COMMAND

    Protected Store

SYSTEMS AFFECTED

    CryptoAPI (Windows 2000 all versions)

PROBLEM

    Following  is  based  on  a  Security Bulletin from the Microsoft.
    A Protected Store  is provided as  part of CryptoAPI,  in order to
    provide secure storage for  sensitive information such as  private
    keys  and  certificates.   By  design,  the Protected Store should
    always encrypt  the information  using the  strongest cryptography
    available   on   the   machine.    However,   the   Windows   2000
    implementation uses  40-bit key  to encrypt  the Protected  Store,
    even if stronger cryptography is installed on the machine.

    This vulnerability weakens the protection on the Protected  Store,
    but  does  not  eliminate  it.   An  attacker  would  need to gain
    complete administrative control over  the machine that houses  the
    Protected  Store  in  order  to  gain  access to it, and even then
    would  still  need  to  mount  a  brute-force cryptographic attack
    against  it.   However,  customers  who  follow  the   recommended
    remediation for this vulnerability can ensure that such an  attack
    would be significantly more difficult, if not impossible.

SOLUTION

    The patch package to  eliminate this vulnerability contains  a new
    version of PBASE.DLL, the module that provides the Protected Store
    functionality,  and   a  tool   named  Keymigrt.exe.    Installing
    PBASE.DLL will ensure that  all future additions to  the Protected
    Store are encrypted using the strongest cryptography available  on
    the machine.  However, the Keymigrt tool also needs to be run,  in
    order to re-encrypt  all items currently  in the Protected  Store.
    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23332

    On June 01, 2000, Microsoft released the original version of  this
    bulletin.  However,  an error was  subsequently discovered in  the
    patch,  and  on  July  26,  2000,  Microsoft  released a corrected
    version.