[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Information on key handling with Microsoft products (fwd)
> There's been some discussion recently on this news alias about how
> handles key management (and some related topics) in CryptoAPI (more
> specifically, the Microsoft base CSPs). Below is a document we've put
> together to help answer these questions.
> Product Manager, Windows NT Security
> Microsoft Corporation
> Microsoft's Response to Recent Questions on the Recovery
> of Private Keys from various Microsoft Products
> Recently, there has been discussion on some Internet forums about the
> methods Microsoft uses to store private keys in some of its products, as
> well as about CryptoAPI's role in key management. These discussions
> some inaccurate information about the PFX and PKCS-12 formats, as well as
> how Microsoft implements these formats in its products.
> This paper was prepared by the Microsoft Public Key Infrastructure team to
> provide some additional insight and clarification on these issues, and in
> some cases, identify long-term plans that Microsoft has to continue the
> improvement of security in our products.
> One area to clarify at the outset is the role of CryptoAPI. Implications
> that any key management problem on Microsoft's Internet products would be
> example of fundamental problems with CryptoAPI are absolutely inaccurate.
> CryptoAPI is a set of cryptographic technologies that are provided for use
> by other software--sort of a cryptographic toolbox. The actual
> functions are provided through Cryptographic Service Providers (CSPs),
> are implemented as DLLs. With the exception of the details about a
> PKCS-12 attack, all the issues raised in the recent discussions are
> specifically aimed at Microsoft's base CSPs, not at CryptoAPI. The base
> CSPs are the royalty-free, software-based CSPs provided with Windows NT
> Windows 95, and Internet Explorer. These attacks do not apply in general
> other CryptoAPI CSPs and do not indicate any fundamental concerns with the
> security of the CryptoAPI architecture or applications built upon it.
> Microsoft products do not "store" private key material using PKCS-12,
> contrary to recent descriptions on the Internet. For clarification,
> is a standard format, used for export/import of Public Key Certificates
> related key material. At present, the only Microsoft product that
> use of this format is Microsoft Internet Explorer 4.x. Internet Explorer
> uses PKCS-12 solely as a means of migrating a user's Certificate and
> public-private key pair between multiple Internet Explorer installations
> between Internet Explorer and other products, such as Netscape
> Some background might help. Microsoft originally developed the draft
> specification for an encrypted export/import format, referred to as PFX,
> the PFX specification was never implemented by Microsoft. Instead, the
> specification was handed over to RSA Labs and it became the draft PKCS-12
> specification. The design was then reviewed, and contributed to, by a
> number of other companies to arrive at the current PKCS-12 standard.
> Microsoft and Netscape have both implemented PKCS-12 with 40-bit
> This was done to provide a common, exportable solution that was completely
> The example of breaking a PKCS-12 data blob, which was given in discussion
> on the Internet, is not an attack on the "weak" cryptography of PKCS-12.
> Rather, it is simply a dictionary attack (long known and well understood
> cryptography), which works well if people use poorly-chosen passwords to
> protect the PKCS-12 data blob. Examples of such bad passwords include
> in the English dictionary. In our implementation of PKCS-12, we could
> possibly do some things to make brute-force attack against an exported
> PKCS-12 data blob more difficult. For example, performing a dictionary
> on the password before accepting it for encrypting the data blob would
> reduce the use of weak passwords. Alternatively, we could iterate the
> function to increase "diversity" making it much more expensive for an
> attacker to search. However, neither of these methods are required for
> protection of the data blob. Good security is always a combination of
> technology and policy. As part of a strong security policy, strong
> should be used on all resources. The Microsoft Security Advisor website
> (http://www.microsoft.com/security) has some guidelines for choosing
> One statement by the original poster argues that Microsoft managed to
> a security format that actually makes it easier to break into the
> data. As stated above, a number of well respected companies were involved
> extensively in the design and review of PKCS-12 before it became a
> An iteration count, which would make the type of attack described above
> difficult (in terms of time), was added late in the PKCS-12 evolution. It
> was, however, too late to make it into the Internet Explorer 4 product
> release. Future versions of Internet Explorer will include support for the
> an iteration count, further strengthening the security of exported key
> Of course, in general the PKCS-12 data objects will not be available on a
> user's machine, since they are only used by Internet Explorer 4.x when
> exporting key material to, or importing key material from another system.
> with any sensitive data, users should take care when working PKCS-12 data
> blobs and not leave them on their hard drives.
> Exploiting Internet Explorer
> One of the fundamental requirements to perform any possible cryptographic
> attack discussed in the recent postings is the assumption that a malicious
> entity could somehow access to data on a user's computer system, without
> permission or knowledge of the user. This is a large leap of faith.
> that are using Public Key Certificates today are generally sophisticated
> savvy users, or part of a larger corporate infrastructure with
> administrators. This class of users will certainly keep abreast of current
> security issues and install security-related patches and updates as they
> become available. Microsoft has been extremely responsive in dealing with
> all known Internet Explorer security attacks and has posted patches for
> currently known attacks. And, of course, security issues are certainly not
> limited to Microsoft software.
