Re: Protecting private key on a soft cert

From: saict (thurberk_at_cscsw.com)
Date: 06/21/04

    Date: 21 Jun 2004 14:23:03 -0700


    "Michel Gallant" <neutron@istar.ca> wrote in message news:<OsAMYMIVEHA.1292@TK2MSFTNGP10.phx.gbl>...
    > "saict" <thurberk@cscsw.com> wrote in message
    > news:7eab6777.0406170655.7ebb9e80@posting.google.com...
    > > "Michel Gallant" <neutron@istar.ca> wrote in message
    > > news:<uAz2rb$UEHA.3332@tk2msftngp13.phx.gbl>...
    > > > CSP protection for MS providers in W2k+ is based on DPAPI.
    > > > A fair level of detail on how the various keys are derived based on
    > > > the logged-on user is described here:
    > > >
    > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
    > > >
    > > > - Mitch Gallant
    > > > MVP Security
    > >
    > > Thank you again, Mitch, for your valuable feedback. Would I be
    > > correct in saying that the private key is, in the end, protected by
    > > the user's login credential?
    >
    > If you don't provide extra "entropy" (i.e. the "Strong Protection" option), then that is
    > correct. Any process running under your logon credentials would be able to
    > use the private key. That is why Strong Protection (based on another password-derived
    > encryption) is important when importing a private key (say from PKCS #12) into the CSP.
    > This is described fairly well in the DPAPI article above.
    > - Mitch

    Yes, I understand that. I was just trying to get a feel for how
    securely this was happening by default. A discussion at a PKI
    conference had most of us thinking this was done by some sort of
    'security by obscurity' scheme, so we were happy to get your answer.
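The two protection levels Mitch describes, shown in code. This is an added example and not part of the original thread: it uses the .NET DPAPI wrapper (System.Security.Cryptography.ProtectedData) to protect a blob first with no extra entropy, then with caller-supplied entropy derived from a passphrase, and finally imports a PFX with the X509KeyStorageFlags.UserProtected flag, which asks the CAPI CSP for the "strong private key protection" prompt at import time. The PFX path, its password, the passphrase and the sample secret bytes are constructed placeholders; the script must run on Windows in an interactive session, because the strong-protection dialog has nowhere to appear otherwise.

```powershell
# Added example (not from the original post): DPAPI with and without extra
# entropy, then a PFX import that requests the CSP strong-protection prompt.
# Windows only. All file names, passwords and secret bytes below are assumptions.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed sample key material')

# --- 1. Plain DPAPI: the blob is bound only to the logged-on user's credential.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
# Any code running as this user can reverse it; no password is ever asked for.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
Write-Host ('Plain DPAPI round trip: ' + [System.Text.Encoding]::UTF8.GetString($plain))

# --- 2. DPAPI plus extra entropy. DPAPI accepts any bytes as "optional entropy";
# here they are derived from a passphrase with PBKDF2 so the passphrase, not just
# the logon, is needed to unwrap the blob. The salt must be stored alongside the blob.
function Get-EntropyFromPassphrase {
    param([string]$Passphrase, [byte[]]$Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $Salt, 100000)
    try { return $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$entropy    = Get-EntropyFromPassphrase -Passphrase 'example-passphrase' -Salt $salt
$blobStrong = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Same user, same machine, but without the entropy: DPAPI refuses to unwrap.
try {
    [System.Security.Cryptography.ProtectedData]::Unprotect($blobStrong, $null, $scope) | Out-Null
    Write-Host 'UNEXPECTED: blob unwrapped without entropy'
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Host 'Unprotect without entropy failed, as intended'
}

# With the passphrase-derived entropy it succeeds again.
$again = [System.Security.Cryptography.ProtectedData]::Unprotect($blobStrong, $entropy, $scope)
Write-Host ('Entropy-protected round trip: ' + [System.Text.Encoding]::UTF8.GetString($again))

# --- 3. Importing a PKCS #12 file with strong private key protection.
# UserProtected maps to CRYPT_USER_PROTECTED: a legacy CAPI CSP shows the
# "strong protection" dialog and lets the user set a separate password, so a
# later process running as this user still has to satisfy that prompt.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::UserProtected -bor $ksf::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            'C:\keys\example.pfx',   # assumed path
            'example-pfx-password',  # assumed PFX password
            $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
Write-Host ('Imported ' + $cert.Thumbprint + ' with UserProtected flag set')
```

Two caveats for anyone reproducing this. Step 3 only prompts when the private key lands in a CAPI CSP; a PFX that imports into a CNG key storage provider is handled differently and should be tested on the target OS version before relying on the prompt. And step 2 only moves the secret, it does not remove it: the passphrase (or the derived entropy) is now the thing to keep out of reach of code running in the user's session.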
