CryptoAPI Private Key default Security level
Hello, I'm trying to investigate whether there is a way to change the security level to High by default when creating a new RSA exchange key. Many thanks for any suggestions.
May 10th, 2011 5:28am

http://msdn.microsoft.com/en-us/library/aa379414(v=vs.85).aspx

XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG: Specifies strong key protection. The user is typically prompted to enter a password when the key is created and whenever the key is used. The exact behavior is specified by the KSP being used. This value is not supported by the Certificate Enrollment API for legacy CSPs.

Can you test using the following method:

- Edit xenrprxy.inc (c:\Windows\System32\certsrv\en-US) and locate the XEp_SetGenKeyFlags function
- change this:

    objPrivateKey.KeyProtection = (0 != (CRYPT_USER_PROTECTED & nGenKeyFlags)) ? XCN_NCRYPT_UI_PROTECT_KEY_FLAG : XCN_NCRYPT_UI_NO_PROTECTION_FLAG;

  by:

    objPrivateKey.KeyProtection = 2; // XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
May 13th, 2011 3:16am
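The reply above edits the default that the web enrollment pages pass to the CertEnroll private-key object. The same KeyProtection property can be set directly from script; the following PowerShell is an added example, not code from the thread or from Microsoft. It assumes a Windows version with the Microsoft Software Key Storage Provider (a KSP, since the reply notes legacy CSPs do not support the flag), and the container name is a constructed placeholder.

```powershell
# Added example (not from the thread): create an RSA key-exchange key through the
# Certificate Enrollment (CertEnroll) COM API with strong key protection forced on.
# Assumes the Microsoft Software KSP is available; the container name is a
# constructed placeholder.

# X509PrivateKeyProtection values (the XCN_NCRYPT_UI_* flags from the reply)
$XCN_NCRYPT_UI_NO_PROTECTION_FLAG         = 0
$XCN_NCRYPT_UI_PROTECT_KEY_FLAG           = 1
$XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG = 2
$XCN_AT_KEYEXCHANGE = 1   # KeySpec: an exchange key, as asked in the question

function New-HighProtectionRsaKey {
    param(
        [string]$ContainerName = "ExampleHighProtectionKey",  # constructed name
        [int]$Length = 2048
    )
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    # Legacy CSPs do not honour FORCE_HIGH through CertEnroll, so use a KSP.
    $key.ProviderName   = "Microsoft Software Key Storage Provider"
    $key.ContainerName  = $ContainerName
    $key.KeySpec        = $XCN_AT_KEYEXCHANGE
    $key.Length         = $Length
    $key.MachineContext = $false   # user key: a password prompt only makes sense for a user
    $key.KeyProtection  = $XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
    # Create() prompts for a password here, and the KSP prompts again on every use.
    $key.Create()
    return $key
}

function Test-KeyProtectionIsForcedHigh {
    param($Key)
    return ($Key.KeyProtection -eq $XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG)
}

$k = New-HighProtectionRsaKey
"Container {0}: KeyProtection={1}, forced high = {2}" -f `
    $k.ContainerName, $k.KeyProtection, (Test-KeyProtectionIsForcedHigh $k)
```

Because the flag makes the KSP prompt on every private-key operation, it is only usable for keys operated by an interactive user; a service or scheduled task holding such a key would block on a prompt nobody can answer, so keep MachineContext keys on the default protection level.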

For Windows XP systems the key should be added on the user station in the registry under HKLM\Software\Policies\Microsoft\Cryptography:

- ForceKeyProtection. This key will force the Data Protection application programming interface (DPAPI) to disable the option that allows the user to choose whether to use a password to protect their private key. When set, the user must use a password to protect their private key.

    0 = Do not force UI on key protection
    1 = Default to UI, but let user change selection
    2 = Force UI on key protection; disable option for user

http://go.microsoft.com/fwlink/?LinkID=92522 page 39
May 13th, 2011 10:15am
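To check or apply the ForceKeyProtection policy value described in the reply above, here is an added PowerShell example (not code from the thread or from Microsoft). It assumes only the registry path and the three values given in the reply; writing the value requires an elevated prompt.

```powershell
# Added example (not from the thread): audit and set the ForceKeyProtection policy
# value from the reply. Assumes the registry path and value meanings given there.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$ValueName  = 'ForceKeyProtection'

# Meaning of each value, as listed in the reply
$ForceKeyProtectionMeaning = @{
    0 = 'Do not force UI on key protection'
    1 = 'Default to UI, but let user change selection'
    2 = 'Force UI on key protection; disable option for user'
}

function Get-ForceKeyProtection {
    # Returns the configured value, or $null when the policy is not set
    # (unset behaves like 0: the user may create keys without a password).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ForceKeyProtection {
    # Requires an elevated prompt; creates the policy key if it is absent.
    param([ValidateSet(0, 1, 2)][int]$Level)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Level -Type DWord
}

function Test-StrongKeyProtectionEnforced {
    # True only when the user cannot opt out of the password prompt (value 2).
    return ((Get-ForceKeyProtection) -eq 2)
}

$current = Get-ForceKeyProtection
if ($null -eq $current) {
    "ForceKeyProtection is not configured (users may create unprotected keys)"
} else {
    "ForceKeyProtection = $current : $($ForceKeyProtectionMeaning[$current])"
}
# To enforce it, run elevated:  Set-ForceKeyProtection -Level 2
```

This registry value is what the Group Policy setting "System cryptography: Force strong key protection for user keys stored on the computer" writes, so in a domain it is better deployed through that policy than by editing the registry on each station. Note that the policy governs how new user keys are created; keys that already exist keep the protection level they were created with.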
