Re: DPAPI protection credentials used with smartcard logons
From: Alon Bar-Lev (alon_at_xor-t.com)
Date: 05/28/04
- Previous message: Paolo: "Re: Cryptoapi Add Signature CryptMsgControl (CMSG_CTRL_ADD_SIGNER) Windows 98"
- In reply to: Amit Rahul [MS]: "Re: DPAPI protection credentials used with smartcard logons"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 May 2004 12:30:40 +0200
Thank you Amit,
Some more questions...
Can I control the interval of the change in the master key? For example, can
I configure the DC to issue a new key once a week?
What happens if I have a smartcard-only environment with DPAPI resources at
two workstations, I use workstation A for 2*interval, then log on to
workstation B: will I be able to use DPAPI resources at workstation B? How
can it get the old-old master key to decrypt resources?
Best Regards,
Alon Bar-Lev.
"Amit Rahul [MS]" <arahul@online.microsoft.com> wrote in message
news:uXJDyxEREHA.132@TK2MSFTNGP09.phx.gbl...
> DPAPI actually uses a symmetric key derived from Master Key for
> encryption/decryption. This Master Key gets refreshed at a certain interval of
> time (typically 3 months), though we do store the old encrypted master keys
> as well for retrieving data encrypted with those. When the user changes password,
> DPAPI refreshes in the sense that the master keys are re-encrypted with the
> new credentials. If you don't change the password (smartcard-only
> environment) you will still get new master keys after those intervals of
> time.
>
>
> --
> Thanks,
> Amit Rahul [MS]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Alon Bar-Lev" <alon@xor-t.com> wrote in message
> news:OesDVi9QEHA.3300@TK2MSFTNGP09.phx.gbl...
> > Hello,
> >
> > I want to add one more question...
> > If that is the case, how often is this derivation changed?
> > In the case of a password, every time the user changes his password, the
> > DPAPI refreshes.
> > Should we understand that in an environment where only smartcards are being
> > used, this secret is never changed?
> >
> > This question is referring also to Kerberos tickets decryption... As I
> > understand it works the same.
> >
> > Best Regards,
> > Alon Bar-Lev
> >
> > "John Banes [MS]" <jbanes@online.microsoft.com> wrote in message
> > news:egYwKj2QEHA.3732@TK2MSFTNGP11.phx.gbl...
> > > DPAPI doesn't special-case the smartcard case. It encrypts user data with a
> > > derivation of the user password (the NTOWF) in the same way, regardless of
> > > whether the user logged on with a password or with a smartcard.
> > >
> > > When a user logs on with a smartcard, the NTOWF value is obtained from the
> > > user's domain controller as part of the Kerberos authentication, and stored
> > > in the user's logon session. When a user logs on with a password, the NTOWF
> > > is computed directly from the entered password.
> > >
> > > Regards,
> > > John Banes
> > > [Microsoft Security Developer]
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Please do not send email directly to this alias. This alias is for newsgroup
> > > purposes only.
> > >
> > > "Lars Olaussen" <Isolauss@hotmail.com> wrote in message
> > > news:e6%236F0xQEHA.1392@TK2MSFTNGP09.phx.gbl...
> > > > Cut from the Windows Data Protection document on MSDN:
> > > >
> > > > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
> > > >
> > > > ----
> > > > Keys and Passwords in DPAPI
> > > > DPAPI is focused on providing data protection for users. Since it
> > > > requires a password to provide protection, the logical step is for DPAPI
> > > > to use a user's logon password, which it does, in a way. DPAPI actually
> > > > uses the user's logon credential. In a typical system, in which the user
> > > > logs on with a password, the logon credential is simply a hash of the
> > > > user's password. In a system in which the user logs on with a smart
> > > > card, however, the credential would be different. To keep matters
> > > > simple, we'll use the terms user password, logon password, or just
> > > > password to refer to this credential.
> > > > ---
> > > >
> > > > When using smartcards for logon, what credentials are used to provide
> > > > the DPAPI protection? Would this be some sort of derived hash based on
> > > > the Kerberos ticket?
> > > >
> > > >
> > > > Regards,
> > > > Lars Olaussen
> > > > Isolauss@hotmail.com
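The master-key lifecycle Amit describes (a fresh master key at each interval, the old encrypted master keys retained so older data stays readable, and all of them re-encrypted when the credential changes) and the two-workstation question Alon raises can be modelled in a short script. The following is an added example, not code from this thread or from Microsoft: the cipher, key derivation, GUID format and key-store layout are constructed stand-ins for illustration, not DPAPI's real formats, and the NTOWF credential values are constructed byte strings.

```python
"""Conceptual model of the DPAPI master-key scheme described in the thread.
Constructed example: the cipher, key derivation and store layout are illustrative
stand-ins, not Microsoft's actual DPAPI algorithms or on-disk formats."""
import hashlib
import hmac
import secrets

MASTER_KEY_LEN = 64  # constructed value; the model only needs a long random secret


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over data."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on a wrong key or tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential/master key mismatch or corrupted blob")
    return _keystream_xor(enc_key, nonce, ct)


def credential_key(ntowf: bytes) -> bytes:
    """Key wrapping the master keys, derived from the logon credential (the NTOWF)."""
    return hmac.new(ntowf, b"master-key-wrap", hashlib.sha256).digest()


class UserProfile:
    """Per-user store: every master key ever issued, each sealed under the credential key."""

    def __init__(self, ntowf: bytes):
        self.wrapped = {}    # master key GUID -> master key sealed under credential key
        self.current = None  # GUID used for new protect() calls
        self.rotate(ntowf)

    def rotate(self, ntowf: bytes) -> str:
        """Interval elapsed: issue a fresh master key, keep the old ones."""
        guid = secrets.token_hex(16)
        self.wrapped[guid] = seal(credential_key(ntowf), secrets.token_bytes(MASTER_KEY_LEN))
        self.current = guid
        return guid

    def change_credential(self, old_ntowf: bytes, new_ntowf: bytes) -> None:
        """Password change: re-wrap every master key; the keys themselves are unchanged."""
        old_key, new_key = credential_key(old_ntowf), credential_key(new_ntowf)
        self.wrapped = {g: seal(new_key, unseal(old_key, w)) for g, w in self.wrapped.items()}

    def _master_key(self, guid: str, ntowf: bytes) -> bytes:
        if guid not in self.wrapped:
            raise KeyError(f"master key {guid} is not present on this machine")
        return unseal(credential_key(ntowf), self.wrapped[guid])

    def protect(self, ntowf: bytes, data: bytes) -> bytes:
        """Blob = 32-char GUID || data sealed under a key derived from that master key."""
        data_key = hmac.new(self._master_key(self.current, ntowf), b"data-key", hashlib.sha256).digest()
        return self.current.encode() + seal(data_key, data)

    def unprotect(self, ntowf: bytes, blob: bytes) -> bytes:
        guid, body = blob[:32].decode(), blob[32:]
        data_key = hmac.new(self._master_key(guid, ntowf), b"data-key", hashlib.sha256).digest()
        return unseal(data_key, body)


def demo() -> dict:
    """Walk through the scenarios raised in the thread (constructed credentials)."""
    ntowf_v1, ntowf_v2 = b"constructed-credential-1", b"constructed-credential-2"
    profile = UserProfile(ntowf_v1)
    snapshot_b = dict(profile.wrapped)  # the only master key workstation B ever received
    old_blob = profile.protect(ntowf_v1, b"secret saved before any rotation")
    profile.rotate(ntowf_v1)  # first interval elapses on workstation A
    profile.rotate(ntowf_v1)  # second interval elapses
    new_blob = profile.protect(ntowf_v1, b"secret saved under the newest key")
    r = {"old_blob_after_rotation": profile.unprotect(ntowf_v1, old_blob)}

    # Workstation B holds only the pre-rotation master key: old data yes, new data no.
    other = UserProfile(ntowf_v1)
    other.wrapped = dict(snapshot_b)
    r["stale_machine_reads_old_blob"] = other.unprotect(ntowf_v1, old_blob)
    try:
        other.unprotect(ntowf_v1, new_blob)
        r["stale_machine_reads_new_blob"] = True
    except KeyError:
        r["stale_machine_reads_new_blob"] = False

    # Credential change re-wraps the master keys; old blobs open with the new credential only.
    profile.change_credential(ntowf_v1, ntowf_v2)
    r["old_blob_after_password_change"] = profile.unprotect(ntowf_v2, old_blob)
    try:
        profile.unprotect(ntowf_v1, old_blob)
        r["old_credential_still_works"] = True
    except ValueError:
        r["old_credential_still_works"] = False
    return r


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that a blob is tied to the master key GUID it was sealed under, not to the credential: rotation and password changes never break old data as long as the wrapped master key with that GUID is still in the user's store, and a machine that lacks that wrapped key cannot decrypt regardless of the credential it holds.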