Re: Can Windows be pointed to other locations for private keys?

From: Ridge Cook (RidgeCook_at_myrealboxdot.com)
Date: 07/22/04


Date: Thu, 22 Jul 2004 05:41:38 GMT

Dear Lars-

Thanks for the reply.

This page was very interesting:

http://msdn.microsoft.com/library/en-us/security/security/system_store_locations.asp

(currently offline, though it was up last night; available in Google's cache)

It lists numerous Registry keys pointing to physical locations. I have
those keys but no values are set.

So the next question becomes: what is pointing the system to the locations
if it's not set in the Registry, and can new Registry entries override the
default and point to different locations? I don't know, not a Registry hoodoo man.

Sorry if this sounds elementary. I agree 3rd party applications would be
stronger, but EFS is not a bad idea; just relying on log-on security to
protect the private key is a bad idea. I'm active in some areas of the
crypto community and while programs like PGP are very effective, they are
tough to explain; the concepts of public key encryption are not intuitive.

For most people EFS would work very well, especially on shared machines or
in an office environment... if there was the ability to move the private key
to a USB token/wallet-sized CD. Smart cards and PINs would be an
unnecessary complication. Physical control of the private key can be
compared to control of one's house/car key.

Thanks again.

Yours-
Ridge

----- Original Message -----
From: "Lars Olaussen" <Isolauss@hotmail.com>
Newsgroups: microsoft.public.platformsdk.security
Sent: Tuesday, July 20, 2004 1:50 AM
Subject: Re: Can Windows be pointed to other locations for private keys?

> "Ridge Cook" <RidgeCook@myrealboxdot.com> wrote ...

<snip>

> Ridge,
>
> The Cryptographic Service Provider (CSP) defines where
> the certificate's corresponding private key is stored.
>
> There are CSPs that allow for storing and using private
> keys in tokens, such as smartcards and USB tokens. Some are
> even provided with the Windows installation. But most
> will be installed when installing the token.
>
> A little information is provided here:
> http://www.microsoft.com/resources/documentation/
> IIS/6/all/techref/en-us/iisRG_SEC_41.mspx
>
>
> EFS requires Microsoft's own CSPs, the RSA Base Provider
> or the Enhanced provider.
>
> These CSPs store the credentials (private key) according
> to this document here:
>
> http://msdn.microsoft.com/library/en-us/security/security/
> system_store_locations.asp
>
> Since you can't use another CSP, you cannot change the
> store of the private keys. If you need stronger key protection
> for your file/disk encryption, you would have to use a
> 3rd party product. But just remember that even though
> the key protection could be better, the use and handling
> of the key might be worse.
>
> More about the components of EFS is in this document,
> and the other documents in the same chapter:
>
> http://www.microsoft.com/resources/documentation/Windows/
> XP/all/reskit/en-us/Default.asp?url=/resources/documentation/
> windows/xp/all/reskit/en-us/prnb_efs_kcef.asp
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
>
>
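Lars's point that the CSP, not the certificate, decides where the private key lives can be checked directly on a machine. The script below is an added example written for this thread, not code from either poster or from Microsoft: it lists the EFS certificates in the current user's personal store and, for each one, reports which provider holds the private key, the key container name, and whether the key is marked exportable or lives on a hardware device. It assumes Windows PowerShell with the standard `Cert:` drive; the EFS enhanced key usage OID `1.3.6.1.4.1.311.10.3.4` is the real value Windows stamps on EFS certificates. `CspKeyContainerInfo` is only exposed for keys held by a legacy CSP (the RSA Base/Enhanced providers Lars mentions), so keys held by a CNG provider are reported as `CNG/other`.

```powershell
# Added example (not from the thread): inventory EFS certificates in the
# current user's personal store and show which CSP holds each private key.
# Assumes Windows PowerShell with the Cert: provider available.

$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsKeyLocation {
    [CmdletBinding()]
    param(
        # Store to inspect; EFS user certificates normally sit in CurrentUser\My
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEkuOid } |
        ForEach-Object {
            $cert = $_
            $info = $null
            if ($cert.HasPrivateKey) {
                try {
                    # Only legacy CSP keys (RSACryptoServiceProvider) expose
                    # CspKeyContainerInfo; CNG keys throw or return $null here.
                    $info = $cert.PrivateKey.CspKeyContainerInfo
                } catch {
                    $info = $null
                }
            }

            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                # Provider name answers "which CSP owns this key" directly
                Provider      = if ($info) { $info.ProviderName }
                                elseif ($cert.HasPrivateKey) { 'CNG/other' }
                                else { '-' }
                KeyContainer  = if ($info) { $info.KeyContainerName } else { '-' }
                # True when a token/smartcard CSP holds the key off the disk
                HardwareKey   = if ($info) { $info.HardwareDevice } else { $null }
                # Exportable keys can be backed up to a PFX and moved off-box
                Exportable    = if ($info) { $info.Exportable } else { $null }
                MachineKeySet = if ($info) { $info.MachineKeyStore } else { $null }
            }
        }
}

# Run it: one row per EFS certificate found in the store
Get-EfsKeyLocation | Format-Table -AutoSize
```

On a default EFS setup the `Provider` column shows one of the Microsoft RSA providers and `HardwareKey` is `False`, which is the situation Lars describes: the key is a software key in the user's profile, protected only by the logon credentials. A `Subject` that matches the user and `HasPrivateKey` set to `False` is the symptom behind several of the "have the certificate but still denied" complaints, and `Exportable` tells you whether the key can be backed up to a PFX before that happens.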
