Hi,

I have problem with a dialog box with title: "Signing data with your private
exchange key". In the box, it says: "An application is requesting access to
a Protected item. CryptoAPI Pirvate Key"

Background:
I have a client program which contacts my Web Service through SSL. The web
service require client certificate. Problems is whenever the application
contacts the web service, client certificate's private key is used to signed
the data, and the dialog box jumps out. My program can't proceed without
click on OK. But, my program is implemented as a Windows Service, no human
interaction is supposed to be presented.

There got to be a setting to authorized the use of private key
automatically, any idea?

Thanks,
Guogang

This is known as "strong private key protection" and is part of DPAPI. It
is an optional setting created at key generation or import time. You must
generate or install the key without this setting. To remove this setting,
export the key and re-import without this protection level. Or enroll a new
cert with a key and do not use this setting.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Guogang" > wrote in message
...
> Hi,
>
> I have problem with a dialog box with title: "Signing data with your
private
> exchange key". In the box, it says: "An application is requesting access
to
> a Protected item. CryptoAPI Pirvate Key"
>
> Background:
> I have a client program which contacts my Web Service through SSL. The web
> service require client certificate. Problems is whenever the application
> contacts the web service, client certificate's private key is used to
signed
> the data, and the dialog box jumps out. My program can't proceed without
> click on OK. But, my program is implemented as a Windows Service, no human
> interaction is supposed to be presented.
>
> There got to be a setting to authorized the use of private key
> automatically, any idea?
>
> Thanks,
> Guogang
>
>

The same question gets asked quite a bit in the CAPICOM mail-list.
A client's ability to sign data should always require client prompting,
imho. Private RSA keys really should always be private, and the only
way to ensure that is with suitably-strong password protection.
I think we need to warn web applications designers of the dangers of
exposing private RSA keys (on server of client) to general use by
importing without Strong Private Key Protection. Doing this usually
means a vulnerable design not carefully thought out.

- Michel Gallant
MVP Security

"David Cross [MS]" > wrote in message
...
> This is known as "strong private key protection" and is part of DPAPI. It
> is an optional setting created at key generation or import time. You must
> generate or install the key without this setting. To remove this setting,
> export the key and re-import without this protection level. Or enroll a new
> cert with a key and do not use this setting.
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Guogang" > wrote in message
> ...
> > Hi,
> >
> > I have problem with a dialog box with title: "Signing data with your
> private
> > exchange key". In the box, it says: "An application is requesting access
> to
> > a Protected item. CryptoAPI Pirvate Key"
> >
> > Background:
> > I have a client program which contacts my Web Service through SSL. The web
> > service require client certificate. Problems is whenever the application
> > contacts the web service, client certificate's private key is used to
> signed
> > the data, and the dialog box jumps out. My program can't proceed without
> > click on OK. But, my program is implemented as a Windows Service, no human
> > interaction is supposed to be presented.
> >
> > There got to be a setting to authorized the use of private key
> > automatically, any idea?
> >
> > Thanks,
> > Guogang
> >
> >
>
>

Thanks, the change solves the problem.

It is interesting, in my previous settings, I am not asked for a password at
all, although I've selected "Strong Private Key Protection". As long as I
click the OK on the dialog, the program can go on.

Is there other ways to provide better protection of private key? I DO want
automatic use of the private key, and also want a strong protected private
key. Seems like I can't get both. :(

Thanks again,
Guogang


"David Cross [MS]" > wrote in message
...
> This is known as "strong private key protection" and is part of DPAPI. It
> is an optional setting created at key generation or import time. You must
> generate or install the key without this setting. To remove this setting,
> export the key and re-import without this protection level. Or enroll a
new
> cert with a key and do not use this setting.
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> http://support.microsoft.com
>
> "Guogang" > wrote in message
> ...
> > Hi,
> >
> > I have problem with a dialog box with title: "Signing data with your
> private
> > exchange key". In the box, it says: "An application is requesting access
> to
> > a Protected item. CryptoAPI Pirvate Key"
> >
> > Background:
> > I have a client program which contacts my Web Service through SSL. The
web
> > service require client certificate. Problems is whenever the application
> > contacts the web service, client certificate's private key is used to
> signed
> > the data, and the dialog box jumps out. My program can't proceed without
> > click on OK. But, my program is implemented as a Windows Service, no
human
> > interaction is supposed to be presented.
> >
> > There got to be a setting to authorized the use of private key
> > automatically, any idea?
> >
> > Thanks,
> > Guogang
> >
> >
>
>

Michel Gallant (MVP) wrote:

> imho. Private RSA keys really should always be private, and the only
> way to ensure that is with suitably-strong password protection.
> I think we need to warn web applications designers of the dangers of
> exposing private RSA keys (on server of client) to general use by
> importing without Strong Private Key Protection. Doing this usually
> means a vulnerable design not carefully thought out.

