Re: Where is the 2k/XP certificate store in the registry?

From: Miha Pihler (miha-news_at_atlantis.si)
Date: 07/19/04


Date: Mon, 19 Jul 2004 22:49:58 +0200

Hi Ridge,

What you are describing is true for all certificate purposes but EFS. The
only location where the EFS certificate can reside for it to work is the local
hard disk. If this were not true, a lot of people (including me) would be
using EFS certificates on a smart card.

The problem is in the LSASS.EXE design. It is designed not to interact with
the desktop, so when I have my certificate on a smart card it can't ask me for
the PIN (interaction with the desktop). The second limitation is that you have
your EFS certificate on your USB disk or smart card, but it is not inserted
into the computer. You select a bunch of files on your hard drive and select
encrypt. You have just created a new pair of keys (a new set) with which this
set of files will be encrypted. Again, this is a limitation of lsass.exe
because it can't ask you "... Please insert USB or smart card for EFS
certificates ..." (interaction with the desktop).

Microsoft promised to fix this in the next version of Windows...

Still on the subject, certificates are no longer stored in the registry, but
are stored in your profile:

C:\Documents and Settings\%username%\Application Data\Microsoft\Protect\{GUID}

Mike

"Ridge Cook" <RidgeCook@myrealboxdot.com> wrote in message
news:uRVKc.4867$f4.4293@newsread3.news.atl.earthlink.net...
> To all-
>
> PGP and other programs allow the app to be pointed to different locations
> for the private key store, including a floppy/CD/USB token, thus keeping
> the private key off the machine for added protection. If you want to
> decrypt a PGP message, slip that USB token into the slot and start up the
> program.
>
> It occurs to me that the very same thing could be done with EFS, *if*
>
> a) the local machine/personal account store can be found
> b) the registry can be changed to point to a different location.
>
> Doing this would really enhance data protection on 2k/XP.
>
> The weakness of EFS is (2k) using a data recovery agent and unlocking the
> private keys by a simple account logon; easy enough to hijack if physical
> access can be gained.
>
> If that can be changed by moving the certs off the machine, then to access
> a file, just slip that CD or USB token into place, attempt to open, the
> Registry says "Look on E:\", it goes to E: and uses the private key there.
>
> Does anyone know where in the Registry the local machine and personal
> account certificates are stored and can it redirect cert location?
>
> Thanks
>
> Yours-
> Ridge Cook
>
>
>
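Both messages above turn on where the user's certificate store and the EFS private key actually live on disk. The PowerShell script below is an added example and is not part of either post. It assumes it runs as the logged-on user under Windows PowerShell 5.1 or later on a machine where EFS has been used at least once; the EFS enhanced-key-usage OID, the HKCU SystemCertificates registry path, the Crypto\RSA key-file path and the Protect folder are the standard Windows locations, and the output field names are my own. It lists the user's EFS certificate, the registry key that backs the CurrentUser\My store, the DPAPI-protected private key file under the profile, and the DPAPI master key folder the reply points at.

```powershell
# Added example, not code from the original thread. Shows where the pieces of an
# EFS credential live for the current user: certificate (registry-backed store),
# private key (DPAPI-protected file under the profile) and DPAPI master keys.

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS, the EFS enhanced key usage
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# 1. The "personal" store the question asks about is Cert:\CurrentUser\My.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate in CurrentUser\My; encrypt one file as this user and rerun.'
    return
}

foreach ($cert in $efsCerts) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        # For CurrentUser the certificate blob itself is registry-backed; this is the
        # key a "point the store elsewhere" approach would have to touch.
        StoreKey   = "HKCU:\Software\Microsoft\SystemCertificates\My\Certificates\$($cert.Thumbprint)"
    } | Format-List

    # 2. The private key is NOT in the certificate store. EFS keys are CryptoAPI (CAPI)
    #    containers: a DPAPI-protected file under the profile, named by the unique
    #    container name. Accessing .PrivateKey throws for CNG keys, so guard it.
    $rsa = $null
    try { $rsa = $cert.PrivateKey } catch { }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info    = $rsa.CspKeyContainerInfo
        $keyFile = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$($info.UniqueKeyContainerName)"
        "Key container : $($info.KeyContainerName)"
        "Provider      : $($info.ProviderName)"
        "Key file      : $keyFile (exists: $(Test-Path $keyFile))"
    } else {
        'Private key is not a CAPI RSA key (CNG or not present); inspect with: certutil -user -store My'
    }
}

# 3. The Protect folder named in the reply holds the user's DPAPI master keys. The key
#    file above is wrapped with one of them, and the master key is derived from the
#    logon password, which is why a plain account logon (or the recovery agent) is
#    what really unlocks EFS. The files are hidden, hence -Force.
Get-ChildItem (Join-Path $env:APPDATA "Microsoft\Protect\$sid") -Force |
    Select-Object Name, Length, LastWriteTime
```

Run it as the user whose files are encrypted; the key file and the Protect folder will not be readable from another account. Note that moving the certificate blob out of the registry would not help by itself: the private key file and the master key that protects it are what a thief with the logon password actually uses.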


