In <88531016604880@cs26.cs.auckland.ac.nz>, on 01/21/98 at 04:29 AM, pgut001@cs.auckland.ac.nz (Peter Gutmann) said:

> Summary
> -------
> Microsoft uses two different file formats to protect users' private keys, the original (unnamed) format which was used in older versions of MSIE, IIS, and other software and which is still supported for backwards-compatibility reasons in newer versions, and the newer PFX/PKCS #12 format. Due to a number of design and implementation flaws in Microsoft's software, it is possible to break the security of both of these formats and recover users' private keys, often in a matter of seconds. In addition, a major security hole in Microsoft's CryptoAPI means that many keys can be recovered without even needing to break the encryption. These attacks do not rely for their success on the presence of weak, US-exportable encryption; they also affect US versions.

This is a battle I have been fighting for years now. Do not TRUST Microsoft for security. Plain and simple. They have shown for years now that they are incapable or unwilling to spend the time, money, and effort to produce secure products (Remember the MS claims of NT being C2 rated? LOL!!!). I have spent quite a bit of effort trying to educate ISVs not to use the MS crypto API for a variety of reasons. Unfortunately, for the most part it falls on deaf ears. Most ISVs are unwilling to accept the fact that security as an afterthought does not work. Combine this with a public that does not care about security but is willing to accept the warm fuzzies from pseudo-security and you get bug-filled crap like the MS CryptoAPI accepted throughout the marketplace. I have come to the point now that I will not use any commercial security software nor will I recommend it to any of my clients. If it is not burdened with GAK, as with software from IBM and Lotus, it is flawed by sheer incompetence as with software from Microsoft and Netscape.

--
---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------

Tag-O-Matic: You're throwing it all out the Windows!