[10226] in cryptography@c2.net mail archive
Re: Horseman Number 3: Osama Used 40 bits
daemon@ATHENA.MIT.EDU (Alan Ramsbottom)
Tue Jan 22 10:27:26 2002
From: "Alan Ramsbottom" <alancr@ntlworld.com>
To: <stefan.caunter@senecac.on.ca>
Cc: <cryptography@wasabisystems.com>
Date: Tue, 22 Jan 2002 12:15:15 -0000
Message-ID: <LMEDKDLGMAAFJHCJKOIFOENDCEAA.alancr@ntlworld.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
From: "Stef Caunter" <stefan.caunter@senecac.on.ca>
> An attacker with floppy boot access to a Win2K system would get reverse
> access to that machine's encrypted files only if the recovery cert for
> the domain was locally available (unlikely), or if the machine was not
> part of a domain.
In the two years or so since that EFS attack surfaced, I don't recall ever
seeing anyone ask *why* you get access in the stand-alone case.
The theory says a private key is encrypted under a random account 'master
key' which in turn is encrypted under a key derived from account credentials
(password and SID). Since the floppy based chntpw program works by simply
overwriting an account's password hash, any subsequent attempt to access a
private key should fail.
It works because the protected storage service can't handle password resets
when they are performed via a different (administrative) account, so it
maintains a second copy of each account's master key to recover from such
events. I believe the second copy is encrypted under some system secret (in
a domain this secret lives on the domain controller), but information about
this Win2K feature is scarce or opaque.
The documentation for WinXP implies this has changed, i.e. there is no
automagic recovery of an account's master key if the password is reset via
another account. However there is a suggested recovery method that uses the
umm.. innovative Password Reset Disk.
-Alan-
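As an added illustration, not code from this thread or from Windows, here is a simplified Python model of the key hierarchy the post describes: the private key is wrapped under a random master key, and that master key is stored twice, once under a credential-derived key and once under a system secret. The `credential_key` derivation, the `wrap`/`unwrap` blob layout, the SID and the secret are hypothetical stand-ins, not the real DPAPI formats; the point is to show why an offline hash overwrite breaks the credential path and why the second copy only helps when the secret is on the local machine.

```python
import hashlib, hmac, os

def credential_key(password, sid):
    # Key from the password hash and SID (illustrative, not the real DPAPI derivation).
    pw_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hashlib.pbkdf2_hmac("sha256", pw_hash, sid.encode(), 1000, 32)

def wrap(key, data):
    # Toy authenticated wrap (HMAC keystream + HMAC tag) for <= 32-byte payloads.
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")  # a reset password lands here
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def provision(password, sid, system_secret, private_key):
    # The master key is kept twice: under the credentials and under the system secret.
    master = os.urandom(32)
    return {"sid": sid,
            "user_copy": wrap(credential_key(password, sid), master),
            "system_copy": wrap(system_secret, master),
            "key_blob": wrap(master, private_key)}

def open_private_key(acct, password, system_secret=None):
    # Credential path first; fall back to the system copy only if the secret is local.
    try:
        master = unwrap(credential_key(password, acct["sid"]), acct["user_copy"])
    except ValueError:
        if system_secret is None:
            return None  # domain-joined: the secret lives on the domain controller
        master = unwrap(system_secret, acct["system_copy"])
    return unwrap(master, acct["key_blob"])

def demo():
    # Constructed values; SID and secret are placeholders. After an offline reset
    # overwrote the hash, the owner logs in with "NewPass".
    priv = b"constructed-private-key-bytes!!!"
    secret = os.urandom(32)
    acct = provision("Original!", "S-1-5-21-1-2-3-1001", secret, priv)
    before = open_private_key(acct, "Original!") == priv
    domain = open_private_key(acct, "NewPass") is None
    standalone = open_private_key(acct, "NewPass", secret) == priv
    return before, domain, standalone
```

`demo()` returns `(True, True, True)`: access works with the original password, fails after the reset when no local system secret exists (the domain case), and is recovered through the second copy when it does (the stand-alone case).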
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com