How to make the private key of a certificate entirely non-exportable from the personal store?

How to make privatekey of a certificate entirely non exportable from personal store? GNUlihd 04-06-2007
Posted by S. Pidgorny on April 9, 2007, 1:44 am
G'day:


> With what key will you encrypt the private key? For example, if you use
> EFS for this, you will create a deadlock, because to decrypt your private
> key you will need that private key! So you need some other key...

You can assign password protection when you generate the keys, can't you?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by Nick Domukhovsky on April 9, 2007, 2:03 am
> G'day:
>
>
>> With what key will you encrypt the private key? For example, if you use
>> EFS for this, you will create a deadlock, because to decrypt your private
>> key you will need that private key! So you need some other key...
>
> You can assign password protection when you generate the keys, can't you?
>
Yes. And this variant has already been mentioned. So there is no need to
invent a bicycle...


--
With best regards
Nickolay Domukhovsky, MCSA

Posted by GNUlihd on April 6, 2007, 5:53 am
http://matrixalaya.blogspot.com/2007/03/exporting-non-exportable-certificates.html


Posted by S. Pidgorny on April 6, 2007, 8:12 pm
The problem: I can create a disc image of a system, and it will include all
the cryptographic material stored there.
How do I mitigate the risk: full disc encryption. Preferably, Vista's
BitLocker.

Nice utility though.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> http://matrixalaya.blogspot.com/2007/03/exporting-non-exportable-certificates.html



Posted by Can Balioglu on April 7, 2007, 5:56 am
Hi,

The information in the blog is actually wrong. First, there is no such
thing as a "non-exportable certificate". The correct term must be "certificate
having a non-exportable private key". And you can never export a
non-exportable private key. This would be one of the biggest vulnerabilities
in Windows history.

Calling the CertSaveStore function just serializes the specified certificate
store, including all certificates in that store and all *Microsoft-specific
certificate context properties* associated with these certificates. One of
these context properties points to the key container of the certificate's
private key. So only the "name" of the key container is serialized. If this
whole serialization/deserialization process occurs on the same system, then
both the original and the duplicated version of the certificate will point
to the same key container, which makes you think that you also have a
duplicated private key.

If you deserialize the store on a different system, then the "View
Certificate" dialog of CryptoAPI mistakenly indicates that the certificate
has a private key, without checking the existence of the key container.
However, if you try to use any functionality requiring the private key
(signing, encrypting, etc.) you will receive the error NTE_BAD_KEYSET,
meaning that the key container does not exist.

So do not worry about exportable "non-exportable certificates".

Regards...

Can Balioglu
can.balioglu at averina.com

Averina Software - Code Signing and IT Security Solutions
http://www.averina.com



> As we know, a non-exportable certificate can be exported along with its
> private key programmatically, or even without using any program
> (http://matrixalaya.blogspot.com/2007/03/exporting-non-exportable-certificates.html).
> How to make the private key of a certificate entirely
> non-exportable from the personal store?
>
> In my case the security of the certificate is very important and the
> machine owner should not be bothered about any password after the
> certificate is once installed on the machine. It is also important
> that the private key needs to be entirely non-exportable.
>
> Is it possible or any work around?
>
> Thanks in advance,
> GNUlihd
>

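As an added illustration of the point Can Balioglu makes above (this is not code from the thread or from any poster), the following PowerShell snippet distinguishes certificates in the current user's Personal store that merely carry the name of a key container from ones whose private key can actually be used on this machine, by attempting a real signing operation, and reports whether a usable key is marked exportable. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+ (for RSACertificateExtensions); the probe payload is constructed.

```powershell
# Added example: probe each certificate in Cert:\CurrentUser\My for a
# reachable, usable private key instead of trusting HasPrivateKey alone.
$payload = [System.Text.Encoding]::UTF8.GetBytes("key-container-probe")  # constructed test input

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $result = [ordered]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        ClaimsKey  = $cert.HasPrivateKey   # same flag the "View Certificate" dialog shows
        KeyUsable  = $false
        Exportable = $null
        Error      = $null
    }
    if ($cert.HasPrivateKey) {
        $rsa = $null
        try {
            # Opening the RSA key resolves the referenced key container; signing
            # forces the CSP/KSP to actually load the key material.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa) {
                $null = $rsa.SignData($payload,
                    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                $result.KeyUsable = $true
                # Exportability is a property of the key container, not of the certificate.
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $result.Exportable = ($rsa.Key.ExportPolicy -band
                        [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $result.Exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            }
        } catch [System.Security.Cryptography.CryptographicException] {
            # NTE_BAD_KEYSET surfaces here as "Keyset does not exist": the certificate
            # references a key container that is not present on this machine.
            $result.Error = $_.Exception.Message
        } finally {
            if ($rsa) { $rsa.Dispose() }
        }
    }
    [pscustomobject]$result
} | Format-Table -AutoSize
```

A certificate copied to another machine via a serialized store shows ClaimsKey = True but KeyUsable = False with the keyset error, which is the behaviour the post describes.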

