PC Review



Where is the 2k/XP certificate store in the registry?

 
 
Ridge Cook
19th Jul 2004
To all-

PGP and other programs allow the app to be pointed to different locations
for the private key store, including a floppy/CD/USB token. Thus keeping
the private key off machine for added protection. If you want to decrypt a
PGP message, slip that USB token into the slot and startup the program.

It occurs to me that the very same thing could be done with EFS, *if*

a) the local machine/personal account store can be found
b) the registry can be changed to point to a different location.

Doing this would really enhance data protection on 2k/XP.

The weakness of EFS is, (2k) using a data recovery agent and unlocking the
private keys by a simple account logon; easy enough to hijack if physical
access can be gained.

If that can be changed by moving the certs off machine, then to access a
file, just slip that CD or USB token in to place, attempt to open, the
Registry says- "Look on E:\", it goes to E: and uses the private key there.

Does anyone know where in the Registry the local machine and personal
account certificates are stored and can it redirect cert location?

Thanks

Yours-
Ridge Cook



 
Reply With Quote
 
 
 
 
Miha Pihler
Guest
Posts: n/a
 
      19th Jul 2004
Hi Ridge,

what you are describing is true for all certificate purposes but EFS. The
only location where EFS can reside for it to work is local hard disk. If
this was not true, a lot of people (including me) would be using EFS
certificates on smart card.

The problem is in LSASS.EXE design. It is designed to not interact with
desktop so when I have my certificate on smart card it can't ask me for PIN
(interaction with desktop). The second limitation is you have your EFS on
your USB disk or smart card, but they are not inserted into a computer. You
select a bunch of files on your hard drive and select encrypt. You just
created new pair of keys (new set) with which this set of files will be
encrypted. Again this is limitation of lsass.exe because it can't ask you
... Please insert USB or smart card for EFS certificates... (interaction
with desktop).

Microsoft promised to fix this in next version of Windows...

Still on the subject, certificates are no longer stored in registry, but are
stored in your profile.

C:\Documents and Settings\%username%\Application Data\Microsoft\Protect\{GUID}

Mike

"Ridge Cook" <(E-Mail Removed)> wrote in message
news:uRVKc.4867$(E-Mail Removed)...



 
Ridge Cook
20th Jul 2004
Dear Mike-

Thanks for the reply.

The certs are stored in the
Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates folder.

But I can find no registry key pointing to that location.


> The problem is in LSASS.EXE design. It is designed to not interact with
> desktop so when I have my certificate on smart card it can't ask me for
> PIN.

I know this is the protocol for EFS, using account logon security to
protect the files (a crazy idea); but if the private key could be shifted
elsewhere, then you would be depending on physical possession of a cert.
Not having a PIN might be acceptable in some circumstances. A 4-6 digit PIN
has limited security anyway and smartcards can be manipulated to give up
their information. That's not my concern at present.

> The second limitation is you have your EFS on
> your USB disk or smart card, but they are not inserted into a computer. You
> select a bunch of files on your hard drive and select encrypt. You just
> created new pair of keys (new set) with which this set of files will be
> encrypted.


This is SoP for EFS.

I guess I was hoping that the EFS call could be directed to another location
than wherever the certs are stored. The hybrid PK encryption
process is part of the Crypt.api (I assume) as it's the same process as
S/MIME, SSL, and IPSec. I know IPSec can be linked to a smart card for
authentication, just wonder why the others can't. Perhaps it's hard coded
into the .api. Don't know but maybe a Win SDK holder can help.

Found this about CertMgr and crypt.api-

http://msdn.microsoft.com/library/de...ty/certmgr.asp
"... A system store is a certificate store normally located in the registry
under currentUser. The user can refer to a system store by providing just
its name. It is not necessary to specify the certificate store provider
type. Depending on the type of StoreFile or system store, CertMgr chooses
the corresponding store provider type. ..."

But I don't see it under 'currentUser'

Still looking.

Thanks again-

Ridge

----------------------------------




"Miha Pihler" <miha-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Ridge,
>

<snip>
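The question running through this thread (which store EFS actually depends on, and whether the private key is reachable from the logon alone) can be answered on a current Windows machine with the inventory below. This is an added example, not code from the thread, from Microsoft, or from any of the posters. It assumes Windows PowerShell 5.1 with the Cert: drive; the registry location HKCU\Software\Microsoft\SystemCertificates\My\Certificates is the per-user MY store, and the EFS\CurrentKeys\CertificateHash value is named from memory and guarded with Test-Path, so treat that part as an assumption. The profile paths quoted in the posts above (Application Data\Microsoft\Protect\{GUID} and ...\SystemCertificates\My\Certificates) are the XP-era counterparts of the folders it lists.

```powershell
# Added example (not from the thread): inventory the material EFS depends on for
# the current user, so you can tell which certificate it will use, whether this
# machine holds the private key, and where the logon-protected key files sit.
# Assumes Windows PowerShell 5.1 and the Cert: provider.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. EFS-capable certificates in the user's personal (MY) store, as the Cert: drive shows them.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku }
}
foreach ($c in $efsCerts) {
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # $false: this profile cannot decrypt with it
    }
}

# 2. The same store seen through the registry: each subkey name is a thumbprint.
$myStoreKey = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'
if (Test-Path $myStoreKey) {
    "Certificates registered under $myStoreKey : " + (Get-ChildItem $myStoreKey).Count
}

# 3. The certificate EFS will use for new encryptions. Assumption: the hash is kept
#    in the CertificateHash (REG_BINARY) value under EFS\CurrentKeys.
$currentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
if (Test-Path $currentKeys) {
    $hash = (Get-ItemProperty $currentKeys -ErrorAction SilentlyContinue).CertificateHash
    if ($hash) {
        'Current EFS certificate hash: ' + (($hash | ForEach-Object { $_.ToString('X2') }) -join '')
    }
}

# 4. Where the private-key blobs and the DPAPI master keys that wrap them live.
#    Both are unlocked by the user's logon credentials, which is the exposure the
#    thread discusses: possession of the logon, not of a token, opens them.
$keyDirs = @(
    "$env:APPDATA\Microsoft\Crypto\RSA",   # CAPI RSA private-key blobs (per-SID subfolder)
    "$env:APPDATA\Microsoft\Protect"       # DPAPI master keys ({GUID}-named files)
)
foreach ($d in $keyDirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -Recurse -File | Select-Object FullName, Length, LastWriteTime
    }
}

# 5. Before relying on EFS, check an encrypted file's access list: cipher.exe /c
#    reports the users and recovery agents able to decrypt it, which is how you
#    confirm whether a Data Recovery Agent is in effect.
# cipher /c "C:\path\to\an\encrypted\file.txt"
```

Run it as the user whose files are in question; a certificate listed with HasPrivateKey set to $false is exactly the situation Roger describes later in the thread (certificate present, decryption key held elsewhere), and the DPAPI folder listing shows that the key material on the local profile is what a simple logon unlocks.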


 
Roger Abell
30th Jul 2004
Hi Mike,
Actually, lsass via winlogon can interact and does for
example in smart card logon. When XP came out there
were no smart cards with sufficient room to hold EFS
cert/key, plus it would take extension programming as
was needed for smartcard login, but certainly doable.
If cert/key is on the external storage, but cert without
decryption key is loaded on machine, then files can be
encrypted without triggering generation of new cert/key
pair.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Miha Pihler" <miha-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...



 
Roger Abell
30th Jul 2004
XP and later uses DPAPI to store these.
With EFS, key storage on smart cards would not fit
in the timeframe when XP was developed.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Ridge Cook" <(E-Mail Removed)> wrote in message
news:ie0Lc.5624$(E-Mail Removed)...



 