Microsoft Security Bulletin (MS00-032): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-032 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability could make it easier for a malicious user to compromise sensitive data belonging to a Windows 2000 user. By design, Windows 2000 should encrypt this data using the strongest cryptography available on the machine, but, because of the vulnerability, it's actually protected with weaker cryptography.
Before a malicious user could attempt to exploit this vulnerability, he would need to have already gained complete control over the user's machine in order to obtain the data. Even if he had done so, this vulnerability would only make it possible - not trivial - to compromise the information.
What causes the vulnerability?
The vulnerability results because the Windows 2000 Protected Store always encrypts users' private key material using 40-bit cryptography, even when higher-grade cryptography has been enabled on the machine.
What is the Windows 2000 Protected Store?
The Protected Store is a storage facility provided as part of CryptoAPI. It's primarily used to securely store private keys that have been issued to a user. All of the information in the Protected Store is encrypted, using a key that is derived from the user's logon password. Access to the information is tightly regulated so that only the owner of the material can access it.
The Protected Store isn't unique to Windows 2000. As noted above, it's part of CryptoAPI, which ships as part of Windows 95, Windows 98, and Windows NT 4.0. However, only the Windows 2000 Protected Store is affected by the security vulnerability at issue here.
What do you mean by "40-bit cryptography"?
When we refer to "40-bit cryptography", we're quantifying the strength of the cryptographic protection that the Windows 2000 Protected Store provides to users' sensitive data. The number of bits refers to the length of the keys that are used to encrypt the data - the more bits in the key, the stronger the protection.
What is the problem with the Windows 2000 Protected Store?
By design, Windows 2000 should always encrypt the information in the Protected Store using the highest-strength cryptography available on the machine. However, in actuality, it uses 40-bit cryptography regardless of what other cryptography may be present. If a malicious user were able to obtain a copy of a user's Protected Store, the use of weaker cryptography could make it easier to conduct a brute-force attack and compromise the contents.
What cryptography should Windows 2000 use to encrypt the Protected Store?
By default, Windows 2000 ships with 56-bit cryptography enabled. In this case, it should use 56-bit DES to encrypt the Protected Store. If Windows 2000 has been upgraded using the High Encryption Pack, it should use 168-bit Triple DES to encrypt the Protected Store.
How would a malicious user obtain a copy of someone else's Protected Store?
It would not be a simple feat. Cryptography aside, access to the Protected Store also is regulated through the usual Windows 2000 access controls, which allows only System processes to access it. Thus, before a malicious user could even try to brute-force the cryptographic protection on the store, he would need to gain administrative control of the machine that the Protected Store resides on - the user's machine in most cases, or, in the case of a user who uses roaming profiles, the machine that houses the profile.
Assuming that a malicious user did obtain a copy of the Protected Store, how long would it take him to break 40-bit cryptographic protection?
It's impossible to say, as it would depend on several factors. To understand why, consider how a brute-force attack generally works: the attacker select a key, uses it to decrypt the encrypted data, then assesses the result to see if the key he chose happened to be the right one. If it wasn't, he would select a new key and repeat the process, and continue until he happens to select the correct key.
The speed with which a brute-force attack could be carried out is largely dependent on the amount of processing power that can bring to bear on the problem. The faster keys can be generated and tested, the faster that malicious user could locate the right one. As a benchmark, in 1997 a network of 250 off-the-shelf machines were used to jointly brute-force a 40-bit key in about 4 hours; it almost certainly would be possible to complete such an attack with fewer machine and in less time today.
However, it's important to remember that every item in the Protected Store is encrypted with a different key. This means that a separate brute-force attack would need to be mounted against every item in the Protected Store.
What's the value in encrypting the Protected Store using stronger cryptography?
Although it clearly would not be trivial to brute-force a 40-bit key, longer keys would significantly decrease the likelihood that anyone could compromise the data in the Protected Store, even if they could obtain it.
- As noted above, the default Windows 2000 settings will (after the patch is installed) encrypt the Protected Store using 56-bitkey. Where a 40-bit key was cracked in 1997 by a network of 250 machines in 4 hours, cracking a 56-bit key later the same year took a network of tens of thousands of machines 210 days.
- If the High Encryption Pack has been installed, Windows 2000 will (after the patch is installed) encrypt the Protected Store using 168-bit key. Keys of this length are believed to be computationally infeasible to break via brute force methods.
How can I tell what strength cryptography is installed on my Windows 2000 machine?
The easiest way is to open Internet Explorer, click on Help, then About Internet Explorer. Immediately under the version information, you'll see a field labeled "Cipher Strength", which will be set to either 56 or 128 bits.
I've got 56-bit crypto installed on my machine. How do I upgrade it?
You can download and install the High Encryption Pack at http://www.microsoft.com/windows2000/downloads/
Who should use the patch?
Microsoft recommends that all Windows 2000 users apply the patch and run the tool, to ensure that the protection on their Protected Store is as strong as it can be.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
What's in the patch package?
There are two items in the patch package:
- A new version of PSBASE.DLL, the software module that performs encryption and decryption of the Protected Store. The new version will use the strongest cryptography available on the machine for all items written to the Protected Store in the future.
- A tool, Keymigrt.exe, that will decrypt and re-encrypt all items currently in the Protected Store.
Why is a tool needed?
The patch ensures that any future data added to the Protected Store is encrypted using the strongest cryptography available. However, it cannot upgrade the protection on items that already exist. The tool is used to do this - it decrypts what's already in the Protected Store, then re-encrypts it using stronger cryptography.
How do I get the tool?
Just run the patch using the -x option. This causes the patch files to be extracted into a folder of your choice. Keymigrt.exe is one of the files in the patch. Keep in mind that the -x option does not install the patch, so you will still need to run the patch normally in order to install it.
Does it matter whether I install the patch first or run the tool first?
Yes. The tool cannot be run unless the patch has already been installed.
I'm a system administrator. Can I run the tool on my users' machines?
No. Not even an administrator can access users' Protected Stores, so the tool can't be run from a central location. We recommend either of two approaches:
- Have each user run the tool on his or her own machine
- Install the tool as a logon script to ensure that it runs the next time each user logs on.
It's important that users know that the tool will run, as some users may have configured their environments so that they are prompted whenever an item is retrieved from the Protected Store.
What run-time options are available for the tool?
The KB article contains a complete description of the Keymigrt tool, but here is a summary of the run-time options for it:
-v - verbose - display information about each key as it is upgraded
-s - show current state - display information about the keys and security settings, but make no modifications.
-m - upgrade keys for the machine, as opposed to the current user. The tool must be run as an administrator in order to use this option.
-u - upgrade keys protected by a password. Some keys may be configured so that the user is required to enter a password anytime they are used. By default, Keymigrt does not upgrade these keys (this is done to allow Keymigrt to be used in batch mode). The -u flag will upgrade all keys, including ones that require the user to enter a password.
-f - force a key upgrade, even if the keys already are sufficiently protected.
-e - force an encryption strength upgrade, even if the keys already are sufficiently protected.
-? - help
When Windows 2000 Service Pack 1 is released, will this patch be included in it?
The patch will be included in the Service Pack, but the Keymigrt tool can't be. This means that, after you install SP1, all items you subsequently create in the Protected Store will be encrypted using the strongest cryptography available on the machine. However, the Service Pack will not change the encryption of any items already in the Protected Store. If you've previously run Keymigrt in conjunction with the patch, the items will already be strongly encrypted; if you haven't already applied the patch, you'll need to run Keymigrt after applying the Service Pack.
How can I tell if I installed the patch correctly?
The KB article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.