Sea of Troubles

Open Challenge - Soft Certificates

If you’re a security geek, there’s a good chance you’ve heard systems engineers say “oh, we’ll just use soft certs and mark them non-exportable. That’s secure!” Frankly, this scares me, but I can’t provide hard proof beyond “that requires us to trust the operating system more than I’m willing to.”

So, I’m opening a challenge. I challenge you, the internet, to demonstrate an attack against non-exportable user and computer certificates and private keys. I’ll accept either programmatic attacks, or a detailed description of how to carry out a manual attack. In order to win, I have to be able to successfully carry out the attack on my own hardware, and recover both the certificate and private key that has been marked non-exportable from either the user or computer certificate store on a Windows 2000 SP4 or Windows XP SP2 machine. You may assume that local administrator privileges have been obtained, but not LocalSystem. You should indicate what privilege is required.

Because I’m a starving student, I can’t offer much bounty, but I’ll throw AU$50 toward the winner via PayPal. If anyone else wants to pitch in to the prize, I’m more than happy to coordinate, but I’d rather not hold the money.


  1. This entire contest is null-and-void if a public attack exists as of midday December 22, 2004 UTC.

  2. You may choose whether you allow further distribution of the attack, but I reserve the right to announce that the challenge has been won (but I won’t mention who you are). I would obviously prefer public disclosure, but I’m willing to negotiate confidentiality.

  3. Claims can be made via email to simon.brown at gmail dot com. Encryption should use PGP key 0xc1c54da4, and signed email is preferred.

  4. Bounty will be delivered via PayPal; notification of PayPal details should be done via encrypted and signed email.

  5. In the interests of disclosure, this challenge has been issued previously in conversation, but no attack has been demonstrated.