Can Non-Exportable Private Keys Be Exported?
Yes, these tools exist. You can search the internet for "private key jailbreak". However, these applications require at least private key read permissions, so not all private keys can be dumped.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
October 24th, 2012 3:06pm

Anyone? It looks like the default perms for read are SYSTEM and Administrators.
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
October 26th, 2012 7:18am
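An added example (mine, not from any poster in this thread) that checks the claim above on a live machine: for each certificate in the machine store with a private key it resolves the on-disk key container, reads the exportable flag the key was generated with, and lists which identities can read the file. The two container directories are the standard CAPI and CNG machine-key locations on a default Windows install and are assumptions here, as is the function name Get-MachineKeyExposure. Run it from an elevated Windows PowerShell 5.1 session; reading the DACL of a machine key file needs administrator rights.

```powershell
# Added example, not code from the thread. Assumed default key container locations:
$capiDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # CAPI (CSP) machine keys
$cngDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'              # CNG (KSP) machine keys

function Get-MachineKeyExposure {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $containerName = $null

        # On Windows PowerShell 5.1 (.NET Framework) GetRSAPrivateKey returns an
        # RSACryptoServiceProvider for CSP-stored keys and an RSACng for KSP-stored keys.
        # Non-RSA keys (e.g. ECDSA) come back as $null and are reported with empty columns.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info          = $rsa.CspKeyContainerInfo
            $provider      = $info.ProviderName
            $exportable    = $info.Exportable        # CRYPT_EXPORTABLE set at key generation
            $containerName = $info.UniqueKeyContainerName
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider      = $rsa.Key.Provider.Provider
            $exportable    = [bool]($rsa.Key.ExportPolicy -band
                                    [System.Security.Cryptography.CngExportPolicies]::AllowExport)
            $containerName = $rsa.Key.UniqueName
        }

        # The unique container name is the file name; look in both directories.
        $keyFile = $null
        if ($containerName) {
            $keyFile = @($cngDir, $capiDir) |
                ForEach-Object { Join-Path $_ $containerName } |
                Where-Object { Test-Path -LiteralPath $_ } |
                Select-Object -First 1
        }

        # Identities with an Allow ACE that includes ReadData (FullControl includes it).
        $readers = @()
        if ($keyFile) {
            $readers = (Get-Acl -LiteralPath $keyFile).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
                } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
            KeyFile    = $keyFile
            CanRead    = ($readers -join ', ')
        }
    }
}

Get-MachineKeyExposure | Format-Table -AutoSize
```

Any identity in the CanRead column beyond SYSTEM and Administrators is an extra party able to hand the key file to the extraction tools mentioned above; a row whose Exportable column is False is still only as safe as that ACL.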


is this set at template level?
October 26th, 2012 10:15am

No, file system. Even though you can define no export in the certificate template, this only prevents an MS domain-joined machine from creating an exportable key. As stated earlier in the thread, if you can get the certificate and the files on the local file system, you could export the certificate with private key (not from the GUI).

With versions prior to Windows 8, this is a valid concern and you have to accept the risk that your employees will not purchase software allowing export with private key (when it was disabled in the certificate template).

With Windows 8, you could move to virtual smart cards where the certificate's private key is protected by your computer's TPM. This could prevent any export attacks. Prior to Windows 8, you would need to protect the key material with either an HSM or a smart card certificate on a smart card or smart card chip-based USB stick.

Brian
October 26th, 2012 12:23pm


We are setting up a PKI solution for our Wi-Fi network. I understood that user and computer certificates created with a non-exportable template are safe. Today I read that the private keys can be exported with some 3rd-party tools. Are there any solutions for this? Thanks
October 26th, 2012 1:53pm


By default, which users have "private key read permissions"?
October 26th, 2012 4:17pm

We are setting up a PKI solution for our Wi-Fi network. I understood that user and computer certificates created with a non-exportable template are safe. Today I read that the private keys can be exported with some 3rd-party tools. Are there any solutions for this? Thanks

Saving private keys in an HSM is probably the only way to truly protect them...
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
October 26th, 2012 5:52pm

So with XP and Windows 7, is the way to go to block admin-level access to the machine? Or is that not enough?
October 27th, 2012 12:56pm

To be honest, no, that is not enough. It depends on your risk profile and what attacks you are trying to mitigate. Your choices are:

1) Use smart cards.
2) Trust that users will not buy the tools that would allow them to manually export. For example, use a Nordahl boot disk and reset the local Admin password, or use a tool such as the Elcomsoft EFS recovery tool (these are just examples).

In most cases, setting the non-exportable tag will work. But more orgs see this as an attack vector, hence the introduction of Virtual Smart Cards in Windows 8.

Brian
October 27th, 2012 1:21pm

There is an even simpler way to export the key: simply ask for an exportable key. This can be achieved by using the MMC and manually requesting the precise same certificate which you would get during autoenrollment. Autoenrollment requires Enrollment rights, so you can't prevent this. Unfortunately, "non-exportability" is a "client feature", not anything defined within the certificate. And even Windows 7 does not respect the certificate template "do not export private key" definition when using the MMC and not autoenrollment. This for me seems to be a bug, not a feature. But it might even be by design :-)

You might be able to make it a bit more difficult by disallowing the certmgr snap-in, but this makes supporters' life a bit more difficult.

So Brian is (like often :-) right: the only way to really protect the private key is an HSM, hence a smart card. Make users' lives easy and they will not want to circumvent your security measures.

Patrick
November 9th, 2012 5:34pm
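To show concretely what Patrick describes, here is an added example (my own, not Patrick's and not Microsoft's) that requests a certificate from the same template autoenrollment would use, but from a certreq .inf that sets Exportable = TRUE, and then exports a PFX with the stock PKI module cmdlets. The subject, the template name Workstation, the CA config string, the password and the working directory are placeholders to replace. The commented-out ProviderName lines show the alternative this thread recommends instead: generating the key in a smart card or TPM key storage provider rather than in software. Run it as an administrator on a domain-joined Windows 8 / Server 2012 or later client.

```powershell
# Added example, not code from the thread. Placeholders: subject, template,
# CA config string, PFX password and $work.
$work = Join-Path $env:TEMP 'exportable-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# "Exportable" is decided here, on the client, when the key pair is generated.
# The template's "do not allow export" setting and the CA never see this flag.
$inf = @"
[NewRequest]
Subject       = "CN=wifi-client.corp.example"
KeyLength     = 2048
KeySpec       = 1
MachineKeySet = TRUE
RequestType   = PKCS10
HashAlgorithm = SHA256
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
Exportable    = TRUE
; Hardware-backed alternatives (what the thread recommends instead of software keys):
; ProviderName = "Microsoft Smart Card Key Storage Provider"
; ProviderName = "Microsoft Platform Crypto Provider"
;   (the TPM key storage provider available from Windows 8 onwards)

[RequestAttributes]
; Template name (not display name) whose "Allow private key to be exported" box is unchecked.
CertificateTemplate = Workstation
"@
Set-Content -Path (Join-Path $work 'req.inf') -Value $inf -Encoding Ascii

# Generate the key and request, submit it to the enterprise CA, install the result.
certreq -new    (Join-Path $work 'req.inf') (Join-Path $work 'req.csr')
certreq -submit -config 'ca01.corp.example\Corp-Issuing-CA' (Join-Path $work 'req.csr') (Join-Path $work 'cert.cer')
certreq -accept (Join-Path $work 'cert.cer')

# Verify what the client actually generated: pick the newest cert with our subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=wifi-client.corp.example' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

# Reports the CRYPT_EXPORTABLE flag of the CSP key container.
$cert.PrivateKey.CspKeyContainerInfo.Exportable

# With Exportable = TRUE this plain PFX export succeeds, template setting or not.
# With Exportable = FALSE the CSP refuses and Export-PfxCertificate fails.
$pfxPassword = ConvertTo-SecureString 'Demo-Only-Passw0rd' -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $work 'wifi-client.pfx') -Password $pfxPassword
```

The same request with one of the hardware ProviderName lines uncommented puts the private key on the card or in the TPM, where no value of Exportable lets it leave the device.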

Just remember that a smart card and an HSM are two different devices. Both protect the private key in a manner that it cannot be exported, but they are two very different devices (huge price difference and role difference). Typically HSMs protect server private keys and smart cards protect user private keys.

Brian
November 10th, 2012 11:03am
