Bugtraq mailing list archives

Re: Cracking Win2K EFS -- Whitepaper


From: bronek () WPI COM PL (Bronek Kozicki)
Date: Tue, 27 Jul 1999 14:18:38 +0200


I have read very carefully the article "Cracking Win2000 EFS!" but I still
have questions:

1) Where is the private/public key pair stored?

The article does not mention the (theoretical) possibility of breaking into this
location. The author's main concern is breaking into user/administrator
accounts using old (i.e. working with Windows NT 4.0) techniques, not their
keys directly.

2) How will the described security flaw work if the only accounts used are placed
on a domain controller (or rather a server running Microsoft Active Directory
Services), not local accounts?

Under the assumption that the SAM used to create the file (and validate all RAs for it)
is still secure, the described flaw will not work, or am I wrong? Under this
assumption a reasonable policy (and in my belief not difficult to implement
in the operating system) would be: "if a non-local account is used to encrypt a
file, DO NOT grant any local account the Recovery Agent right on it". The only
question is whether Microsoft will implement such (or similar) behaviour.

Another point (and a much bigger problem IMO) is Windows NT "export version"
security, thanks to the poor keys used. Will Microsoft ever decide to use
something more secure, like 3DES? I hope this particular algorithm is not
restricted ... and what about IDEA?

Regards

Bronek Kozicki
