Re: DPAPI protection credentials used with smartcard logons
From: Alon Bar-Lev (alon_at_xor-t.com)
Date: 05/27/04
- Next message: Roelof: "Re: Filecertstore private key"
- Previous message: Alon Bar-Lev: "Re: How to renew a certificate programmicaly"
- In reply to: John Banes [MS]: "Re: DPAPI protection credentials used with smartcard logons"
- Next in thread: Amit Rahul [MS]: "Re: DPAPI protection credentials used with smartcard logons"
- Reply: Amit Rahul [MS]: "Re: DPAPI protection credentials used with smartcard logons"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 May 2004 13:56:03 +0200
Hello,
I want to add one more question...
If that is the case, how often is this derivation changed?
In the case of a password, every time the user changes his password, the
DPAPI refreshes.
Should we understand that in an environment where only smartcards are being
used, this secret is never changed?
This question also refers to Kerberos ticket decryption... As I
understand it, it works the same.
Best Regards,
Alon Bar-Lev
"John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
news:egYwKj2QEHA.3732@TK2MSFTNGP11.phx.gbl...
> DPAPI doesn't special-case the smartcard case. It encrypts user data with a
> derivation of the user password (the NTOWF) in the same way, regardless of
> whether the user logged on with a password or with a smartcard.
>
> When a user logs on with a smartcard, the NTOWF value is obtained from the
> user's domain controller as part of the Kerberos authentication, and stored
> in the user's logon session. When a user logs on with a password, the NTOWF
> is computed directly from the entered password.
>
> Regards,
> John Banes
> [Microsoft Security Developer]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send email directly to this alias. This alias is for newsgroup
> purposes only.
>
> "Lars Olaussen" <Isolauss@hotmail.com> wrote in message
> news:e6%236F0xQEHA.1392@TK2MSFTNGP09.phx.gbl...
> > Cut from the Windows Data Protection document on MSDN:
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
> >
> > ----
> > Keys and Passwords in DPAPI
> > DPAPI is focused on providing data protection for users. Since it
> > requires a password to provide protection, the logical step is for DPAPI
> > to use a user's logon password, which it does, in a way. DPAPI actually
> > uses the user's logon credential. In a typical system, in which the user
> > logs on with a password, the logon credential is simply a hash of the
> > user's password. In a system in which the user logs on with a smart
> > card, however, the credential would be different. To keep matters
> > simple, we'll use the terms user password, logon password, or just
> > password to refer to this credential.
> > ---
> >
> > When using smartcards for logon, what credentials are used to provide
> > the DPAPI protection? Would this be some sort of derived hash based on
> > the Kerberos ticket?
> >
> >
> > Regards,
> > Lars Olaussen
> > Isolauss@hotmail.com
> >
> >
>
>
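The concern raised in the message above, that a smartcard-only user's NTOWF (and so the secret DPAPI derives its protection from) only changes when the account password changes, can be audited from the directory side. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that the caller can read user attributes, and a 365-day threshold chosen purely for illustration.

```powershell
# Added example (not from the thread): list enabled accounts that require a
# smart card for interactive logon and whose password, and therefore the
# NTOWF that DPAPI derives from, has not been set for longer than a threshold.
# Assumes the RSAT ActiveDirectory module; the threshold is an example value.
Import-Module ActiveDirectory

function Get-StaleSmartcardSecret {
    param(
        [int]$MaxAgeDays = 365,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)

    # PasswordLastSet is not returned by default, so request it explicitly.
    Get-ADUser -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
               -SearchBase $SearchBase `
               -Properties PasswordLastSet, SmartcardLogonRequired |
        ForEach-Object {
            $lastSet = $_.PasswordLastSet
            # A null PasswordLastSet means the attribute was never populated;
            # treat that as "never rotated" and report it as well.
            if (-not $lastSet -or $lastSet -lt $cutoff) {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $lastSet
                    AgeDays         = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }
                }
            }
        }
}

# Report the affected accounts, oldest secret first.
Get-StaleSmartcardSecret -MaxAgeDays 365 |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Accounts on the report keep the same DPAPI-protecting secret for as long as shown, so rotating their passwords (even though the users never type them) is what refreshes it.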