Content deleted Content added
m Minor description of the newest Windows 10 problem |
Line 7:
In 2010 [[Elie Bursztein]] and [[Jean-Michel Picod]] presented an analysis of the protocol titled ''Reversing DPAPI and Stealing Windows Secrets Offline'' at Black Hat DC 2010.<ref>{{cite web|url=https://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html|title=Black Hat ® Technical Security Conference: DC 2010 // Briefings|website=Blackhat.com|accessdate=14 October 2017}}</ref> In addition to their briefing, Bursztein and Picod released DPAPIck which allows offline decryption of data encrypted with DPAPI. In 2012 Passcape Software published in their blog more detailed article on DPAPI internal logic<ref>{{cite web|url=http://passcape.com/index.php?section=blog&cmd=details&id=20|title=Show blog article|website=Passcape.com|accessdate=14 October 2017}}</ref> and presented a tool<ref>{{cite web|url=http://passcape.com/windows_password_recovery_dpapi_decoder|title=DPAPI recovery|website=Passcape.com|accessdate=14 October 2017}}</ref> for fully offline DPAPI decryption and analysis. Unlike previous one, the tool utilizes some old Windows bugs (for example, you can decrypt Windows 2000 DPAPI blobs without knowing the owner logon password) and is fully compatible with Windows 8 DPAPI data structure. In Windows 8 Microsoft changed the way the DPAPI logic works. Now multiple user keys can be used to derive an encryption key to decrypt the user masterkey which is used then to decode a single DPAPI blob.
Windows 10 has a critical flaw in DPAPI implementation<ref>{{Cite web|url=https://www.passcape.com/index.php?setLang=2§ion=blog&cmd=details&id=38|title=DPAPI security flaw in Windows 10
==Security properties==
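Review bot: The sentence added at the end of this hunk, "Windows 10 has a critical flaw in DPAPI implementation", asserts a critical flaw in the article's own voice without saying what the flaw is, what it exposes, or whether it has been fixed. Its only support is a Passcape blog post, the same vendor whose DPAPI decryption tool is cited in the paragraph above. Suggest attributing the claim to Passcape, summarising the reported issue in one sentence, and adding an independent source if one exists. In the citation, the URL reads "setLang=2§ion=blog", which looks like "&section" mangled by an entity conversion, so the link will not resolve as written. In the lines shown, the {{Cite web template and the <ref> tag are also left unclosed, which would swallow the "==Security properties==" heading that follows.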