[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SecureFile
-----BEGIN PGP SIGNED MESSAGE-----
Anand Abhyankar wrote:
>
> SecureFile is not using the Win 95 password for encrypting the files.
> Win 95 or Win NT never hands over the password to any application.
Good.
>
> CAPI 2.0 is so nicely integrated with the OS that unless you have logged
> in you wont get access to you keys. Now SecureFile is CAPI 2.0 based
> application, so to use SecureFile you have to log in. Once this is done
> the crypto operations (encryption/signing) etc are performed using your
> keys.
>
> The advantage you gain is that, a separate SecureFile logon is not
> required and nobody but you will be able to access your keys as they are
> protected by the OS.
Out of curiosity, do you know how the keys are protected by windoze
itself?
I have the CAPI cd but have had all of 5 minutes to look at it. I would
presume they're hashing your password into a key and then encrypting
with
it, or encrypting another key with it. Any idea?
What is somewhat bothersome (and this would go for anything using CAPI
in the way your product does) is the reliance upon the windoze password.
If that were compromised, it seems all other CAPI integrated keys would
also be compromised. Let's hope they choose good passwords, and know not
to re-use the same one on the net somewhere. :-)
(BTW, does windoze allow arbitrary length passwords or phrases, or does
it
have a short limit?)
Jeremey.
- --
=-----------------------------------------------------------------------=
Jeremey Barrett VeriWeb Internet Corp.
Crypto, Ecash, Commerce Systems http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMyKP5y/fy+vkqMxNAQHayQQAlQ1URquOTf0LNqX4Gsw340KRNsz+e4hk
hJDaw61vNzWV7oCQtZeTYrpWYnf9nuZ0r3qaTGHE8b+s3whAEz7iXtS/DzNXz3dQ
0fce/EW9oMHjZa9xiilPb4FMbRMJJFShJ2WUSP/ZuMkaKXVftu5UG5I/FHxhpt+g
A4sqBEOangQ=
=PLfS
-----END PGP SIGNATURE-----