4

Recently I was working on recovering data from a dead (bricked PSU) Windows XP machine, which included some client certificates installed into IE 6. I plugged in a temporary PSU and tried to export the certificate, only to be told that "these certificates are marked as non-exportable, and thus the private key can not be exported".

I've done some searching around the intertubes, however the only advice I could find was related to pre-install scenarios (i.e. there is apparently an option which you can check during the installation to avoid this situation).

My questions would be:

  • Is this a real security measure? It seems to me that you can simply patch the verification logic in IE6 (or the CryptoAPI) and force the export of the certificate / private-key
  • Is there a ready-made tool to do this? (for backup purposes for example)
Zypher
Grey Panther

3 Answers

7

Exporting private keys on certificates that have been marked non-exportable? Uh, how about a tool called Jailbreak...

Dscoduc
1

"Unexportable" means the private key is inaccessible to CryptExportKey(). It might be possible to patch CryptoAPI in memory, but I haven't found any references to it.

There also might be a way to load the registry "hive" in another system and either copy the certificates or edit the "unexportable" bit... but again, no such things on the googlenet.

user1686
0

Update:

There is a new version of mimikatz that also supports CNG Export (Windows Vista / 7 / 2008 ...)

  1. download (and launch with administrative privileges; trunk version for the latest version)
  2. privilege::debug (or not if you're already system or target only CryptoApi)
  3. crypto::patchcng (nt 6) and/or crypto::patchcapi (nt 5 & 6)
  4. crypto::exportCertificates and/or crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE

pfx files are password protected: "mimikatz"


Old post:

Maybe you can try another tool with other private key functions: "mimikatz". It exports other keys that others cannot export (non-exportable, medium protected, orphan, etc.). The "bit" is not altered in the system file, only the program context is altered :) For example, a user (not an administrator) can export his own protected / non-exportable keys without particular rights.

splattne