Re: Cracking Win2K EFS -- Whitepaper

From: Bronek Kozicki (bronekat_private)
Date: Tue Jul 27 1999 - 05:18:38 PDT

    I have read the article "Cracking Win2000 EFS!" very carefully, but I
    still have questions:
    
    1) Where is the private/public key pair stored?
    
    The article does not mention the (theoretical) possibility of breaking into
    this location. The authors' main concern is breaking into user/administrator
    accounts using old (i.e. working with Windows NT 4.0) techniques, not their
    keys directly.
    
    2) How will the described security flaw work if the only accounts used are
    placed on a domain controller (or rather a server running Microsoft Active
    Directory Services), not local accounts?
    
    Under the assumption that the SAM used to create the file (and validate all
    RAs for it) is still secure, the described flaw will not work, or am I wrong?
    Under this assumption a reasonable policy (and in my belief not difficult to
    implement in the operating system) would be: "if a non-local account is used
    to encrypt a file, DO NOT grant any local account the Recovery Agent right on
    it". The only question is whether Microsoft will implement such (or similar)
    behaviour.
    
    Another point (and a much bigger problem IMO) is Windows NT "export version"
    security, thanks to the poor keys used. Will Microsoft ever decide to use
    something more secure, like 3DES? I hope this particular algorithm is not
    restricted ... and what about IDEA?
    
    
    Regards
    
    Bronek Kozicki
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:56 PDT