Re: Where is the 2k/XP certificate store in the registry?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/30/04


Date: Thu, 29 Jul 2004 22:55:30 -0700

Hi Mike,
Actually, lsass via winlogon can interact and does for
example in smart card logon. When XP came out there
were no smart cards with sufficient room to hold EFS
cert/key, plus it would take extension programming as
was needed for smartcard login, but certainly doable.
If cert/key is on the external storage, but cert without
decryption key is loaded on machine, then files can be
encrypted without triggering generation of new cert/key
pair.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Miha Pihler" <miha-news@atlantis.si> wrote in message
news:e4688HdbEHA.4092@TK2MSFTNGP10.phx.gbl...
> Hi Ridge,
>
> what you are describing is true for all certificate purposes but EFS. The
> only location where EFS can reside for it to work is local hard disk. If
> this was not true, a lot of people (including me) would be using EFS
> certificates on smart card.
>
> The problem is in LSASS.EXE design. It is designed to not interact with
> desktop so when I have my certificate on smart card it can't ask me for PIN
> (interaction with desktop). The second limitation is you have your EFS on
> your USB disk or smart card, but they are not inserted into a computer. You
> select a bunch of files on your hard drive and select encrypt. You just
> created a new pair of keys (new set) with which this set of files will be
> encrypted. Again this is a limitation of lsass.exe because it can't ask you
> ... Please insert USB or smart card for EFS certificates... (interaction
> with desktop).
>
> Microsoft promised to fix this in next version of Windows...
>
> Still on the subject, certificates are no longer stored in registry, but are
> stored in your profile.
>
> C:\Documents and Settings\%username%\Application Data\Microsoft\Protect\{GUID}
>
> Mike
>
> "Ridge Cook" <RidgeCook@myrealboxdot.com> wrote in message
> news:uRVKc.4867$f4.4293@newsread3.news.atl.earthlink.net...
> > To all-
> >
> > PGP and other programs allow the app to be pointed to different locations
> > for the private key store, including a floppy/CD/USB token. Thus keeping
> > the private key off machine for added protection.  If you want to decrypt a
> > PGP message, slip that USB token into the slot and start up the program.
> > It occurs to me that the very same thing could be done with EFS, *if*
> >
> > a) the local machine/personal account store can be found
> > b) the registry can be changed to point to a different location.
> >
> > Doing this would really enhance data protection on 2k/XP.
> >
> > The weakness of EFS is, (2k) using a data recovery agent and unlocking the
> > private keys by a simple account log on; easy enough to hijack if physical
> > access can be gained.
> >
> > If that can be changed by moving the certs off machine, then to access a
> > file, just slip that CD or USB token in to place, attempt to open, the
> > Registry says- "Look on E:\", it goes to E: and uses the private key there.
> >
> > Does anyone know where in the Registry the local machine and personal
> > account certificates are stored and can it redirect cert location?
> >
> > Thanks
> >
> > Yours-
> > Ridge Cook
> >
> >
> >
>
>
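Added example (editor's note, not from any poster in this thread): a PowerShell script that answers the thread's practical question by enumerating the current user's personal certificate store, picking out the certificates carrying the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4), and reporting whether the matching private key is available on the machine. It assumes the standard layout on NT-family Windows: the user's personal store is mirrored in the registry under HKCU\Software\Microsoft\SystemCertificates\My\Certificates\<thumbprint>, and legacy CAPI private keys (the kind EFS uses) live as files under %APPDATA%\Microsoft\Crypto\RSA\<SID>, protected by the DPAPI master keys under %APPDATA%\Microsoft\Protect. A certificate that shows HasPrivateKey = False is exactly the "cert without decryption key loaded on machine" situation Roger describes: Windows can still encrypt to it, but cannot decrypt without the key.

```powershell
# Added example, not code from the thread. Requires Windows PowerShell on a
# Windows host; the registry and profile paths below are assumptions about
# the standard store layout, stated in the lead-in.

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$sid    = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$rsaDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

function Get-EfsCertificateInfo {
    # Cert:\CurrentUser\My is the "Personal" store of the logged-on user.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        ForEach-Object {
            $cert    = $_
            $regPath = "HKCU:\Software\Microsoft\SystemCertificates\My\Certificates\$($cert.Thumbprint)"
            $keyFile = $null

            if ($cert.HasPrivateKey) {
                # Legacy CSP keys expose the key container file name; CNG keys
                # or keys on a smart card will not, so fall through quietly.
                try {
                    $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                    if ($name) { $keyFile = Join-Path $rsaDir $name }
                } catch { }
            }

            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey      # False = cert only, cannot decrypt
                RegistryEntry = (Test-Path $regPath)     # cert blob mirrored in HKCU
                KeyFile       = $keyFile                 # DPAPI-protected CAPI key file, if any
                KeyFileExists = ($keyFile -and (Test-Path $keyFile))
            }
        }
}

Get-EfsCertificateInfo | Format-List
```

Run it as the user whose files are of interest; the key file path is the artefact to back up (with `cipher /x` on XP SP2 and later) or to remove when you want the machine to hold the certificate but not the decryption key.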

