CryptoAPI Private Key default Security level
Hello,
I'm trying to investigate whether there is a way to change the security level to High by default when creating a new RSA exchange key.
Many thanks for any suggestions.
May 10th, 2011 5:28am
http://msdn.microsoft.com/en-us/library/aa379414(v=vs.85).aspx
XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
Specifies strong key protection. The user is typically prompted to enter a password when the key is created and whenever the key is used. The exact behavior is specified by the KSP being used. This value is not supported by the Certificate Enrollment API for legacy CSPs.
Can you test using the following method:
- Edit xenrprxy.inc (c:\Windows\System32\certsrv\en-US) and locate the XEp_SetGenKeyFlags function
- change this:
objPrivateKey.KeyProtection = (0 != (CRYPT_USER_PROTECTED & nGenKeyFlags)) ? XCN_NCRYPT_UI_PROTECT_KEY_FLAG : XCN_NCRYPT_UI_NO_PROTECTION_FLAG;
By:
objPrivateKey.KeyProtection = 2; // XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
May 13th, 2011 3:16am
For Windows XP systems
The following value should be added on the user station in the registry, under HKLM\Software\Policies\Microsoft\Cryptography:
ForceKeyProtection
This value will force the Data Protection application programming interface (DPAPI) to disable the option that allows the user to choose whether to use a password to protect their private key. When set, the user must use a password to protect their private key.
<"0"> = Do not force UI on key protection
<"1"> = Default to UI, but let user change selection
<"2"> = Force UI on key protection; disable option for user
http://go.microsoft.com/fwlink/?LinkID=92522
page 39
May 13th, 2011 10:15am
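An added example, not code from this thread: a PowerShell script that sets and verifies the ForceKeyProtection policy value described in the last reply, then creates an RSA exchange key through the CertEnroll IX509PrivateKey interface (the same interface xenrprxy.inc drives) with KeyProtection = 2, so the high-protection setting is requested from a script rather than by editing the system .inc file. The container name is a constructed placeholder, and the Microsoft Software Key Storage Provider is assumed to be present (it is a KSP, which the quoted MSDN note requires for this flag).

```powershell
# Added example, not from the thread. Run elevated: the policy write needs
# admin rights, and the KSP will show a password prompt when the key is created.

$PolicyPath = 'HKLM:\Software\Policies\Microsoft\Cryptography'
$Desired    = 2   # 2 = Force UI on key protection; disable option for user

function Set-ForceKeyProtection {
    param([int]$Value = $Desired)
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'ForceKeyProtection' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-ForceKeyProtection {
    # $true only when the value exists and equals the desired setting
    $v = Get-ItemProperty -Path $PolicyPath -Name 'ForceKeyProtection' `
        -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.ForceKeyProtection -eq $Desired)
}

function New-HighProtectionExchangeKey {
    # Container name is a constructed placeholder
    param([string]$Container = 'ForceHighProtectionDemo')
    $key = New-Object -ComObject 'X509Enrollment.CX509PrivateKey'
    $key.ProviderName   = 'Microsoft Software Key Storage Provider'  # a KSP, not a legacy CSP
    $key.KeySpec        = 1      # XCN_AT_KEYEXCHANGE: an RSA exchange key
    $key.Length         = 2048
    $key.KeyProtection  = 2      # XCN_NCRYPT_UI_FORCE_HIGH_PROTECTION_FLAG
    $key.MachineContext = $false # user key; the strong-protection prompt applies to user keys
    $key.ContainerName  = $Container
    $key.Create()                # the KSP prompts for the protection password here
    return $key
}

Set-ForceKeyProtection
if (-not (Test-ForceKeyProtection)) { throw 'ForceKeyProtection policy not applied' }
$k = New-HighProtectionExchangeKey
"Created key '$($k.ContainerName)' with KeyProtection=$($k.KeyProtection)"
```

The policy value only affects keys created after it is set; existing keys keep the protection level chosen at creation.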