Re: CRIME OCIPEP AV03-008 - Microsoft Windows XP Password Vulnerability

From: Jacob Redding (dextor@private)
Date: Tue Feb 18 2003 - 10:17:30 PST


    On Mon, 17 Feb 2003, Seth Arnold wrote:
    
    > On Mon, Feb 17, 2003 at 05:40:23PM -0800, Richardson, John wrote:
    > > 1.  On laptops, setting the BIOS password can also be used to have the disk
    > > controller perform disk encryption.  I don't know how strong it REALLY is,
    <snip>
    <snip>
    > > 2.  On XP, and Win2K also, if you use EFS (Encrypting File System) the OS
    > > will decrypt the files for users with access to the keys.  Does this
    <snip>
    > As I recall the EFS design, the keys are encrypted with the NTLM hash
    > of the login password for the user in question. Changing the password
    > outside of the system may very well cause all the data encrypted by the
    > account in question to be lost. (Changing the password back to its old
    > value will probably result in a different NTLM hash, otherwise dictionary
    > attacks would probably be far easier, so I'd bet changing the password
    > back to the original password would not restore the data.)
    
      Just to offer some corrections to the above. EFS does NOT use the NTLM
    hash of the login password to encrypt data. The system creates a unique
    public/private key pair for each individual user (along with one for the
    system itself, and a few other things). This public key is NOT used to
    encrypt the file, however; a separate key is created for each individual
    file and that key is used to encrypt the file. Then the user's public key
    is used to encrypt the file's unique key.
    
    So in short here's the deal.
    
    user--[has a]-->Public Key--[encrypts]-->File's key--[encrypts]-->File
    
      I won't go into the details of why they do this (it has to do with
    recovery), but that's how it's done.
    
      Here's the whitepaper:
    http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
    
      So you can most definitely change your password, login name, user
    description and everything else about a user, providing that you do not
    delete the account (even if you recreate it w/ the same name/password, think
    SIDs). Once you delete the account you're screwed (time for the Recovery
    Agent).
    
    
    -Jacob
    



    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 11:06:07 PST