-----BEGIN PGP SIGNED MESSAGE----- Anand Abhyankar wrote:
SecureFile is not using the Win 95 password for encrypting the files. Win 95 or Win NT never hands over the password to any application.
Good.
CAPI 2.0 is so nicely integrated with the OS that unless you have logged in you wont get access to you keys. Now SecureFile is CAPI 2.0 based application, so to use SecureFile you have to log in. Once this is done the crypto operations (encryption/signing) etc are performed using your keys.
The advantage you gain is that, a separate SecureFile logon is not required and nobody but you will be able to access your keys as they are protected by the OS.
Out of curiosity, do you know how the keys are protected by windoze itself? I have the CAPI cd but have had all of 5 minutes to look at it. I would presume they're hashing your password into a key and then encrypting with it, or encrypting another key with it. Any idea? What is somewhat bothersome (and this would go for anything using CAPI in the way your product does) is the reliance upon the windoze password. If that were compromised, it seems all other CAPI integrated keys would also be compromised. Let's hope they choose good passwords, and know not to re-use the same one on the net somewhere. :-) (BTW, does windoze allow arbitrary length passwords or phrases, or does it have a short limit?) Jeremey. - -- =-----------------------------------------------------------------------= Jeremey Barrett VeriWeb Internet Corp. Crypto, Ecash, Commerce Systems http://www.veriweb.com/ PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64 =-----------------------------------------------------------------------= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMyKP5y/fy+vkqMxNAQHayQQAlQ1URquOTf0LNqX4Gsw340KRNsz+e4hk hJDaw61vNzWV7oCQtZeTYrpWYnf9nuZ0r3qaTGHE8b+s3whAEz7iXtS/DzNXz3dQ 0fce/EW9oMHjZa9xiilPb4FMbRMJJFShJ2WUSP/ZuMkaKXVftu5UG5I/FHxhpt+g A4sqBEOangQ= =PLfS -----END PGP SIGNATURE-----