Jeremey Barrett wrote:
Umm... reading your faq... (http://www.querisoft.com/SFFAQ.html) you state that you use the windows95 user password as the password for encrypting files. You also seem to imply that you don't actually _ask_ for the password, windows gives it to you (albeit hashed or something already, I imagine). If that is the case, that is extremely worrisome. In fact it's outrageous.
That would imply that any _other_ application, benign or evil, could also access the same password and immediately decrypt files.
Is that so? (Not coding much on windows, I don't know if applications can access the user's hashed or encrypted password, but I would guess they could.)

SecureFile is not using the Win 95 password for encrypting the files. Win 95 or Win NT never hands over the password to any application. CAPI 2.0 is so nicely integrated with the OS that unless you have logged in you won't get access to your keys. Now SecureFile is a CAPI 2.0 based application, so to use SecureFile you have to log in. Once this is done the crypto operations (encryption/signing) etc. are performed using your keys. The advantage you gain is that a separate SecureFile logon is not required and nobody but you will be able to access your keys as they are protected by the OS. The SecureFile setup ensures that on Win 95 you have actually logged in and that you are working in the "Multiple Profiles" mode.

Thank you for your interest in SecureFile. Please feel free to ask any questions you may have.

Anand Abhyankar
SecureFile Team
Querisoft Systems Pvt. Ltd.