Particularly when used for digital signatures which could legally
bind the customer without their knowledge.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

In my case, it is a client certificate for client application to
authenticate itself in order to talk with web service. No human interaction
is available here.

I have no idea how secure private key can be in Windows XP.

Say, if I install a client certificate for current user (my login), is it
somehow encrypted to protect access from other login accounts?

"Gary Flynn" > wrote in message
...
>
>
> Michel Gallant (MVP) wrote:
>
> > imho. Private RSA keys really should always be private, and the only
> > way to ensure that is with suitably-strong password protection.
> > I think we need to warn web applications designers of the dangers of
> > exposing private RSA keys (on server of client) to general use by
> > importing without Strong Private Key Protection. Doing this usually
> > means a vulnerable design not carefully thought out.
>
> Particularly when used for digital signatures which could legally
> bind the customer without their knowledge.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe
>

Yes, private cryptoapi keys are protected fairly strongly.
See info. on private keys in Win2000 Pro ResKit at:

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp?frame=true :

"Unlike their corresponding public keys, private keys must be protected.
Therefore, all files in the RSA folder are automatically encrypted
with a random, symmetric key called the user?s master key. The user?s
master key is generated by the RC4 algorithm in the Base or Enhanced CSP.
RC4 generates a 128-bit key for computers with the Enhanced CSP (subject
to cryptography export restrictions) and a 56-bit key for computers with
only the Base CSP (available for all Windows 2000 computers). The master
key is generated automatically and is renewed periodically. It encrypts
each file in the RSA folder automatically as the file is created."

- Mitch

"Guogang" > wrote in message
...
> In my case, it is a client certificate for client application to
> authenticate itself in order to talk with web service. No human interaction
> is available here.
>
> I have no idea how secure private key can be in Windows XP.
>
> Say, if I install a client certificate for current user (my login), is it
> somehow encrypted to protect access from other login accounts?
>
> "Gary Flynn" > wrote in message
> ...
> >
> >
> > Michel Gallant (MVP) wrote:
> >
> > > imho. Private RSA keys really should always be private, and the only
> > > way to ensure that is with suitably-strong password protection.
> > > I think we need to warn web applications designers of the dangers of
> > > exposing private RSA keys (on server of client) to general use by
> > > importing without Strong Private Key Protection. Doing this usually
> > > means a vulnerable design not carefully thought out.
> >
> > Particularly when used for digital signatures which could legally
> > bind the customer without their knowledge.
> >
> > --
> > Gary Flynn
> > Security Engineer - Technical Services
> > James Madison University
> >
> > Please R.U.N.S.A.F.E.
> > http://www.jmu.edu/computing/runsafe
> >
>
>

That's very comforting. All I need to hold tightly is my username and
password. :)

