Data Protection API: Difference between revisions

Word order
Convert inline external links to (bare) refs
The DPAPI keys used for encrypting the user's RSA keys are stored in the <code>%APPDATA%\Microsoft\Protect\{SID}</code> directory, where {SID} is the [[Security Identifier]] of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It is usually 64 bytes of random data.
 
In 2010 [[Elie Bursztein]] and [[Jean-Michel Picod]] presented an analysis of the protocol titled ''Reversing DPAPI and Stealing Windows Secrets Offline'' at Black Hat DC 2010.<ref>https://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html Black Hat DC 2010</ref> In addition to their briefing, Bursztein and Picod released [http://www.dpapick.com DPAPIck], which allows offline decryption of data encrypted with DPAPI. In 2012 Passcape Software published in their blog a more detailed article on DPAPI internal logic<ref>http://passcape.com/index.php?section=blog&cmd=details&id=20 DPAPI internal logic</ref> and presented a tool<ref>http://passcape.com/windows_password_recovery_dpapi_decoder a tool</ref> for fully offline DPAPI decryption and analysis. Unlike the previous one, the tool utilizes some old Windows bugs (for example, Windows 2000 DPAPI blobs can be decrypted without knowing the owner's logon password) and is fully compatible with the Windows 8 DPAPI data structure. In Windows 8 Microsoft changed the way the DPAPI logic works: multiple user keys can now be used to derive an encryption key that decrypts the user master key, which is then used to decrypt a single DPAPI blob.
 
==Security properties==
 
==Use of DPAPI by Microsoft software==
While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to DPAPI. For example, [[Internet Explorer]] versions 4.0-6.0, [[Outlook Express]] and [[MSN Explorer]] used the older Protected Storage (PStore) API to store saved credentials such as passwords. [[Internet Explorer 7]] now protects stored user credentials using DPAPI.<ref>{{cite web | url=http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-one | title=Password Management Concerns with IE and Firefox, part one | author=Mikhael Felker | date=December 8, 2006 | accessdate=2010-03-28 | publisher=[[SecurityFocus.com]], [[Symantec.com]]}}</ref>
 
* Picture password, PIN and fingerprint in [[Windows 8]]
* Windows [[Rights Management Services]] client v1.1 and later
* [[Windows 2000]] and later for [[Extensible Authentication Protocol#EAP-TLS|EAP/TLS]] ([[VPN]] authentication) and 802.1x ([[WiFi]] authentication)
* Windows XP and later for Stored User Names and Passwords<ref>http://technet.microsoft.com/en-us/library/bb457059.aspx Stored User Names and Passwords</ref> (aka Credential Manager)
* [[.NET Framework]] 2.0 and later for System.Security.Cryptography.ProtectedData<ref>http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx System.Security.Cryptography.ProtectedData</ref>
* Microsoft.Owin (Katana) cookie authentication (when self-hosting)<ref>{{cite web|title=CookieAuthenticationOptions.TicketDataFormat Property (Microsoft.Owin.Security.Cookies)|url=http://msdn.microsoft.com/en-us/library/microsoft.owin.security.cookies.cookieauthenticationoptions.ticketdataformat(v=vs.113).aspx|accessdate=2015-01-15}}</ref>
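The following is an added example, not part of the article or of any of the tools it cites: it uses the .NET ProtectedData wrapper listed above to round-trip a secret through DPAPI in the CurrentUser scope, and first lists the per-user master key folder under <code>%APPDATA%\Microsoft\Protect\{SID}</code> described earlier. It assumes Windows PowerShell 5.1 on a domain or local account; the secret and entropy strings are constructed sample values.

```powershell
# Added example (not from the article). DPAPI round trip through the
# System.Security.Cryptography.ProtectedData wrapper, plus a look at the
# master key folder the article describes. Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# 1. Locate this user's master key folder: %APPDATA%\Microsoft\Protect\{SID}
$sid        = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$protectDir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
# Master key files are hidden and named by GUID, so -Force is needed to see them.
Get-ChildItem -Path $protectDir -Force |
    Where-Object { $_.Name -match '^[0-9a-f-]{36}$' } |
    Select-Object Name, Length, LastWriteTime

# 2. Protect a secret under the CurrentUser scope with additional entropy.
#    The entropy is a second, caller-supplied secret: Unprotect fails without
#    the same bytes even for the same user, so keep it separate from the blob.
$secret  = [Text.Encoding]::UTF8.GetBytes('example-token-value')   # constructed sample
$entropy = [Text.Encoding]::UTF8.GetBytes('app-specific-entropy')  # constructed sample
$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob    = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# 3. Unprotect with the matching entropy recovers the plaintext ...
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
[Text.Encoding]::UTF8.GetString($plain)

# ... and with different entropy DPAPI raises CryptographicException.
# Treat that exception as a hard failure (tampered blob, wrong entropy,
# or blob moved to another user or machine), never as an empty secret.
try {
    $wrong = [Text.Encoding]::UTF8.GetBytes('wrong-entropy')  # constructed sample
    $null  = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $wrong, $scope)
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect failed as expected: $($_.Exception.Message)"
}
```

The blob produced in step 2 can only be decrypted by the same user (or, with the LocalMachine scope, any process on the same machine), which is the property the applications listed above rely on.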