RE: Cached Domain Password on Notebook, secure?

From: Alan Ramsbottom (alancr@ntlworld.com)
Date: 02/20/02


From: "Alan Ramsbottom" <alancr@ntlworld.com>
To: "Varga Daniel (QI/RZS4) *" <Daniel.Varga@de.bosch.com>, "'Laura A. Robinson'" <larobins@bellatlantic.net>, <focus-ms@securityfocus.com>
Date: Wed, 20 Feb 2002 18:03:56 -0000


> From: Varga Daniel (QI/RZS4) * [mailto:Daniel.Varga@de.bosch.com]

> An MS-Engineer assured me that it would be incredibly hard for an
> attacker to get these keys

Hmm.. it depends on a lot of things, not least what you're running. It's way
overdue, but there's now a useful overview of the DPAPI used for storing
private key blobs on WinXP here (URL will wrap):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

A lot of that still applies to Win2K, but if you have that OS then please
don't overlook this part:

 "One feature we do not discuss is that DPAPI can be configured to operate
with a Windows 2000 server in a legacy mode. In this mode, it is possible to
backup the MasterKeys under a local LSA secret. The MasterKeys, along with
the LSA, and any protected data can then be stolen by an adversary and
decrypted at will. For this to occur, however, an Administrator must modify
the registry to configure DPAPI for this legacy mode."

Perhaps someone knows different, but I've long assumed these backup
MasterKeys (used to automagically recover from certain password reset
events) are why that old chntpw/EFS attack worked.

-Alan-
