From: Anand Abhyankar <anand@querisoft.com>
Date: Sat, 8 Mar 1997 22:49:43 -0800 (PST)
To: Jeremey Barrett <jeremey@veriweb.com>
Subject: Re: SecureFile
In-Reply-To: <33203B5E.28D8E637@veriweb.com>
Message-ID: <33231935.6969@querisoft.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeremey Barrett wrote:
> Umm... reading your faq... (http://www.querisoft.com/SFFAQ.html) you
> state that you use the windows95 user password as the password for

> encrypting files. You also seem to imply that you don't actually
> _ask_ for the password, windows gives it to you (albeit hashed
> or something already, I imagine). If that is the case, that is extremely
> worrisome. In fact it's outrageous.

 
> That would imply that any _other_ application, benign or evil, could
> also
> access the same password and immediately decrypt files.
> 
> Is that so? (Not coding much on windows, I don't know if applications
> can access the user's hashed or encrypted password, but I would guess
> they could.)

SecureFile is not using the Win 95 password for encrypting the files.
Win 95 or Win NT never hands over the password to any application.

CAPI 2.0 is so nicely integrated with the OS that unless you have logged
in you wont get access to you keys. Now SecureFile is CAPI 2.0 based
application, so to use SecureFile you have to log in. Once this is done
the crypto operations (encryption/signing) etc are performed using your
keys.

The advantage you gain is that, a separate SecureFile logon is not
required and nobody but you will be able to access your keys as they are
protected by the OS.

The SecureFile setup ensures that on Win 95 you have actually logged in
and that you are working in the "Multiple Profiles" mode.

Thank you for your interest in SecureFile. Please feel free to ask any
questions you may have.

Anand Abhyankar
SecureFile Team
Querisoft Systems Pvt. Ltd.