Content deleted Content added
Nsjlcuwdbcc (talk | contribs) m added hyperlinks |
m Task 18 (cosmetic): eval 8 templates: hyphenate params (8×); |
||
Line 1:
'''DPAPI (Data Protection Application Programming Interface)''' is a simple [[cryptography|cryptographic]] [[application programming interface]] available as a built-in component in [[Windows 2000]] and later versions of [[Microsoft Windows]] [[operating system]]s. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by [[Elie Bursztein|Bursztein]] et al.<ref>{{cite conference|last=Bursztein|first=Elie|last2=Picod|first2=Jean Michel|date=2010|title=Recovering Windows secrets and EFS certificates offline|
For nearly all [[Cryptosystem|cryptosystems]], one of the most difficult challenges is "key management" - in part, how to securely store the decryption key. If the key is stored in ''plain text'', then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's ___domain authentication secrets.
Line 8:
DPAPI doesn't store any persistent data for itself; instead, it simply receives [[plaintext]] and returns [[ciphertext]] (or vice versa).
DPAPI security relies upon the Windows operating system's ability to protect the Master Key and [[RSA (algorithm)|RSA]] private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. A main encryption/decryption key is derived from user's password by [[PBKDF2]] function.<ref>{{cite web|title=Windows Password Recovery - DPAPI Master Key analysis|url=http://www.passcape.com/windows_password_recovery_dpapi_master_key|website=Passcape.com|
Delegated access can be given to keys through the use of a [[COM+]] object. This enables [[Internet Information Services|IIS]] [[web servers]] to use DPAPI.
==Use of DPAPI by Microsoft software==
While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to use DPAPI. For example, [[Internet Explorer]] versions 4.0-6.0, [[Outlook Express]] and [[MSN Explorer]] used the older Protected Storage (PStore) API to store saved credentials such as passwords etc. [[Internet Explorer 7]] now protects stored user credentials using DPAPI.<ref>{{cite web | url=http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-one | title=Password Management Concerns with IE and Firefox, part one | author=Mikhael Felker | date=December 8, 2006 |
*Picture password, PIN and fingerprint in [[Windows 8]]
* [[Encrypting File System]] in Windows 2000 and later
* SQL Server [[Transparent Data Encryption]] (TDE) Service Master Key encryption<ref>{{cite web|url=https://msdn.microsoft.com/en-us/library/ms189586(v=sql.110).aspx|title=Encryption Hierarchy|website=Msdn.microsoft.com|
* [[Internet Explorer 7]], both in the standalone version available for [[Windows XP]] and in the integrated versions available in [[Windows Vista]] and [[Windows Server 2008]]
* [[Windows Mail]] and [[Windows Live Mail]]
Line 24:
* Windows [[Rights Management Services]] client v1.1 and later
* [[Windows 2000]] and later for [[Extensible Authentication Protocol#EAP-TLS|EAP/TLS]] ([[VPN]] authentication) and 802.1x ([[WiFi]] authentication)
* Windows XP and later for Stored User Names and Passwords<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/bb457059.aspx|title=What's New in Security for Windows XP Professional and Windows XP Home Edition|website=Technet.microsoft.com|
* [[.NET Framework]] 2.0 and later for System.Security.Cryptography.ProtectedData<ref>{{cite web|url=http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx|title=ProtectedData Class (System.Security.Cryptography)|website=Msdn2.microsoft.com|
* Microsoft.Owin (Katana) authentication by default when self hosting (including cookie authentication and OAuth tokens)<ref>{{cite web|title=CookieAuthenticationOptions.TicketDataFormat Property (Microsoft.Owin.Security.Cookies)|url=http://msdn.microsoft.com/en-us/library/microsoft.owin.security.cookies.cookieauthenticationoptions.ticketdataformat(v=vs.113).aspx|
==References==
| |||