcard solution, or is this
    KO> how you would theoretically handle it?

    KO> Kim Oppalfens

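A way to check the claim made in this thread on a given machine (an added example, not code from the list or from either poster): enumerate the EFS certificates in the current user's personal store and report which CSP holds each private key. It assumes the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 marks EFS certificates and that a CSP reporting HardwareDevice is a smartcard or token provider; the function name Get-EfsKeyLocation is made up for this example.

```powershell
# Added example: audit where each EFS private key in the user's profile lives.
# Assumption: EFS certificates carry the EKU OID below; keys in a CSP that
# reports HardwareDevice sit on a smartcard/token rather than in the profile.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsKeyLocation {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        # Keep only certificates whose EKU list contains the EFS OID.
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku }
    } | ForEach-Object {
        $cert     = $_
        $provider = $null
        $hardware = $false
        if ($cert.HasPrivateKey) {
            try {
                # Legacy CSP keys expose container metadata; touching a
                # smartcard-backed key here may prompt for the PIN.
                $info     = $cert.PrivateKey.CspKeyContainerInfo
                $provider = $info.ProviderName
                $hardware = $info.HardwareDevice
            } catch {
                # CNG-stored keys or keys the caller cannot open land here.
                $provider = 'unreadable (CNG key or no access)'
            }
        }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            HasKey      = $cert.HasPrivateKey
            Provider    = $provider
            OnSmartcard = $hardware
        }
    }
}

# Example usage: one row per EFS certificate, showing whether the key that
# EFS will actually use is software-resident in the profile or on hardware.
Get-EfsKeyLocation | Format-Table -AutoSize
```

Rows with OnSmartcard set to False are keys EFS reads straight from the profile, which is the case the thread describes; a True row tells you the key itself is on a token, but not whether the EFS driver will use it.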

