Is it possible to suppress 'remember password' in the CryptoAPI high-security dialog?
Mathew
Re: Is it possible to suppress 'remember password' in the CryptoAPI
high-security dialog?
I have a digital signature application where the private keys must be used
in the high security mode that the CrypoAPI supports for keys. It would be
inappropriate for users to use the 'remember password' checkbox, so I'd like
to remove the option from this dialog. Can I do that?
Regards
Mathew
PS.
The dialog I 'm referring to occurs when you call 'CryptSignHash', when
signing with keys imported under the high security options. You can
programatically import a key in a mode that causes this dialog using:
PFXImportCertStore( &blob, password.c_str(), CRYPT_USER_PROTECTED |
CRYPT_USER_KEYSET );
The dialog that is displayed is from CrypoAPI and is labelled 'Signing data
with your private exhange key', and has the prompt 'An application is
requesting access to a Protected item.' Under details the description is
'CryptoAPI Private Key'.
David Cross [MS]
at this article:
strong private key protection:
http://support.microsoft.com/default.aspx?scid=kb;en-us;320828
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mathew" <mat...@nospam.planet> wrote in message
news:ueeXRDZA...@TK2MSFTNGP12.phx.gbl...
Mathew
Thanks David. I'm using Windows XP Pro and have not been able to find a
policy setting that correlates to the description, unfortunately it only
says:
"... the administrator can set a policy enforce strong password protection
on user's computer. ", I couldn't find where it described the policy name.
Does anyone know where I would find the policy and it's exact name?
Also, it wasn't clear from the description in the article that this isn't
what I'm already getting - I want to change the dialog I'm already getting
to remove the 'remember password' option. Hopefully these policy settings
might be the way to control this type of behaviour in the absense of any
ability to do so through the CryptoAPI. Do you happen to know if 'fixed
time-out' period means hard coded fixed or fixed by policy but not user
customizable?
Regards
Mathew
"David Cross [MS]" <dcr...@online.microsoft.com> wrote in message
news:u5BW0reA...@TK2MSFTNGP09.phx.gbl...
David Cross [MS]
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography registry subkey:
- ForceKeyProtection
When enabled, this DWORD value forces the data protection application
programming interface (DPAPI) to disable the option in the user interface
that permits password selection. This forces the user to type a password.
This key can contain the following values:
- 0: Do not force user interface on key protection
- 1: Maintain user interface. This permits the user to change protection
selection.
- 2: Disable the user interface option. This forces users to use a
password.
- CachePrivateKeys
This DWORD value maintains a value of 1, only if the following registry key
is
used:
- PrivateKeyLifetimeSeconds
This DWORD value contains the number of seconds a key can remain cached
without being used. The key cache timer will be reset on every
successful use
in the CSP.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mathew" <mat...@nospam.planet> wrote in message
news:OeyEmXlA...@TK2MSFTNGP11.phx.gbl...
Mathew
That sounds exactly what I'm after. The only problem now is that it isn't
working for me. I assumed XP Pro SP1 contained the hotfix as the article
only talks of older operating systems. I set the registry key (copy-pasted
from exported .reg file to avoid copy errors) as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography]
...
"ForceKeyProtection"=dword:00000002
but, the behaviour hasn't changed. Do you have any tips for figuring out
why this isn't working? Also, is there some documentation on this that I
should have been able to find?
Regards
Mathew
"David Cross [MS]" <dcr...@online.microsoft.com> wrote in message
news:u8$xrYrAE...@TK2MSFTNGP12.phx.gbl...
Rhett Gong [MSFT]
There are other dependency issues for this problem. I suggest you contact PSS for this hotfix.
For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
For how to "How to Obtain the Latest Windows 2000 Service Pack" at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;260910
Please note: Requesting for a hotfix will not be charged.
Have a nice day!
Rhett Gong [MSFT]
Microsoft Online Partner Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to newsgroups only. Thanks.
Mathew
Okay, I shall do.
Thanks
Mathew
"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message
news:ptkQE%23OBEH...@cpmsftngxa06.phx.gbl...
Mathew
I contacted PSS and they said this hotfix only applied to Windows 2000. As
mentioned I'm looking for a solution that works under Windows XP. Ideally
I'd like a solution that can be incorprated into our product, but it's
possible we could refer people to Microsoft for hotfixes if that were no
alternative.
So, backing up to the suggestion from David Cross; what do I have to do to
get the ForceKeyProtection, CachePrivateKeys and PrivateKeyLifetime registry
keys respected by Windows XP?
Thanks
Mathew
"Mathew" <mat...@nospam.planet> wrote in message
news:ecloh7U...@TK2MSFTNGP10.phx.gbl...
Rhett Gong [MSFT]
repro sample to me.(please note to remove the "online" from my email address.)
Have a great weekend!
Rhett Gong [MSFT]
Microsoft Online Partner Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Mathew
Yes, I have SP1, and the registry settings don't get the desired behaviour.
I shall email you a sample as soon as I get time.
Regards
Mathew
"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message
news:lRmej9tE...@cpmsftngxa06.phx.gbl...
Rhett Gong [MSFT]
I check it in my XP sp1 box. No matter I select "remember password" or not, the "sign data with your private exchange key" dialog still prompt out to require
the password.
I believe this has resolved your problem, since the "Rememver password" is useless whether I checked it or not.
Please let me know if you still need assist on this problem. Thanks.
Have a great weekend.
Mathew
In some cases it does remember the password. There's a timeout involved,
and perhaps it depends upon the process not exiting, but in my app I
certainly can get a situation where the password is remembered, so no, this
isn't a resolution.
Even if the option were completely useless, that should constitute a bug.
It's not satisfactory because admins and auditors can't reasonable guess the
'remember password' feature posed no problem because it didn't work. What
if the next critical update form MS fixed the problem?
The solution discussed by David Cross seems the most promising answer, that
is using the registry settings ForceKeyProtection, CachePrivateKeys and
PrivateKeyLifetime registry. Does anybody know how to control these
settings or their equivalents in Windows XP?
Regards
Mathew
"Rhett Gong [MSFT]" <v-ra...@online.microsoft.com> wrote in message
news:SPMHGNI...@cpmsftngxa06.phx.gbl...
Rhett Gong [MSFT]
>There's a timeout involved,
>and perhaps it depends upon the process not exiting, but in my app I
>certainly can get a situation where the password is remembered, so no, this
>isn't a resolution.
let me know if there is more I can do to assist you on this problem.
>What if the next critical update form MS fixed the problem?
I have not seen any similar problem in our bug DB. So if I know steps to repro it, I will have it filed.
PS. If this is urgent, I suggest you contacting PSS directly for your specific problem (not the hotfix for kb320828).
Thanks,