Re: Need advice: Storing EFS, S/MIME, VPN certs on USB token

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 12/09/02


From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sun, 8 Dec 2002 23:11:03 -0700

Hi Paul,

I can appreciate your concerns, and your hope to minimize
the obligatory "pocket clutter".
However, at this point I think you are ahead of the
released technology. AFAIK there is no alternative
for use of EFS except having the private key loaded
into the OS's secure store.

There were changes made between W2k and XP that
have closed the loopholes that most endangered the stolen
laptop/harddrive issues. Namely the administrator is no
longer a default recovery agent everywhere, and the way
the secured store is accessed (actually, the old secure
store name is now outdated) via the DPAPI includes
the account's password, so LILO-based SAM password
zapping is ineffective. And, as indicated, the old way
of storing secrets is no more, which may help ease your
concerns from the W2k track-record.

In general it is, as you say, just common sense to not
keep the door key hanging beside the door. However,
in the case of the way access is controlled to the stored
cert key, someone would at a minimum need a detailed
understanding of how the system handles its secrets,
and quite a bit of determination. Whether this is shared
knowledge in industrial spying and forensics circles at
present I cannot say, but doubt. It is certainly not in
current cracker toolkits. Now that larger storages that
are quite small are available, which they were not just
a short time back (when XP was being finalized) it would
not be surprising to see an effort made to allow alternate
storage for one's private certs and keys in a way that would
allow them to be used as transparently by the OS as the
designed storage method. For now however, I know of
no such included alternative.

--
Roger
"Paul Lange" <pel@spaceship.com> wrote in message
news:6ea0366c.0212071545.3e63af5d@posting.google.com...
> Mr. Abell,
>
> I ask this question primarily with EFS in mind.  I work off of a
> laptop most of the time, and I'd like to begin storing encrypted files
> on it with EFS.
>
> However, it does not make sense philosophically to keep the key to
> your encrypted files on the same device as the encrypted files.
> Granted, it is protected by the master key encrypting the cert store,
> but if my laptop is stolen, all bets are off.
>
> I have to trust that the encryption protecting the cert store can't be
> hacked, and I'm not sure that Microsoft has earned that trust yet.
> They made a mess of that situation with Win2k.  And, again, it just
> doesn't make sense to me to keep the decryption cert on the same
> device as the encrypted files.
>
> From a security standpoint, yes, a USB token with a cert in the clear
> can be easily stolen and manipulated.  However, chances are, I will
> still have the encrypted files somewhere else.  I can revoke the
> stolen cert and rekey everything.  If my laptop is stolen, I can
> revoke the cert, but I can't do that for the EFS files on the laptop.
>
> So I turn to USB devices.  I have looked at smart cards, and I have
> looked at the proprietary equivalent of smart cards in USB tokens.  I
> like those options, but I want to minimize the bulge in my pocket.
> I'm already carrying a RSA SecurID token.  I'll soon be carrying a USB
> HDD for holding Palm device files and mp3s.  Add to that a proprietary
> smart card / USB token solution, and I'm up to three devices plus my
> car keys and the other obligatory pocket Stuff.
>
> At this point, to help consolidate some of these, I'm willing to take
> the risk of keeping my cert in the clear on my USB HDD.  As far as
> backup goes, I can always put a copy of the cert on a floppy and keep
> it somewhere safe in case I lose the USB HDD to misplacement,
> accident, or theft.
>
> However, I don't like having to do the manual export/import game every
> time I need to encrypt or decrypt.  That's a pain I'd like to avoid,
> if possible.
>
>  - Paul Lange
>
>
>
> "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
news:<OcTBH1AnCHA.2344@TK2MSFTNGP10>...
> > "Paul Lange" <pel@spaceship.com> wrote in message
> > news:6ea0366c.0212041533.7260f57f@posting.google.com...
> > > I have become interested in the use of certs for EFS, S/MIME, and VPN
> > > tunnels under Windows XP Professional.  However, I am concerned about
> > > security, and I would like to have the private key of the cert(s) for
> > > those services saved on a removable device.
> > >
> > > Ideally, I would like to be able to save a cert to a USB keychain HDD
> > > and have XP query that device when it comes time to use the private
> > > key of the cert.  However, I would also like to use the USB keychain
> > > HDD for something other than a cert store, say perhaps a file store
> > > for use with additional devices.
> > >
> > > What options exist out there to address this need?
> > >
> > > Thanks in advance,
> > >
> > >  - Paul Lange
> >
> > The Certificates mmc snap-in is used to export
> > certificates, with and without the private key.
> > You can then copy (and should, followed by
> > a delete) the exported file off to other storage.
> > Some usb ramdrives come with software that
> > partitions the storage into an encrypted and a
> > non-encrypted part.
> > However, in order for XP to use a cert or the
> > private key one must first import these.  So,
> > if you export them and have them removed
> > from the certificate store (using the Certificates
> > interface) you would have to get them back
> > into the Certificates store before they could be
> > used.
> > Finally, one must question why you want to do
> > this since the certificates store is most likely a
> > safer place to keep these compared to a usb
> > keychain device.  I do appreciate the ease and
> > portability.  It is just that the certificates store
> > is protected with some rather deep strategy and
> > strong algorithmic technology, which you may
> > be underestimating.
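One way to script the export / remove / re-import cycle that the quoted reply describes doing by hand in the Certificates MMC snap-in. This is an added example, not code from the thread; it assumes a current Windows with the PKI PowerShell module (Export-PfxCertificate, Import-PfxCertificate), and the removable-drive path is an assumption.

```powershell
# Added example: move the user's EFS private key off the laptop onto removable
# storage and bring it back only when needed. Assumes the PKI module (Windows 8 /
# Server 2012 or later); $PfxPath is an assumed removable-drive location.
$PfxPath = 'E:\efs-key.pfx'            # assumed path on the USB device
$EfsEku  = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCert {
    # Personal-store certificates that carry the EFS EKU and have a private key present.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $EfsEku) }
}

function Export-EfsKeyToToken {
    param([Parameter(Mandatory)][SecureString]$Password)
    $cert = Get-EfsCert | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
    # Certificate plus private key as a password-protected PKCS#12 (PFX) file.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    # The "followed by a delete" step: remove the laptop's copy. -DeleteKey also removes
    # the private-key container from the CSP; without it the key material stays on disk.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    return $cert.Thumbprint
}

function Import-EfsKeyFromToken {
    param([Parameter(Mandatory)][SecureString]$Password)
    if (-not (Test-Path $PfxPath)) { throw "Token not present: $PfxPath" }
    # -Exportable keeps the round trip possible; omit it to pin the key to this machine.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
                          -Password $Password -Exportable | Out-Null
}

# Usage:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-EfsKeyToToken -Password $pw      # before the laptop leaves the office
#   Import-EfsKeyFromToken -Password $pw    # when encrypted files must be read
```

Note that if a file is encrypted with EFS while the key is absent, Windows silently generates a new self-signed EFS certificate, so files from that window are protected by a different key than the one on the token.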

