
List:       ms-cryptoapi
Subject:    Re: Information on key handling with Microsoft products
From:       Dr Stephen Henson <shenson () BIGFOOT ! COM>
Date:       1998-01-30 17:06:34


Alan Braggins wrote:
>
> Dr Stephen Henson <shenson@BIGFOOT.COM> writes:
> >
> > At least I *hope* it's possible to do things that way. The obscure
> > internals about how keys are encrypted in the registry are best kept
> > that way: obscure.
>
> If the keys are protected by sufficiently strong encryption,
> obscurity is unnecessary, if they aren't, it is insufficient.
>

My point is that if the actual public key algorithm is done on the host
PC (as opposed to external hardware) it is vulnerable because it must be
able to read the private key in unencrypted form to use it. It is thus
open to potential trojan attack no matter how well the key storage is
encrypted (this applies equally to other implementations e.g. Netscape).

I agree obscurity is insufficient. It is unfortunately the best that you
can do.

Steve.