> Information on security-related issues with Microsoft products is
> on the Microsoft Security Advisor website at
> Attacks against Authenticode signing keys
> Another concern identified was that if a malicious hacker could steal a
> user's or company's Authenticode signing key, that hacker could sign
> with that key and distribute them. Then when other users tried to download
> the signed object, they would think the key's owner really signed the
> object, which might contain malicious code. The Authenticode program has
> been designed to ensure that only trusted programs are allowed to run on a
> users machine. As stated earlier Microsoft has been very responsive is
> addressing security issues with IE.
> However, it is extremely unlikely anyone could be successful with a
> simplistic strategy for stealing Authenticode signing keys and then using
> them. As noted above, there are security patches already released for
> Internet Explorer bugs that could possibly allow a key blob to be stolen
> a user's hard disk (assuming a user left an Authenticode 'key' file on
> hard disk). Second, anyone signing code using Authenticode technology is
> extremely unlikely to leave their key material sitting on an end user
> machine routinely used for browsing the Internet.
> Microsoft recommends storing key material, such as that used in
> Authenticode, in hardware tokens. Such tokens prevent any of these attacks
> from getting started as the keys are not stored in the PC and are not
> exportable. The Authenticode signing keys that Microsoft uses for all our
> software, for instance, are stored in such a physical hardware key storage
> Attacks on Encrypted Key material
> There is some confusion over the algorithms and methods that Microsoft
> to provide protection of encrypted key material in Internet Explorer when
> using the standard Microsoft base CSPs. There were changes between
> Explorer 3.0x and Internet Explorer 4.x specifically to address any
> concern. Note, this concern is unlikely to be valid for any third-party
> software CSP and is not relevant to hardware CSPs.
> Microsoft is constantly working to improve the security of our products.
> determined that there were better suited methods for storing keys than
> the RSA RC4 stream cipher algorithm used in Internet Explorer 3.0x. In
> particular, a stream cipher, such as RC4, is not ideally suited for this
> particular use because it can be susceptible to a "known-keystream
> In a known-keystream attack, if you know the plain text, which you
> might be able to determine given the number of standard PKCS-8 fields, you
> can recover the keystream. If you recover the keystream, then a XOR
> function will indeed decrypt anything else encrypted with the same key.
> However, Microsoft only used this RC4-based implementation in the base
> that shipped with Internet Explorer 3.0x. The CSPs that shipped in
> Explorer 4.x protect private key material in a form that is encrypted
> DES, which is a block cipher and is not susceptible to the known-keystream
> attack that can be used against RC4.
> Again, note that this kind of attack assumes some degree of security
> on the user's system such that the keystream could be obtained.
> Key export attacks
> The original Internet posting raises concern about the CryptoAPI interface
> CryptExportKey(). This function is fully documented and does indeed
> private key material in an encrypted format. The presence of the
> CryptExportKey() function is to support functionality such as migrating
> material between machines for a user or creating a backup copy of a key.
> should be noted however, that many CSPs, including most hardware based
> do not allow exportable private keys and will return and error in response
> to a CryptExportKey() request.
> Also, Microsoft's base software CSPs provide a means to mark keys as
> non-exportable when they are generated. An additional security protection
> is provided if the flag CRYPT_USER_PROTECTED is set, in which case each
> of the private key, including export, requires the user to supply a
> to access the key. Some commercial CAs are not currently setting this
> and do not provide the user a way to request it during Certificate
> enrollment. We recognize this as a problem. We will continue working
> CAs to assist them in supporting these security features. However, we
> also make available a utility to allow setting this flag after key
> generation for users concerned with this type of attack.
> The posting also asserts that an ActiveX control could be downloaded from
> web page, simply ask for the current users key, ship the key off for
> collection by an unscrupulous person, and then delete itself without a
> If users run unsigned code, or code from an unknown origin, a number of
> unpleasant things can happen. This could indeed occur if the key as been
> marked exportable and the CRYPT_USER_PROTECTED flag is not set. However,
> such a scenario assumes that the user follows few or no policies with
> to good security, such as running code from unknown sources. Similarly, if
> the user were running software from unknown/untrusted sources, that
> could reformat their hard drive, or manipulate other user data. This
> is certainly not new.
> There was also discussion of 16 dialog boxes appearing to the user for
> password if the CRYPT_USER_PROTECTED flag is set. Certainly asking the
> too many times would be better than too few times, however in our tests,
> under extreme (and uncommon cases), a user might be asked for their
> at most four times when a key is used with the Microsoft base CSPs.
> the claim came from an early beta release.
> Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
> contains important info including how to unsubscribe. Save time, search
> the archives at http://microsoft.ease.lsoft.com/archives/index.html