[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Long] How to recover private keys for various Microsoftproducts
At 4:29 AM +0000 1/21/98, Peter Gutmann wrote:
> How to recover private keys for Microsoft Internet Explorer, Internet
> Information Server, Outlook Express, and many others
> - or -
> Where do your encryption keys want to go today?
>
> Peter Gutmann, <[email protected]>
>
>Summary
>-------
>
>Microsoft uses two different file formats to protect users private keys, the
>original (unnamed) format which was used in older versions of MSIE, IIS, and
>other software and which is still supported for backwards-compatibility reasons
>in newer versions, and the newer PFX/PKCS #12 format. Due to a number of
>design and implementation flaws in Microsofts software, it is possible to break
>the security of both of these formats and recover users private keys, often in
>a matter of seconds. In addition, a major security hole in Microsofts
>CryptoAPI means that many keys can be recovered without even needing to break
>the encryption. These attacks do not rely for their success on the presence of
>weak, US-exportable encryption, they also affect US versions.
>
>As a result of these flaws, no Microsoft internet product is capable of
>protecting a users keys from hostile attack. By combining the attacks
>described below with widely-publicised bugs in MSIE which allow hostile sites
>to read the contents of users hard drives or with an ActiveX control, a victim
>can have their private key sucked off their machine and the encryption which
>"protects" it broken at a remote site without their knowledge.
>
Seems a good way to teach M$ a security lesson is to use Peter's code to snatch M$' ant significant keys on their corporate servers and publish. Of course, they're probably too smart to leave important data just lying around on unsecure '95/NT servers and instead use Linux ;-)
--Steve