From: "Stef Caunter" <[EMAIL PROTECTED]>

> An attacker with floppy boot access to a Win2K system would get reverse
> access to that machine's encrypted files only if the recovery cert for
> the domain was locally available (unlikely), or if the machine was not
> part of a domain.
In the two years or so since that EFS attack surfaced, I don't recall ever seeing anyone ask *why* you get access in the stand-alone case.

The theory says a private key is encrypted under a random account 'master key', which in turn is encrypted under a key derived from account credentials (password and SID). Since the floppy-based chntpw program works by simply overwriting an account's password hash, any subsequent attempt to access a private key should fail.

It works because the protected storage service can't handle password resets when they are performed via a different (administrative) account, so it maintains a second copy of each account's master key to recover from such events. I believe the second copy is encrypted under some system secret (in a domain this secret lives on the domain controller), but information about this Win2K feature is scarce or opaque.

The documentation for WinXP implies this has changed, i.e., there is no automagic recovery of an account's master key if the password is reset via another account. However, there is a suggested recovery method that uses the umm.. innovative Password Reset Disk.

-Alan-

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
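The key hierarchy Alan describes, as an added model that is not part of the original thread and not Microsoft's code: a file key wrapped under the account's EFS key, that key wrapped under a random master key, and the master key stored twice, once under a key derived from the password and SID and once under a system secret. The cipher (SHA-256 in counter mode plus HMAC), the PBKDF2 derivation, the SHA-256 stand-in for the NT hash, the symmetric stand-in for the EFS private key, and the account names and SID are all assumptions made so the example runs on the standard library; the real DPAPI/EFS formats are not described on the page. The scenario shows why a chntpw-style hash overwrite breaks decryption under the new password, and why the second copy of the master key restores it only when the system secret is available locally.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERS = 100_000  # assumption: the real credential-key derivation differs


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in cipher so no third-party library is needed."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the key-encrypting key `kek`: nonce || ct || tag."""
    enc_key = hashlib.sha256(b"enc" + kek).digest()
    mac_key = hashlib.sha256(b"mac" + kek).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap(); a wrong key fails the tag check and raises ValueError."""
    enc_key = hashlib.sha256(b"enc" + kek).digest()
    mac_key = hashlib.sha256(b"mac" + kek).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key-encrypting key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def credential_key(password: str, sid: str) -> bytes:
    """Key derived from the account credentials (password and SID)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), sid.encode(), PBKDF2_ITERS)


class Account:
    """Random master key stored twice: under the credential key and under a system secret."""

    def __init__(self, sid: str, password: str, system_secret: bytes):
        self.sid = sid
        self.password_hash = hashlib.sha256(password.encode()).digest()  # stand-in for the NT hash
        master_key = secrets.token_bytes(32)
        self.mk_under_credentials = wrap(credential_key(password, sid), master_key)
        self.mk_under_system_secret = wrap(system_secret, master_key)  # the second copy
        # Stand-in for the EFS private key: a symmetric key so the example stays stdlib-only.
        self.efs_key_under_mk = wrap(master_key, secrets.token_bytes(32))


def logon(acct: Account, password: str) -> bytes:
    """Check the stored hash, then walk the hierarchy down to the EFS key."""
    if hashlib.sha256(password.encode()).digest() != acct.password_hash:
        raise PermissionError("bad password")
    master_key = unwrap(credential_key(password, acct.sid), acct.mk_under_credentials)
    return unwrap(master_key, acct.efs_key_under_mk)


def encrypt_file(efs_key: bytes, data: bytes) -> tuple[bytes, bytes]:
    fek = secrets.token_bytes(32)  # per-file key, wrapped under the user's EFS key
    return wrap(efs_key, fek), wrap(fek, data)


def decrypt_file(efs_key: bytes, wrapped_fek: bytes, ct: bytes) -> bytes:
    return unwrap(unwrap(efs_key, wrapped_fek), ct)


def chntpw_reset(acct: Account, new_password: str) -> None:
    """Offline hash overwrite: the stored hash changes, the wrapped master key does not."""
    acct.password_hash = hashlib.sha256(new_password.encode()).digest()


def recover_master_key(acct: Account, new_password: str, system_secret: bytes) -> None:
    """Use the second copy to re-wrap the master key under the new credentials.
    In the domain case the secret lives on the DC, so this is not possible offline."""
    master_key = unwrap(system_secret, acct.mk_under_system_secret)
    acct.mk_under_credentials = wrap(credential_key(new_password, acct.sid), master_key)


def scenario(system_secret_available: bool = True) -> dict:
    """Stand-alone machine (secret available) versus domain member (secret not local)."""
    system_secret = secrets.token_bytes(32)
    acct = Account("S-1-5-21-1000-2000-3000-1001", "hunter2", system_secret)  # constructed
    data = b"constructed file contents"
    wrapped_fek, ct = encrypt_file(logon(acct, "hunter2"), data)
    results = {"before_reset": decrypt_file(logon(acct, "hunter2"), wrapped_fek, ct) == data}
    chntpw_reset(acct, "newpass")
    try:
        decrypt_file(logon(acct, "newpass"), wrapped_fek, ct)
        results["after_reset"] = True
    except ValueError:
        results["after_reset"] = False  # hash accepted, but the master key will not unwrap
    if system_secret_available:
        recover_master_key(acct, "newpass", system_secret)
        results["after_recovery"] = decrypt_file(logon(acct, "newpass"), wrapped_fek, ct) == data
    else:
        results["after_recovery"] = False
    return results


if __name__ == "__main__":
    print("stand-alone:", scenario(True))
    print("domain member:", scenario(False))
```

The point the model makes is that overwriting the hash only changes what logon compares against; nothing re-wraps the master key, so every layer below it stays sealed under the old credentials until something holding the second copy (or the old password) re-wraps it.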
