Re: Protecting private key on a soft cert

From: Michel Gallant (neutron_at_istar.ca)
Date: 06/17/04

• Next message: lelteto: "RE: CryptoAPI and PKCS#11 interoperability"
• Previous message: lelteto: "RE: Store data on a smart card using CryptoAPI"
• In reply to: saict: "Protecting private key on a soft cert"
• Next in thread: saict: "Re: Protecting private key on a soft cert"
• Reply: saict: "Re: Protecting private key on a soft cert"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 16 Jun 2004 19:08:34 -0400

CSP protection for MS providers in W2k+ is based on DPAPI.
A fair level of details on how the various keys are derived based on
logged on user is described here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

- Mitch Gallant
   MVP Security

"saict" <thurberk@cscsw.com> wrote in message news:7eab6777.0406160828.56c12b5@posting.google.com...
> Hello,
>
> My understanding of how Microsoft handles a private key is that it
> stores an encrypted version in the registry. When an API call is made
> which requires its use the OS retrieves that key, decrypts it on the
> fly, uses it, erases it out of memory and returns the relevant result.
>
> Correct me if I'm wrong, but presuming my understanding is correct,
> can somebody give me any further details on private key protection?
>
> For example, is there some message generated to decrypt the private
> key which is also stored in the registry or somewhere else on the
> harddrive? If not, what are the mechanics of decrypting this private
> key on the fly? Where is Microsoft retrieving the decryption key from
> to decrypt the private key in the registry? Does anyone know what
> algorithm and key size is being used to encrypt the private key before
> it is stored in the registry?
>
> Thank you in advance for whatever answers you can supply.

---

• Next message: lelteto: "RE: CryptoAPI and PKCS#11 interoperability"
• Previous message: lelteto: "RE: Store data on a smart card using CryptoAPI"
• In reply to: saict: "Protecting private key on a soft cert"
• Next in thread: saict: "Re: Protecting private key on a soft cert"
• Reply: saict: "Re: Protecting private key on a soft cert"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Protecting private key on a soft cert ... My understanding of how Microsoft handles a private key is that it ... stores an encrypted version in the registry. ... is there some message generated to decrypt the private ... algorithm and key size is being used to encrypt the private key before ... (microsoft.public.platformsdk.security) Re: CryptAPI(encryption/decryption) ... It seems like you're missing the Base64 decode step when trying to decrypt ... I misspelled the Private Key as Primary Key. ... Is there any variation in the encryption format in openssl compared to ... "Dylan DSilva " wrote: ... (microsoft.public.pocketpc.developer) [OT] Re: Basic question about Public Private Key Pairs ... > and private keys allow me to decrypt, but vice versa is not possible (or ... a public key and a corresponding private key. ... You can encrypt something with each key; ... (microsoft.public.dotnet.security) RSA frustrations - encrypt with private, decrypt with public - possible? ... -User with name "Foo" requests license. ... -User has public key, ... sufficient - I want to encrypt / decrypt a small amount of arbitrary ... "distribute private key, ... (microsoft.public.dotnet.security) Re: CryptAPI(encryption/decryption) ... since symmetric encryption is faster than public key encryption. ... As per your reply I could get the handle of the private key. ... possible for B to decrypt the data using his Private Key. ... The PFX format encrypts the private key with the user supplied password ... (microsoft.public.pocketpc.developer)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)