Data Protection API

{{Short description|Windows API for cryptography}}
'''Data Protection Application Programming Interface''' ('''DPAPI''') is a simple [[cryptography|cryptographic]] [[application programming interface]] available as a built-in component in [[Windows 2000]] and later versions of [[Microsoft Windows]] [[operating system]]s. In theory, DPAPI can provide symmetric encryption of any kind of data; in practice, its primary use in Windows is to encrypt asymmetric private keys and other stored secrets, with a user or system secret contributing a significant part of the key material. A detailed analysis of the inner workings of DPAPI was published in 2010 by [[Elie Bursztein|Bursztein]] and Picod.<ref>{{cite conference|last1=Bursztein|first1=Elie|last2=Picod|first2=Jean Michel|date=2010|title=Recovering Windows secrets and EFS certificates offline|book-title=WOOT 2010|publisher=USENIX|url=https://elie.net/publication/recovering-windows-secrets-and-efs-certificates-offline/}}</ref>
 
For nearly all [[cryptosystem]]s, one of the most difficult challenges is "[[key management]]"{{snd}} in particular, how to store the decryption key securely. If the key is stored in ''[[plain text]]'', then any user who can read the key can read the encrypted data. If the key is itself encrypted, another key is needed to protect it, and so on. DPAPI cuts this regress short by deriving the key from secrets the operating system already holds: for user-scope protection, a symmetric key derived from the user's logon secrets, so that the protected data is bound to that user's account; for system-scope protection, a key derived from secrets held by the local machine, which any process running on that machine can use to decrypt the data regardless of the account it runs under.
* Windows XP and later for stored user names and passwords<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/bb457059.aspx|title=What's New in Security for Windows XP Professional and Windows XP Home Edition|website=Technet.microsoft.com|access-date=14 October 2017}}</ref> (also known as Credential Manager)
* [[.NET Framework 2.0]] and later for System.Security.Cryptography.ProtectedData<ref>{{cite web|url=http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx|title=ProtectedData Class (System.Security.Cryptography)|website=Msdn2.microsoft.com|access-date=14 October 2017}}</ref>
* Microsoft.Owin (Katana) authentication by default when self-hosting (including cookie authentication and [[OAuth]] tokens)<ref>{{cite web|title=CookieAuthenticationOptions.TicketDataFormat Property (Microsoft.Owin.Security.Cookies)|url=http://msdn.microsoft.com/en-us/library/microsoft.owin.security.cookies.cookieauthenticationoptions.ticketdataformat(v=vs.113).aspx|access-date=2015-01-15}}</ref><ref>{{cite web|title=OAuthAuthorizationServerOptions.AccessTokenFormat Property (Microsoft.Owin.Security.OAuth)|url=http://msdn.microsoft.com/en-us/library/microsoft.owin.security.oauth.oauthauthorizationserveroptions.accesstokenformat(v=vs.113).aspx|access-date=2018-11-26}}</ref>
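The following PowerShell script is an added example, not code from the article or from Microsoft, showing the key-management behaviour described above through the .NET <code>System.Security.Cryptography.ProtectedData</code> wrapper listed among DPAPI's users: a secret is protected under the current user's logon-derived key, optionally mixed with caller-supplied entropy, and decryption fails when the entropy does not match. The function names (<code>Protect-Secret</code>, <code>Unprotect-Secret</code>, <code>Test-DpapiBlob</code>), the sample plaintext and the entropy string are the example's own constructions. It must run on Windows, where DPAPI exists.

```powershell
# Added example (not from the article): DPAPI via System.Security.Cryptography.ProtectedData,
# the .NET wrapper around CryptProtectData / CryptUnprotectData. Windows only.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        # Optional secondary secret: it is mixed into the key derivation, so a caller
        # who can use the same user key but does not know the entropy still cannot decrypt.
        [byte[]]$Entropy = $null,
        # CurrentUser binds the blob to this account's logon secrets; LocalMachine uses
        # machine secrets and lets ANY process on this machine decrypt the blob.
        [System.Security.Cryptography.DataProtectionScope]$ProtectionScope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $ProtectionScope)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [byte[]]$Entropy = $null,
        [System.Security.Cryptography.DataProtectionScope]$ProtectionScope = 'CurrentUser'
    )
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $ProtectionScope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Test-DpapiBlob {
    # A DPAPI blob begins with the version DWORD 1 followed by the provider GUID
    # df9d8cd0-1501-11d1-8c7a-00c04fc297eb in its little-endian byte layout. Checking
    # for this prefix is how forensic tools spot DPAPI blobs inside files and registry values.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $sig = [byte[]](0x01,0x00,0x00,0x00,0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,
                    0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)
    if ($Blob.Length -lt $sig.Length) { return $false }
    for ($i = 0; $i -lt $sig.Length; $i++) {
        if ($Blob[$i] -ne $sig[$i]) { return $false }
    }
    return $true
}

# --- demonstration with constructed values ---
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')   # constructed secondary secret
$blob    = Protect-Secret -Plaintext 'db-password-example' -Entropy $entropy

"Blob is $($blob.Length) bytes; DPAPI signature present: $(Test-DpapiBlob $blob)"
"Round trip with correct entropy: $(Unprotect-Secret -Blob $blob -Entropy $entropy)"

# Wrong entropy: the derived key differs, the integrity check fails and Unprotect throws
# a CryptographicException instead of returning garbage.
try {
    Unprotect-Secret -Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong')) | Out-Null
    'Unexpected: decryption succeeded with wrong entropy'
} catch {
    "Wrong entropy rejected: $($_.Exception.GetBaseException().Message)"
}
```

The decryption failure is the point of the paragraph on key management: the blob on disk is useless without the user's logon-derived key, and, when entropy is supplied, without that second secret as well. Prefer the <code>CurrentUser</code> scope for per-user secrets; choose <code>LocalMachine</code> only for data that a service must read under an account different from the one that wrote it, and treat such a blob as readable by every local process.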
 
==References==