Thanks,
Guogang

"Michel Gallant (MVP)" > wrote in message
...
> Yes, private cryptoapi keys are protected fairly strongly.
> See info. on private keys in Win2000 Pro ResKit at:
>
>
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp?frame=true :
>
> "Unlike their corresponding public keys, private keys must be protected.
> Therefore, all files in the RSA folder are automatically encrypted
> with a random, symmetric key called the user?s master key. The user?s
> master key is generated by the RC4 algorithm in the Base or Enhanced CSP.
> RC4 generates a 128-bit key for computers with the Enhanced CSP (subject
> to cryptography export restrictions) and a 56-bit key for computers with
> only the Base CSP (available for all Windows 2000 computers). The master
> key is generated automatically and is renewed periodically. It encrypts
> each file in the RSA folder automatically as the file is created."
>
> - Mitch
>
> "Guogang" > wrote in message
> ...
> > In my case, it is a client certificate for client application to
> > authenticate itself in order to talk with web service. No human
interaction
> > is available here.
> >
> > I have no idea how secure private key can be in Windows XP.
> >
> > Say, if I install a client certificate for current user (my login), is
it
> > somehow encrypted to protect access from other login accounts?
> >
> > "Gary Flynn" > wrote in message
> > ...
> > >
> > >
> > > Michel Gallant (MVP) wrote:
> > >
> > > > imho. Private RSA keys really should always be private, and the only
> > > > way to ensure that is with suitably-strong password protection.
> > > > I think we need to warn web applications designers of the dangers of
> > > > exposing private RSA keys (on server of client) to general use by
> > > > importing without Strong Private Key Protection. Doing this usually
> > > > means a vulnerable design not carefully thought out.
> > >
> > > Particularly when used for digital signatures which could legally
> > > bind the customer without their knowledge.
> > >
> > > --
> > > Gary Flynn
> > > Security Engineer - Technical Services
> > > James Madison University
> > >
> > > Please R.U.N.S.A.F.E.
> > > http://www.jmu.edu/computing/runsafe
> > >
> >
> >
>
>

from what I have seen in a very large enterprise, weak passwords
are almost the most vulnerable part of client computers in the workplace
- Mitch

"Guogang" > wrote in message
...
> That's very comforting. All I need to hold tightly is my username and
> password. :)
>
> Thanks,
> Guogang
>
> "Michel Gallant (MVP)" > wrote in message
> ...
> > Yes, private cryptoapi keys are protected fairly strongly.
> > See info. on private keys in Win2000 Pro ResKit at:
> >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp?frame=true :
> >
> > "Unlike their corresponding public keys, private keys must be protected.
> > Therefore, all files in the RSA folder are automatically encrypted
> > with a random, symmetric key called the user?s master key. The user?s
> > master key is generated by the RC4 algorithm in the Base or Enhanced CSP.
> > RC4 generates a 128-bit key for computers with the Enhanced CSP (subject
> > to cryptography export restrictions) and a 56-bit key for computers with
> > only the Base CSP (available for all Windows 2000 computers). The master
> > key is generated automatically and is renewed periodically. It encrypts
> > each file in the RSA folder automatically as the file is created."
> >
> > - Mitch
> >
> > "Guogang" > wrote in message
> > ...
> > > In my case, it is a client certificate for client application to
> > > authenticate itself in order to talk with web service. No human
> interaction
> > > is available here.
> > >
> > > I have no idea how secure private key can be in Windows XP.
> > >
> > > Say, if I install a client certificate for current user (my login), is
> it
> > > somehow encrypted to protect access from other login accounts?
> > >
> > > "Gary Flynn" > wrote in message
> > > ...
> > > >
> > > >
> > > > Michel Gallant (MVP) wrote:
> > > >
> > > > > imho. Private RSA keys really should always be private, and the only
> > > > > way to ensure that is with suitably-strong password protection.
> > > > > I think we need to warn web applications designers of the dangers of
> > > > > exposing private RSA keys (on server of client) to general use by
> > > > > importing without Strong Private Key Protection. Doing this usually
> > > > > means a vulnerable design not carefully thought out.
> > > >
> > > > Particularly when used for digital signatures which could legally
> > > > bind the customer without their knowledge.
> > > >
> > > > --
> > > > Gary Flynn
> > > > Security Engineer - Technical Services
> > > > James Madison University
> > > >
> > > > Please R.U.N.S.A.F.E.
> > > > http://www.jmu.edu/computing/runsafe
> > > >
> > >
> > >
> >
> >
>
>

In other words:
Lots of obsfucation, and eventaully, somewhere in the infrastructure and
code, all private key storage is protected by a password or other fixed
value.

