1997-03-09 - Re: SecureFile

Header Data

From: Jeremey Barrett <jeremey@veriweb.com>
To: anand@querisoft.com
Message Hash: 3fd095d8774fa3bb911b5bec6e05ccb8c68cff06a317b35eed3e59f0dc32f4c9
Message ID: <33228FE6.38DED08@veriweb.com>
Reply To: <33203B5E.28D8E637@veriweb.com>
UTC Datetime: 1997-03-09 18:48:37 UTC
Raw Date: Sun, 9 Mar 1997 10:48:37 -0800 (PST)

Raw message

From: Jeremey Barrett <jeremey@veriweb.com>
Date: Sun, 9 Mar 1997 10:48:37 -0800 (PST)
To: anand@querisoft.com
Subject: Re: SecureFile
In-Reply-To: <33203B5E.28D8E637@veriweb.com>
Message-ID: <33228FE6.38DED08@veriweb.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Anand Abhyankar wrote:
> 
> SecureFile is not using the Win 95 password for encrypting the files.
> Win 95 or Win NT never hands over the password to any application.

Good.

> 
> CAPI 2.0 is so nicely integrated with the OS that unless you have logged
> in you wont get access to you keys. Now SecureFile is CAPI 2.0 based
> application, so to use SecureFile you have to log in. Once this is done
> the crypto operations (encryption/signing) etc are performed using your
> keys.
> 
> The advantage you gain is that, a separate SecureFile logon is not
> required and nobody but you will be able to access your keys as they are
> protected by the OS.

Out of curiosity, do you know how the keys are protected by windoze
itself?
I have the CAPI cd but have had all of 5 minutes to look at it.  I would 
presume they're hashing your password into a key and then encrypting
with 
it, or encrypting another key with it. Any idea?

What is somewhat bothersome (and this would go for anything using CAPI
in the way your product does) is the reliance upon the windoze password.
If that were compromised, it seems all other CAPI integrated keys would
also be compromised. Let's hope they choose good passwords, and know not
to re-use the same one on the net somewhere. :-)
(BTW, does windoze allow arbitrary length passwords or phrases, or does
it
have a short limit?)

Jeremey.

- -- 
=-----------------------------------------------------------------------= 
Jeremey Barrett                                  VeriWeb Internet Corp.
Crypto, Ecash, Commerce Systems                  http://www.veriweb.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMyKP5y/fy+vkqMxNAQHayQQAlQ1URquOTf0LNqX4Gsw340KRNsz+e4hk
hJDaw61vNzWV7oCQtZeTYrpWYnf9nuZ0r3qaTGHE8b+s3whAEz7iXtS/DzNXz3dQ
0fce/EW9oMHjZa9xiilPb4FMbRMJJFShJ2WUSP/ZuMkaKXVftu5UG5I/FHxhpt+g
A4sqBEOangQ=
=PLfS
-----END PGP SIGNATURE-----





Thread