
List:       ms-cryptoapi
Subject:    Re: Embarrassment for choosing CAPI?
From:       Blair Dillaway <blaird () MICROSOFT ! COM>
Date:       1998-01-27 0:27:06


If you are running IE 4.x the approach described below doesn't work.  (There
were some direct dependencies on the Registry in CSPs shipped with IE 3.x,
but these weaknesses have been addressed in our current product).  The
export and/or key protection flag must be set at the time the key is
generated or imported into the Microsoft base CSPs.  This information is
actually stored, in an encrypted form, with the key blob.  This is why we'll
post a utility to let users change these settings if they're concerned.  The
operation requires the key actually be exported and then re-imported with
the new settings.  Note that there is no way to make a non-exportable key
exportable with this utility.

It is obviously preferable that the user be allowed to specify these
settings as part of the Certificate enrollment process.  We are working with
various CAs to try and make sure this is uniformly supported in the future.

Blair Dillaway
Program Manager, Microsoft Corp.

> -----Original Message-----
> From: John Boyer [SMTP:jboyer@MAILHOST.UWI.COM]
> Sent: Monday, January 26, 1998 12:09 PM
> To:   CryptoAPI@DISCUSS.MICROSOFT.COM
> Subject:      Embarrassment for choosing CAPI?
>
> Here's a little more fuel for this fire...  I just modified the registry
> entry for EExport from 01 to 00.  I was then able to successfully do a
> digital signature.  Furthermore, I was also able to successfully export
> the certificate using IE4 with no password request.  I even tried
> rebooting after the regedit change and before the IE4 export to ensure
> the system wasn't caching any export settings.
>
> Now I'm logged in as myself, so any question of encoding the export flag
> with the user's password is irrelevant.  What am I changing when I set
> EExport to 0?  Why am I able to export my cert.?  Why does it still work
> after I change it?
>
> Is it possible for regedit and other programs to change the user setting
> that demands a password before exporting keys?
>
> In essence, am I going to be embarrassed with my customers for choosing
> Microsoft CryptoAPI?
>
> John Boyer
> Software Development Manager
> UWI.Com -- The Internet Forms Company
> jboyer@uwi.com
> (250) 479 8334 ext. 143
>
>
> -----Original Message-----
> From: Neil Hopcroft <neil@JCP.CO.UK>
> To: CryptoAPI@DISCUSS.MICROSOFT.COM <CryptoAPI@DISCUSS.MICROSOFT.COM>
> Date: Monday, January 26, 1998 11:28 AM
> Subject: Re: Information on key handling with Microsoft products
>
>
> >> 1) You stated that Microsoft will put out a utility that can mark a
> >> cert. as user password protected from export after it is generated.
> >> Since this would break the CA's signature, obviously that flag isn't
> >> included in the signature.  So, what pieces exactly does the CA sign
> >> and what pieces of a cert. are modifiable?
> >
> >Presumably this is key data which is not actually placed into the
> >certificate...perhaps more worrying is that if MS can write a program
> >that prevents the key from being exported at a later stage what is to
> >prevent me (Johnny Hacker) from writing a program that briefly sets the
> >key to be exportable? Is this just a flag buried in the registry
> >somewhere or is the key encrypted so it means nothing without knowing
> >the password? Do programs which have legitimate reason to use keys
> >actually have access to them or do they just have access to the use of
> >them?
> >
> >> 4) I don't agree that your audience consists mostly of 'security savvy'
> >> users who will download all security patches.  A growing number of
> >> banks are trying very hard to get anyone with an internet connection
> >> (most of which will not fit your description) to do their banking over
> >> the web.  These people will often not know of security holes and their
> >> patches, and may take a while getting around to them.  It is therefore
> >> important to do more QA testing and work out the bugs before releasing
> >> this type of software.  In the meantime, perhaps it would help for us
> >> to have a document that we can distribute to all users of our software
> >> describing what steps they can take to ensure that their private keys
> >> REALLY are secure.
> >
> >Just because they know about security doesn't mean they aren't
> >vulnerable, surely? The sheer quantity of potential problems in IE makes
> >me query the value of supporting it in a trust based system, if ANYONE
> >wants into it they can get in...
> >
> >Neil
> >
> >----------------------------------------------------------------
> >Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
> >contains important info including how to unsubscribe.  Save time, search
> >the archives at http://microsoft.ease.lsoft.com/archives/index.html
> >
>

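The behaviour Blair describes (the exportable setting is fixed when the key is generated or imported into the base CSP, and the only way to change it is to export and re-import the key) can be observed through .NET's RSACryptoServiceProvider, which wraps the same CryptoAPI key containers. This is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell with .NET Framework, and the container names are made-up placeholders.

```powershell
# Added example (not from the thread). Windows only; container names are placeholders.

function New-CspRsaKey {
    param([string]$Container, [switch]$NonExportable)
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Container
    if ($NonExportable) {
        # Leaves CRYPT_EXPORTABLE off when the CSP generates the key.
        # The password-at-use setting discussed above would be
        # CspProviderFlags::UseUserProtectedKey (CRYPT_USER_PROTECTED).
        $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseNonExportableKey
    }
    # Generates the key pair in the named container (or opens it if it exists).
    return New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048, $csp
}

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Rsa)
    # ExportParameters($true) asks the CSP for the private half; a container
    # created without CRYPT_EXPORTABLE refuses with a CryptographicException.
    try   { [void]$Rsa.ExportParameters($true); return $true }
    catch [System.Security.Cryptography.CryptographicException] { return $false }
}

$exp = New-CspRsaKey -Container 'example-exportable'
$non = New-CspRsaKey -Container 'example-nonexportable' -NonExportable

"exportable container, private key exportable: $(Test-PrivateKeyExportable $exp)"
"non-exportable container, private key exportable: $(Test-PrivateKeyExportable $non)"

# Tightening an exportable key is the export-then-re-import operation the
# utility mentioned above performs: pull the key material out, then import it
# into a new container created without CRYPT_EXPORTABLE. There is no API path
# in the other direction, which is why a non-exportable key stays that way.
$blob = $exp.ExportParameters($true)
$csp  = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = 'example-reimported'
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseNonExportableKey
$re = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
$re.ImportParameters($blob)
"re-imported container, private key exportable: $(Test-PrivateKeyExportable $re)"

# Remove the three test containers from the key store.
foreach ($k in $exp, $non, $re) { $k.PersistKeyInCsp = $false; $k.Clear() }
```

The first and third lines of output should differ only in the exportable flag, which is exactly the setting the registry edit in the original post did not touch.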