lyal

"Michel Gallant (MVP)" > wrote in message
...
> Yes, private cryptoapi keys are protected fairly strongly.
> See info. on private keys in Win2000 Pro ResKit at:
>
>
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp?frame=true :
>
> "Unlike their corresponding public keys, private keys must be protected.
> Therefore, all files in the RSA folder are automatically encrypted
> with a random, symmetric key called the user?s master key. The user?s
> master key is generated by the RC4 algorithm in the Base or Enhanced CSP.
> RC4 generates a 128-bit key for computers with the Enhanced CSP (subject
> to cryptography export restrictions) and a 56-bit key for computers with
> only the Base CSP (available for all Windows 2000 computers). The master
> key is generated automatically and is renewed periodically. It encrypts
> each file in the RSA folder automatically as the file is created."
>
> - Mitch
>
> "Guogang" > wrote in message
> ...
> > In my case, it is a client certificate for client application to
> > authenticate itself in order to talk with web service. No human
interaction
> > is available here.
> >
> > I have no idea how secure private key can be in Windows XP.
> >
> > Say, if I install a client certificate for current user (my login), is
it
> > somehow encrypted to protect access from other login accounts?
> >
> > "Gary Flynn" > wrote in message
> > ...
> > >
> > >
> > > Michel Gallant (MVP) wrote:
> > >
> > > > imho. Private RSA keys really should always be private, and the only
> > > > way to ensure that is with suitably-strong password protection.
> > > > I think we need to warn web applications designers of the dangers of
> > > > exposing private RSA keys (on server of client) to general use by
> > > > importing without Strong Private Key Protection. Doing this usually
> > > > means a vulnerable design not carefully thought out.
> > >
> > > Particularly when used for digital signatures which could legally
> > > bind the customer without their knowledge.
> > >
> > > --
> > > Gary Flynn
> > > Security Engineer - Technical Services
> > > James Madison University
> > >
> > > Please R.U.N.S.A.F.E.
> > > http://www.jmu.edu/computing/runsafe
> > >
> >
> >
>
>

Eventaully, somewhere in all the infrastructure and code, all encryption
keys are stored protected by a password.
Rarely, 2 passwords

lyal

"Michel Gallant (MVP)" > wrote in message
...
> from what I have seen in a very large enterprise, weak passwords
> are almost the most vulnerable part of client computers in the workplace
> - Mitch
>
> "Guogang" > wrote in message
> ...
> > That's very comforting. All I need to hold tightly is my username and
> > password. :)
> >
> > Thanks,
> > Guogang
> >
> > "Michel Gallant (MVP)" > wrote in message
> > ...
> > > Yes, private cryptoapi keys are protected fairly strongly.
> > > See info. on private keys in Win2000 Pro ResKit at:
> > >
> > >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/
windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp?frame=true :
> > >
> > > "Unlike their corresponding public keys, private keys must be
protected.
> > > Therefore, all files in the RSA folder are automatically encrypted
> > > with a random, symmetric key called the user?s master key. The user?s
> > > master key is generated by the RC4 algorithm in the Base or Enhanced
CSP.
> > > RC4 generates a 128-bit key for computers with the Enhanced CSP
(subject
> > > to cryptography export restrictions) and a 56-bit key for computers
with
> > > only the Base CSP (available for all Windows 2000 computers). The
master
> > > key is generated automatically and is renewed periodically. It
encrypts
> > > each file in the RSA folder automatically as the file is created."
> > >
> > > - Mitch
> > >
> > > "Guogang" > wrote in message
> > > ...
> > > > In my case, it is a client certificate for client application to
> > > > authenticate itself in order to talk with web service. No human
> > interaction
> > > > is available here.
> > > >
> > > > I have no idea how secure private key can be in Windows XP.
> > > >
> > > > Say, if I install a client certificate for current user (my login),
is
> > it
> > > > somehow encrypted to protect access from other login accounts?
> > > >
> > > > "Gary Flynn" > wrote in message
> > > > ...
> > > > >
> > > > >
> > > > > Michel Gallant (MVP) wrote:
> > > > >
> > > > > > imho. Private RSA keys really should always be private, and the
only
> > > > > > way to ensure that is with suitably-strong password protection.
> > > > > > I think we need to warn web applications designers of the
dangers of
> > > > > > exposing private RSA keys (on server of client) to general use
by
> > > > > > importing without Strong Private Key Protection. Doing this
usually
> > > > > > means a vulnerable design not carefully thought out.
> > > > >
> > > > > Particularly when used for digital signatures which could legally
> > > > > bind the customer without their knowledge.
> > > > >
> > > > > --
> > > > > Gary Flynn
> > > > > Security Engineer - Technical Services
> > > > > James Madison University
> > > > >
> > > > > Please R.U.N.S.A.F.E.
> > > > > http://www.jmu.edu/computing/runsafe
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>