Re: Private key generation



While we are talking about key escrow: note that Windows implements escrow of encryption keys by means of recovery agents, which, btw., are also described in the cited article.

-Valery.
http://www.harper.no/valery

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:u4vrQfkPGHA.344@xxxxxxxxxxxxxxxxxxxxxxx
As I wrote in my first answer to that thread - there are many situations when the key pair is generated on a trusted server. Some encryption schemes (like e.g. identity based encryption) simply require generation of the private key on a server (which in the latter case serves the role of key distribution center)... however, one of the major reasons is that on corporate networks it is important to have reliable key escrow mechanisms. Whatever you produce while you are working for a company is an asset of that company, and the company must have guaranteed access to its assets...
High assurance keys (especially those that afterward are split into multiple shares using secret sharing schemes) may also require the use of specialized equipment and computers that run in tempest/EM shielded locations. Plus many more reasons...
Microsoft Certificate Server could support such scenarios, but it requires third-party CSPs and custom policy/exit modules. The default scenario supported by Microsoft Certificate Server is the most standard CA mode, when the CA just signs X509 certificates with embedded public keys.

-Valery.
http://www.harper.no/valery

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:%237fwtMkPGHA.428@xxxxxxxxxxxxxxxxxxxxxxx
Actually ... there are SOME models where the RSA key pair IS generated
on the server (some company in Texas, I believe, does that!) ..
designed for roaming profiles or something ..
I guess the idea is that the company deploying that service can GUARANTEE
to store the private keys (and distribute them on demand) to the clients as
needed .. notwithstanding the issues with big brother peeking at all those "secured"
server private keys!
- Mitch Gallant

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:%23e$SSBkPGHA.3728@xxxxxxxxxxxxxxxxxxxxxxx
Probably... I agree that it could be a bit misleading, but nevertheless this bullet is correct, esp. if we cite it completely and reflect what it actually means :-)

"Generating a private key and distributing it to the requester's protected certificate store (CryptoAPI and cryptographic service providers)."

-Valery.
http://www.harper.no/valery

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:uQGWr5jPGHA.2828@xxxxxxxxxxxxxxxxxxxxxxx
I think the OP was referring to this bullet:
.. "Generating a private key and distributing it to the requester's protected certificate store"
which is a bit misleading.
That is the client part of the service ... which does generate the private key (locally) and
installs it to the local "protected certificate store" ..
which probably means DPAPI-secured storage in a CAPI "key container" file.

- Mitch Gallant
MVP Security

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:uqZgmFjPGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
you have probably misread the article to which you are referring in your post. I've searched the article for occurrences of the word "private", and the only place where they mistakenly used it instead of "public" was when they described what information about allocated certificates is archived on the CA... but otherwise the article always states that private keys are generated by certificate requestors...
However, there are plenty of situations when generation of the private key on a trusted server makes perfect sense and is actually done that way. Such situations may vary from generation of high assurance private keys, enrolling private keys on tamper resistant devices, enterprise key escrow schemes, identity based encryption and many others.

-Valery.
http://www.harper.no/valery


"Francesco" <Francesco@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:544AB09C-D174-4E82-B242-3B669B9BA97D@xxxxxxxxxxxxxxxx
Hi,
I've read that in a certificate request the private key is generated by the CA
and then sent to the requester.

(http://technet2.microsoft.com/WindowsServer/en/Library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx)

Is this correct?
I believe that the private and public keys are created by the client (maybe the CSP) and
then the public key is sent to the CA. In this way the private key never passes
through the net.

Any suggestion?

Thanks

Francesco
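The client-side flow Francesco expects (key pair generated locally, only the public key sent to the CA) and the CAPI key container storage Mitch describes, shown in C# as an added example. This is not code from any post in the thread or from the cited TechNet article; the container name and subject are made up, the code is Windows-only because CspParameters/RSACryptoServiceProvider map to CryptoAPI, and the CertificateRequest class needs .NET Framework 4.7.2 or .NET Core 2.0 or later, which is newer than the .NET of this thread's era.

```csharp
// Added example, not from the original thread.
// Generates an RSA key pair inside a per-user CryptoAPI key container
// (DPAPI-protected under the user's profile), marks it non-exportable,
// and builds a PKCS#10 request that carries only the public key.
// Container name and subject are hypothetical. Windows only.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class LocalKeyGenDemo
{
    static void Main()
    {
        var csp = new CspParameters
        {
            // Hypothetical container name. A named container is persisted on disk;
            // with no KeyContainerName the CSP would create a throw-away random one.
            KeyContainerName = "ExampleRequestKey",
            // Private key may be used for signing/decryption but never exported.
            // Note: these flags only matter when the container is first created;
            // if the container already exists, the existing key is opened as-is.
            Flags = CspProviderFlags.UseNonExportableKey
        };

        using (var rsa = new RSACryptoServiceProvider(2048, csp))
        {
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("Container file: " + info.UniqueKeyContainerName);
            Console.WriteLine("Machine store:  " + info.MachineKeyStore);   // False: user profile
            Console.WriteLine("Exportable:     " + info.Exportable);        // False

            // Public half only: this is what is safe to put on the wire to the CA.
            RSAParameters pub = rsa.ExportParameters(false);
            Console.WriteLine("Public modulus bits: " + (pub.Modulus.Length * 8));

            // The check a practitioner wants: the private half must NOT come out.
            // For a non-exportable CAPI key this throws CryptographicException.
            try
            {
                rsa.ExportParameters(true);
                Console.WriteLine("WARNING: private key is exportable; container was not created with UseNonExportableKey.");
            }
            catch (CryptographicException)
            {
                Console.WriteLine("Private key stays in the container (export refused).");
            }

            // Build the PKCS#10 request. It contains the subject name, the public key
            // and a proof-of-possession signature made with the private key; the
            // private key itself is not part of the request the CA receives.
            var req = new CertificateRequest(
                "CN=example-requester",            // hypothetical subject
                rsa,
                HashAlgorithmName.SHA256,
                RSASignaturePadding.Pkcs1);
            byte[] csrDer = req.CreateSigningRequest();

            Console.WriteLine("-----BEGIN CERTIFICATE REQUEST-----");
            Console.WriteLine(Convert.ToBase64String(csrDer, Base64FormattingOptions.InsertLineBreaks));
            Console.WriteLine("-----END CERTIFICATE REQUEST-----");

            // Keep the key in the container so the certificate the CA returns can be
            // paired with it later. Set PersistKeyInCsp = false before Dispose to delete it.
            rsa.PersistKeyInCsp = true;
        }
    }
}
```

When the CA returns the signed certificate, pairing it with this container is the "distributing it to the requester's protected certificate store" step from the article: the certificate and the key container meet on the client, and nothing but the public key and the CSR signature ever crossed the network. Server-side generation with key archival, as Valery describes, is a different configuration (CA key recovery agents plus a CSP that allows export of the archived copy) and is not what this default flow does.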