Re: Can Windows be pointed to other locations for private keys?
From: Lars Olaussen (Isolauss_at_hotmail.com)
Date: 07/22/04
- Next message: Jorge MartÃnez: "Import certificates from tokens"
- Previous message: Victor Pereira: "Re: Token Privileges"
- In reply to: Ridge Cook: "Re: Can Windows be pointed to other locations for private keys?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 22 Jul 2004 15:02:44 +0200
"Ridge Cook" <RidgeCook@myrealboxdot.com> wrote ...
> It lists numerous Registry keys pointing to physical locations.
> I have those keys but no values are set.
>
> So the next question becomes, what is pointing the system to
> the locations if its not set in the Registry and can new Registry
> entries over ride the default and point to different locations.
> I don't know, not a Registry hoodoo man.
I would expect that the CSPs points to these locations, or that they
are hard coded into the EFS source code.
> Sorry if this sounds elementary . I agree 3rd party applications
> would be stronger, but EFS is not a bad idea, just relying on
> log on security to protect the private key is a bad idea. I'm
> active in some areas of the crypto community and while
> programs like PGP are very effective, they are tough to
> explain; the concepts of public key encryption are not intuitive.
I think EFS is a good idea myself, but the implementation
is not strong enough. But it is always difficult to get the right
balance between usability and security.
> For most people EFS , would work very well, especially on
> shared machines or in an office environment....if there was the
> ability to move the private key to a USB token/wallet sized
> CD. Smart cards and PINs would be an un-necessary
> complication. Physical control of the private key can be
> compared to control of one's house/car key.
If the keys are generated and backed up in a secure and
controlled environment, I would agree, that it works OK.
But there are many people out there who has lost too much
data by not having key backup. So I would recommend
people without knowledge of crypto to not get involved
with EFS yet. Especially if they do not back up their data
in clear text on a regular basis.
Physical control of the keys would be easier if the keys were
actually stored on a token. Then it would be more difficult for
key loggers and other rogue software to access the keys and
data, and the user would be in control.
To have the keys encrypted on a floppy/CD is a way to secure
the keys a bit, but the key material would be accessible to
applications on the computer. By using a token with a key
container and crypto engine, the keys would never be visible
to the host computer.
Requiring smartcard logon and combining this with EFS makes
EFS stronger, in the sense that the user password will be a
strong auto-generated password which again is used to secure
the credentials by DPAPI. Then the log on security provided
to secure the private key would be enhanced a bit.
Regards,
Lars Olaussen
Isolauss@hotmail.com
- Next message: Jorge MartÃnez: "Import certificates from tokens"
- Previous message: Victor Pereira: "Re: Token Privileges"
- In reply to: Ridge Cook: "Re: Can Windows be pointed to other locations for private keys?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
