
I just discovered that windows can store certificates and keys that an application uses in a 'crypto store'.

I would like to know how secure the store is. If I select, for example, high security and require a password to access the store when an application requests a crt or key, is it encrypted properly? Any idea what encryption is used?

The other question is: if I don't require a password, then I can't see how it provides any security, as the crt and keys must still be in plain text within the store and accessible to anyone who has access to my computer. In this usage case it seems about as secure as putting the crt and keys in a folder on the desktop called 'crypt store' or something. I.e. it's just a way to organise things but doesn't add anything useful.

Thanks for info.

2 Answers


The default certificate store is as secure as any other system-encrypted file on your computer. E.g. if someone knows your Windows username/password and can log in, he can access the certificate without any problem. However, if someone just gains access to your hard disk, without knowing your Windows credentials, then he cannot get access to the certificate store. So, this is better than just a plaintext file on your computer. But if you make that file encrypted, using default Windows tools, then their security is very similar: if you forget your password, or reinstall Windows, their contents are lost forever and cannot be recovered.

Obviously, since the certificate in the default store must be accessible to programs once you log in, stronger security is not possible without using external hardware.

  • I don't bother with having a password on my Windows user account... It's too easy to bypass anyway. Looks like it's best to just select high security and set a password in the store. Just one more thing, do you know where the store is on the HDD? Can't browse it without using MMC. Commented Dec 24, 2011 at 0:25
  • The certificate store is somewhere under c:\Users\All Users\Microsoft\Crypto, but don't mess with them directly. Just copying them won't work, e.g. for backup you need to use built-in functions, MMC, etc.
    – haimg
    Commented Dec 24, 2011 at 0:36
  • "I don't bother with having a password on my windows user account... It's too easy to bypass anyway." The only way to bypass the password is to have physical access to the machine.
    – surfasb
    Commented Dec 25, 2011 at 11:04

The keys (for the user's private MY key store) are stored, depending on the Cryptographic Service Provider (old or new API), in (source):

Legacy:
%APPDATA%\Microsoft\Crypto\RSA\User SID\
%APPDATA%\Microsoft\Crypto\DSS\User SID\
CNG:
%APPDATA%\Microsoft\Crypto\Keys

For the CNG API the keys are held decrypted in the KeyIso service (and the API will ask the service to use them).
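The two answers above describe, respectively, what protects a stored private key (the logged-in user's credentials, optionally a "high security" password, or external hardware) and where the key containers live on disk. The following PowerShell script is an added example, not code from either answer or from Microsoft: it walks the current user's personal (MY) store and, for each certificate with a private key, reports whether the key is held by the legacy CSP or by CNG, whether it is exportable, whether the provider reports it as password-protected, whether it is hardware-backed, and the key container file path assembled from the directory layout given in the second answer. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later; the mapping of `CspKeyContainerInfo.Protected` and `CngKey.UIPolicy` to the "high security" prompt, and the DSS-versus-RSA directory choice by provider type, are assumptions made for this example.

```powershell
# Added example (not from the answers above): audit private keys in the current user's
# personal store and show how each one is protected and where its container file lives.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+.

function Get-PrivateKeyInfo {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    # Per the second answer: legacy CSP user containers sit under
    # %APPDATA%\Microsoft\Crypto\RSA\<SID>\ (or DSS\<SID>\), CNG keys under
    # %APPDATA%\Microsoft\Crypto\Keys\.
    $sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $cryptoRoot = Join-Path $env:APPDATA 'Microsoft\Crypto'

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $key  = $null
        try {
            # Returns null when the certificate's key is not RSA; then try ECDSA.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
        } catch {
            # Opening a key can fail (e.g. smart card not inserted); report and continue.
            Write-Warning "$($cert.Thumbprint): cannot open private key: $($_.Exception.Message)"
        }
        if (-not $key) { return }

        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI key: the container details come from CspKeyContainerInfo.
            $info   = $key.CspKeyContainerInfo
            $family = if ($info.ProviderType -eq 13) { 'DSS' } else { 'RSA' }   # 13 = PROV_DSS_DH (assumption)
            [pscustomobject]@{
                Subject           = $cert.Subject
                Thumbprint        = $cert.Thumbprint
                Api               = 'CSP (legacy)'
                Provider          = $info.ProviderName
                Exportable        = $info.Exportable
                PasswordProtected = $info.Protected        # assumed to reflect the "high security" prompt
                HardwareBacked    = $info.HardwareDevice
                KeyFile           = if ($info.HardwareDevice) { $null } else {
                                        Join-Path $cryptoRoot "$family\$sid\$($info.UniqueKeyContainerName)" }
            }
        }
        elseif ($key.PSObject.Properties['Key'] -and $key.Key -is [System.Security.Cryptography.CngKey]) {
            # CNG key (RSACng / ECDsaCng): the details come from the CngKey object.
            $cng = $key.Key
            $hw  = $cng.Provider -eq [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider
            [pscustomobject]@{
                Subject           = $cert.Subject
                Thumbprint        = $cert.Thumbprint
                Api               = 'CNG'
                Provider          = $cng.Provider.Provider
                Exportable        = (($cng.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
                PasswordProtected = ($cng.UIPolicy.ProtectionLevel -ne [System.Security.Cryptography.CngUIProtectionLevels]::None)
                HardwareBacked    = $hw
                KeyFile           = if ($hw) { $null } else { Join-Path $cryptoRoot "Keys\$($cng.UniqueName)" }
            }
        }
        $key.Dispose()
    }
}

# Usage: print the table, then flag software keys that are exportable, since those are the
# ones any code running as this user could copy out once the user is logged in.
$keys = Get-PrivateKeyInfo
$keys | Format-Table Subject, Api, Exportable, PasswordProtected, HardwareBacked, KeyFile -AutoSize
$keys | Where-Object { $_.Exportable -and -not $_.HardwareBacked } |
    ForEach-Object { Write-Warning "Exportable software key: $($_.Subject)" }
```

The reported `KeyFile` paths are for inspection only; as the second answer notes, copying those files is not a usable backup, and the correct way to move a key is an export through MMC or `Export-PfxCertificate`, which only works when the key was marked exportable at creation.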

