RSAKeyLength setting for EFS - XP or Vista only?

Guest

Hi folks, I should really know this one, but I cannot recall definitively...

When the EFS client libraries ask Windows to generate the keys for an EFS
certificate enrollment, it'll generate 1024-bit RSA keys by default. In
Windows Server 2003 (and Vista, I believe) this default setting can be
controlled by the Registry setting HKLM\Software\Microsoft\Windows
NT\CurrentVersion\EFS\RSAKeyLength.

Q1: is this setting used in Windows Vista?
Q2: is this setting available in Windows XP SP2?
Q3: is this setting available after installing the post-SP2 hotfix 912761?
[Or a setting under HKLM\Software\Policies\Microsoft\Windows
NT\CurrentVersion\EFS\]
Q4: does this control the generation of keys only for self-signed certs, or
also for CA-enrolled certs (where the key length isn't specified in the cert
template)?

Thanks very much for any help anyone can provide!

Hey Mike :)

I stumbled across this post while looking for something else and
thought I'd pipe up - this value is not used in XP in any form, but it
is used in Vista.
I'll have to look into Q4 a bit more...

steve

Looks like self signed only...
 
Thanks Steve.

I can certainly understand that this RSAKeyLength setting didn't exist in XP
originally. Can you confirm (i.e. are you certain) that this setting didn't
come through in the hotfix for 912761 either? I know that it isn't mentioned
in the KB article, but I'm hoping that it might've gotten bundled into the
libraries that were updated. :)

Cheers,
--
Mike Smith-Lonergan
Intel Security Center of Excellence
http://paranoidmike.blogspot.com

Just checked and it is not - is there something which would lead you
to believe that it is in XP?


steve
 
Hi Steve, no I don't know of anything I've seen in XP that would lead me to
believe it *is* there... but I was *hoping* that since this shipped in
Windows Server 2003, that there would've been some incentive to backport it
to the XP codebase (where it's far more useful).

I know that an organization can *try* to control the minimum key length for
CA-enrolled certs by judicious use of v2 templates. However, most of the
organizations with which I've worked are after some assurance they can
control this behaviour at the client (either as well as or instead of cert
template controls), since there are multiple pathways in the EFS component
driver that can lead to non-v2 cert template enrollment (at least prior to
Vista).

- Do you know if the XP EFS component driver's cert enrollment code paths
would all lead to honouring (a client-side RSA key length minimum)? [I could
swear there's a Registry setting in Windows Vista and perhaps earlier to
enforce a minimum RSA key length for all CAPI-generated certs/keypairs, but
for the life of me I can't find a reference to it anywhere on the 'net. If
I'm just dreaming, feel free to ignore this question.]
- i.e. do all cert enrollment code paths (that don't reuse existing
keypairs) end up calling CryptGenKey() & CryptGetProvParam()?
- Would this mean that the EFS component driver is merely passing in a
specific key length value (via dwFlags) to CryptGenKey(), when an
administrator sets RSAKeyLength in the Registry? [only for self-signed cert
enrollment of course]


BTW, Jan DeClerq wrote about the RSAKeyLength setting in a WindowsITPro
article (InstantdocID 46252), and said "Windows 2003 also lets you specify
larger default RSA key sizes for keys that are generated for EFS." This
implies that the setting also affects enrollment for non-self-signed certs -
was this just an oversight on Jan's part? [It's an understandable mistake,
since this isn't well documented, but I want to make sure I'm getting the
facts straight.]
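A client-side check that ties the two questions together, added here as an example and not code from anyone in the thread: it reads the RSAKeyLength value from both registry paths named above (the Policies path is the one the poster speculated about, so it may not exist), then lists the current user's EFS certificates with their key sizes and whether each is self-signed or CA-issued. The EFS EKU OID (1.3.6.1.4.1.311.10.3.4) and the 1024-bit fallback are assumptions of this script; the 1024-bit figure comes from the thread's stated default.

```powershell
# Added example (not from the thread): audit the EFS RSAKeyLength setting and the
# key sizes of the current user's EFS certificates. Run on the client as that user.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID (assumption)
$keys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\EFS',   # path named in the thread
    'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS'   # path the poster speculated about
)

# 1. Report what RSAKeyLength, if anything, is configured at either path.
$configured = $null
foreach ($k in $keys) {
    $v = Get-ItemProperty -Path $k -Name RSAKeyLength -ErrorAction SilentlyContinue
    if ($v) {
        "{0}\RSAKeyLength = {1}" -f $k, $v.RSAKeyLength
        if (-not $configured) { $configured = [int]$v.RSAKeyLength }
    } else {
        "{0}\RSAKeyLength not set" -f $k
    }
}
# Fall back to the 1024-bit default the thread describes when nothing is configured.
$minimum = if ($configured) { $configured } else { 1024 }

# 2. Enumerate EFS certificates and compare each key size to the expected minimum.
#    Subject == Issuer marks a self-signed cert, which is the case the thread says
#    the setting governs; CA-issued certs are listed so the template policy can be checked too.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    ForEach-Object {
        $selfSigned = ($_.Subject -eq $_.Issuer)
        $bits = $_.PublicKey.Key.KeySize
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Source     = if ($selfSigned) { 'self-signed' } else { 'CA-issued' }
            KeyBits    = $bits
            BelowMin   = ($bits -lt $minimum)
            NotAfter   = $_.NotAfter
        }
    } | Format-Table -AutoSize
```

A CA-issued row with BelowMin set to True is the case the thread warns about: the registry value did not help there, and only the certificate template (or a client-side minimum, if one exists) would.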