Tuesday, December 11, 2007
Honey, where are my keys???
Cross-post from my main blog:

---------------

No, really? Suppose you’ve got a certificate from some certificate authority, installed it in the localmachine store, and then your application cannot see it!!! What happened? Is it a bug? Is it a virus? Did somebody steal your precious key??? Not quite… Let’s see what happens when you install the certificate.

The certificate itself is stored in the registry, and it includes the public key. However, the private key is stored separately in a special folder. That’s “%system drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys”, or whatever it is in a localized version. This folder is quite special. First of all, a normal consumer Windows does not have much to keep there. Sometimes it’s just empty. Unfortunately, this is important to our story. Read on!

So, you install the certificate, and the file with the private key is created in this folder. Where does it get its permissions? Right, from the folder. That’s quite logical, isn’t it?

Step 2, and that is a smart thing, maybe a too smart thing, happens. The crypto layer, which created this file, removes the permissions for the Everyone (WD) identity on this file. Which is also quite logical: you cannot have a private key that everybody can read, can you? Now, what does it mean if Everyone was the only one having access to this folder? Right, nobody can get your key. Not even Admin or SYSTEM – the semi-divine identity in Windows used to run system processes.

That’s not fun, but wait, here is more! If for some reason, at some moment in the history of the machine, this folder gets empty, it may – I repeat, it may – be deleted by the same code that created the file for the private key and maintained it so far. Then some other application starts and tries to import a private key. Guess what happens? The folder is magically recreated. Sounds good? Wait a bit for a small detail. It’s recreated under the current user. Ouch, ouch, ouch! What does it mean for you?

It means that on any well-used Windows system you don’t have a predictable state of this folder and your private keys. And if you install certificates under one user, it may not work under another user. So, the generic word of wisdom is: take care of ACLs on your private keys when you install them, or it may be the last time you’ve seen them!
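To check the state the post warns about, here is an added audit script (my own example, not code from the original post): it reports who owns the MachineKeys folder, and for every private-key file in it whether SYSTEM and Administrators still have read access, mapping readable keys back to the certificate in LocalMachine\My that uses them. It assumes CAPI/RSA keys, Windows PowerShell on the .NET Framework, and an elevated session so that Get-Acl may read the security descriptors.

```powershell
# Added example, not from the original post: audit ACLs on MachineKeys and its key files.
# Assumes CAPI (RSA) keys and Windows PowerShell; run elevated so Get-Acl can read ACLs.

# CommonApplicationData resolves to "Documents and Settings\All Users\Application Data"
# on XP/2003 and to ProgramData on later versions.
$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
    'Microsoft\Crypto\RSA\MachineKeys'

# Identities that must be able to read a machine-wide key for services to use it
$required = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-IdentityCanRead {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [string]$Identity)
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ((([int]$ace.FileSystemRights) -band
              ([int][System.Security.AccessControl.FileSystemRights]::Read)) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Map key container file names to thumbprints. This only works for keys the current
# user can open; a key that cannot be opened is itself a symptom of the problem.
$owners = @{}
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
    try {
        $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        if ($name) { $owners[$name] = $cert.Thumbprint }
    } catch { Write-Warning "Cannot open key for $($cert.Thumbprint): $($_.Exception.Message)" }
}

$folderAcl = Get-Acl -Path $machineKeys
# An ordinary user account as owner suggests the folder was recreated under that user
"MachineKeys owner: $($folderAcl.Owner)"
foreach ($id in $required) {
    if (-not (Test-IdentityCanRead $folderAcl $id)) { Write-Warning "$id cannot read the folder" }
}

foreach ($file in Get-ChildItem -Path $machineKeys | Where-Object { -not $_.PSIsContainer }) {
    try { $acl = Get-Acl -Path $file.FullName }
    catch { Write-Warning "$($file.Name): cannot read ACL ($($_.Exception.Message))"; continue }
    $label = if ($owners.ContainsKey($file.Name)) { $owners[$file.Name] } else { 'unmapped' }
    foreach ($id in $required) {
        if (-not (Test-IdentityCanRead $acl $id)) {
            Write-Warning "$($file.Name) [$label]: $id has no read access (owner $($acl.Owner))"
        }
    }
}
```

A key file that shows up as "unmapped" with a warning for both identities is exactly the orphaned private key the post describes; fixing it means restoring the intended ACEs on the file (and on the folder) as an administrator.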