Where is the 2k/XP certificate store in the registry?


Ridge Cook

To all-

PGP and other programs allow the app to be pointed to different locations
for the private key store, including a floppy/CD/USB token, thus keeping
the private key off the machine for added protection. If you want to decrypt a
PGP message, slip that USB token into the slot and start up the program.

It occurs to me that the very same thing could be done with EFS, *if*

a) the local machine/personal account store can be found
b) the registry can be changed to point to a different location.

Doing this would really enhance data protection on 2k/XP.

The weakness of EFS (2k) is using a data recovery agent and unlocking the
private keys by a simple account log-on, which is easy enough to hijack if
physical access can be gained.

If that can be changed by moving the certs off the machine, then to access a
file you would just slip that CD or USB token into place and attempt to open
it; the Registry says "Look on E:\", it goes to E: and uses the private key there.

Does anyone know where in the Registry the local machine and personal
account certificates are stored and can it redirect cert location?

Thanks

Yours-
Ridge Cook

Miha Pihler

Hi Ridge,

What you are describing is true for all certificate purposes but EFS. The
only location where the EFS certificate can reside for it to work is the local
hard disk. If this were not true, a lot of people (including me) would be
using EFS certificates on smart cards.

The problem is in the LSASS.EXE design. It is designed not to interact with
the desktop, so when I have my certificate on a smart card it can't ask me for
the PIN (interaction with the desktop). The second limitation: you have your EFS
certificate on your USB disk or smart card, but it is not inserted into the
computer. You select a bunch of files on your hard drive and select encrypt.
You have just created a new pair of keys (new set) with which this set of files
will be encrypted. Again, this is a limitation of lsass.exe, because it can't
ask you "... Please insert USB or smart card for EFS certificates ..."
(interaction with the desktop).

Microsoft promised to fix this in next version of Windows...

Still on the subject, certificates are no longer stored in the registry, but are
stored in your profile:

C:\Documents and Settings\%username%\Application Data\Microsoft\Protect\{GUID}

Mike

Ridge Cook

Dear Mike-

Thanks for the reply.

The certs are stored in the
Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates
folder.

But I can find no registry key pointing to that location.

> The problem is in LSASS.EXE design. It is designed to not interact with
> desktop so when I have my certificate on smart card it can't ask me for
> PIN.

I know this is the protocol for EFS, using account log-on security to
protect the files (a crazy idea); but if the private key could be shifted
elsewhere, then you would be depending on physical possession of a cert.
Not having a PIN might be acceptable in some circumstances. A 4-6 digit PIN
has limited security anyway, and smart cards can be manipulated to give up
their information. That's not my concern at present.
> The second limitation is you have your EFS on
> your USB disk or smart card, but they are not inserted into a computer. You
> select a bunch of files on your hard drive and select encrypt. You just
> created new pair of keys (new set) with which this set of files will be
> encrypted.

This is SoP for EFS.

I guess I was hoping that the EFS call could be directed to another location
than wherever the certs are stored. The hybrid PK encryption
process is part of the Crypt API (I assume), as it's the same process as
S/MIME, SSL, and IPSec. I know IPSec can be linked to a smart card for
authentication; I just wonder why the others can't. Perhaps it's hard-coded
into the API. Don't know, but maybe a Win SDK holder can help.

Found this about CertMgr and the Crypt API:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certmgr.asp
"... A system store is a certificate store normally located in the registry
under currentUser. The user can refer to a system store by providing just
its name. It is not necessary to specify the certificate store provider
type. Depending on the type of StoreFile or system store, CertMgr chooses
the corresponding store provider type. ..."

But I don't see it under 'currentUser'

Still looking.

Thanks again-

Ridge

----------------------------------




Miha Pihler said:
Hi Ridge,
<snip>
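As an added example (not part of the thread, and not anything either poster ran), the following PowerShell script answers the "where is the store" question directly: it checks both physical halves of the CurrentUser "My" store, the registry key and the profile folder, shows where the DPAPI-protected private keys sit, and lists which certificates in the store carry the EFS enhanced key usage. It assumes Windows Vista or later with PowerShell 3 or newer; the %APPDATA% paths are the later equivalents of the "Documents and Settings\<username>\Application Data\..." folders quoted above (that mapping is my assumption, not something the thread states). It does not attempt the redirection Ridge is asking about.

```powershell
# Added example, not from this thread. Enumerates the CurrentUser "My"
# certificate store in both of its physical locations (registry and profile)
# and lists EFS-capable certificates. Assumes Windows Vista+ with PowerShell 3+;
# the %APPDATA% paths below stand in for the XP-era
# "Documents and Settings\<user>\Application Data\..." folders (assumption).

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. Registry side of the store. Each certificate is a subkey named by its SHA-1
#    thumbprint under HKCU\Software\Microsoft\SystemCertificates\My\Certificates.
$regStore = 'HKCU:\Software\Microsoft\SystemCertificates\My\Certificates'
"Registry store ($regStore) present: " + (Test-Path $regStore)
if (Test-Path $regStore) {
    Get-ChildItem $regStore | ForEach-Object { '  ' + $_.PSChildName }
}

# 2. File side of the store: the same thumbprints as files under the roaming profile.
$fileStore = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
"Profile store ($fileStore) present: " + (Test-Path $fileStore)
if (Test-Path $fileStore) {
    Get-ChildItem $fileStore | ForEach-Object { '  ' + $_.Name }
}

# 3. Private keys are in neither place. CAPI RSA key containers live under
#    ...\Crypto\RSA\<SID>, DPAPI-protected with master keys under ...\Protect\<SID>.
foreach ($dir in 'Microsoft\Crypto\RSA', 'Microsoft\Protect') {
    $p = Join-Path $env:APPDATA $dir
    "$p present: " + (Test-Path $p)
}

# 4. Which certificates in the store carry the EFS EKU, and is a private key present?
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ekuExt = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt -and (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsEku)) {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
        }
    }
} | Format-Table -AutoSize
```

Run it as the user whose store you care about; the Cert: drive and HKCU both resolve to the current logon session. A certificate reported with HasPrivateKey = True has its key container in the Crypto\RSA folder from step 3, and that container is exactly what the account log-on unlocks through DPAPI, which is the property Ridge is objecting to. Step 1 is also the answer to the CertMgr quote: the "system store normally located in the registry under CurrentUser" is HKCU\Software\Microsoft\SystemCertificates, not a single pointer value you can repoint.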

Roger Abell

Hi Mike,
Actually, lsass via winlogon can interact, and does, for
example in smart card logon. When XP came out there
were no smart cards with sufficient room to hold the EFS
cert/key, plus it would take extension programming, as
was needed for smart card login, but it is certainly doable.
If the cert/key is on the external storage, but the cert without
the decryption key is loaded on the machine, then files can be
encrypted without triggering generation of a new cert/key
pair.

Roger Abell

XP and later uses DPAPI to store these.
With EFS, key storage on smart cards would not fit
in the timeframe when XP was developed.