Data Protection API: Difference between revisions

RussBot (talk | contribs)
m Robot: disambiguate RSA
For nearly all cryptosystems, one of the most difficult challenges is "key management" - in part, how to securely store the decryption key. If the key is stored in ''plain text'', then any user who can read the key can decrypt the data. If the key is itself encrypted, another key is needed to protect it, and so on ad infinitum. DPAPI lets developers encrypt keys (or any small secret) with a symmetric key derived from the user's logon secrets, or, for system-scoped encryption, from secrets held by the local machine, so the application never has to store a wrapping key of its own.
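The two scopes described above, exercised through the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData. This is an added example, not code from the original article or from Microsoft; the plaintexts and the entropy string are constructed samples, and the offset of the master key GUID inside the blob (24) is an assumption taken from third-party reversing of the blob format, not from Microsoft documentation.

```powershell
# Added example, not part of the original article: using DPAPI through the .NET
# ProtectedData class (a wrapper over CryptProtectData / CryptUnprotectData).
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null   # optional secondary secret mixed into the key derivation
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][byte[]]$Blob,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $Blob, $Entropy, [System.Security.Cryptography.DataProtectionScope]$Scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Master key GUID embedded in every DPAPI blob. Assumed layout, as documented by
# third-party tools such as DPAPIck rather than by Microsoft: 4-byte version,
# 16-byte provider GUID, 4-byte master key version, then the 16-byte master key
# GUID at offset 24. This is the GUID-named file under %APPDATA%\Microsoft\Protect\{SID}.
function Get-DpapiMasterKeyGuid {
    param([Parameter(Mandatory)][byte[]]$Blob)
    [Guid]::new([byte[]]$Blob[24..39])
}

# Constructed sample inputs.
$entropy  = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')
$userBlob = Protect-Secret -PlainText 'db-password-example' -Scope CurrentUser -Entropy $entropy

"Blob: $($userBlob.Length) bytes, wrapped by master key $(Get-DpapiMasterKeyGuid $userBlob)"
"Decrypted: " + (Unprotect-Secret -Blob $userBlob -Scope CurrentUser -Entropy $entropy)

# Wrong entropy fails, as does running this under another account: the wrapping
# key is derived from this user's logon secret plus the entropy, nothing else.
try {
    Unprotect-Secret -Blob $userBlob -Scope CurrentUser -Entropy $null | Out-Null
    "Unexpected: decrypted without entropy"
} catch {
    "Unprotect without entropy failed as expected: $($_.Exception.Message)"
}

# LocalMachine scope derives the key from the machine's secret instead, so any
# account on this host (including an attacker who reaches SYSTEM) can decrypt
# it. Use it only for secrets that genuinely belong to the machine, not the user.
$machineBlob = Protect-Secret -PlainText 'service-token-example' -Scope LocalMachine
"Machine-scope decrypt: " + (Unprotect-Secret -Blob $machineBlob -Scope LocalMachine)
```

Entropy is not a substitute for the logon secret: it only adds a second factor that an attacker who has already obtained the user's master key must also recover, typically from the application's own binary or configuration.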
 
The [[DPAPI]] master keys used for encrypting the user's RSA keys are stored under "%USERPROFILE%\Application Data\Microsoft\Protect\{[[Security Identifier|SID]]}" on [[Windows XP]] or earlier, and under "%USERPROFILE%\AppData\Roaming\Microsoft\Protect\{[[Security Identifier|SID]]}" on [[Windows Vista]] or later, where {[[Security Identifier|SID]]} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys; it is usually 64 bytes of random data. Because that file, together with the user's password (or its hash), is enough to decrypt every blob the user has protected, it is a primary target for offline attacks and should be readable only by the owner.
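A quick inspection of the current user's master key store at the Vista-and-later path above, as an added example (not from the original article). It lists the GUID-named master key files and checks their ACL; the 24-byte layout assumed for the "Preferred" file (16-byte GUID of the active master key followed by an 8-byte FILETIME) comes from third-party reversing such as DPAPIck, not from Microsoft documentation, and is an assumption.

```powershell
# Added example, not part of the original article: inspect the current user's
# DPAPI master key store under %APPDATA%\Microsoft\Protect\{SID} (Vista and later).
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"

if (-not (Test-Path $protectDir)) { throw "No DPAPI store for $sid at $protectDir" }

# Master key files are named by GUID and carry hidden+system attributes, hence -Force.
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$masterKeys  = Get-ChildItem -Path $protectDir -Force -File |
    Where-Object { $_.Name -match $guidPattern }

"User SID: $sid"
"Store:    $protectDir"
foreach ($f in $masterKeys) {
    "  master key {0}  {1,6} bytes  modified {2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc
}

# 'Preferred' names the master key used for new blobs. Assumed layout (from
# third-party reversing, e.g. DPAPIck): 16-byte GUID + 8-byte FILETIME expiry.
$preferredPath = Join-Path $protectDir 'Preferred'
if (Test-Path $preferredPath) {
    $raw         = [System.IO.File]::ReadAllBytes($preferredPath)
    $currentGuid = [Guid]::new([byte[]]$raw[0..15])
    $expires     = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 16))
    "Preferred master key: $currentGuid (rotates after $($expires.ToString('u')))"
}

# Only the owning user and SYSTEM should be able to read this directory. Any
# other principal with Read access is a finding: the master key file plus the
# user's password is enough to decrypt all of that user's DPAPI blobs offline.
$acl = Get-Acl -Path $protectDir
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it as the user whose store you want to inspect; the SID-named directory belongs to that user, and reading another user's store requires administrative rights (and would itself be the kind of access the ACL check is meant to flag).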
 
Although the [[DPAPI]] internals are largely undocumented by Microsoft, [[Elie Bursztein]] and [[Jean-Michel Picod]] presented an analysis of the protocol titled ''Reversing DPAPI and Stealing Windows Secrets Offline'' at [http://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html Black Hat DC 2010]. Alongside their briefing, Bursztein and Picod released [http://www.dpapick.com DPAPIck], a tool that allows offline decryption of data encrypted with [[DPAPI]].