How does DPAPI decrypt the protected data when the master key is deleted from the machine?
- From: brijesh mishra <mishra.brijesh@xxxxxxxxx>
- Date: Thu, 23 Aug 2007 21:37:55 -0000
I wonder how DPAPI finds the master key when you delete or rename the
%USERPROFILE%\Application Data\Microsoft\Protect folder.
The master key is stored in the user's profile along with the Credential
History file in the %USERPROFILE%\Application Data\Microsoft\Protect
folder. CredHist is located at the root of this folder and the master
key inside a subfolder named after the user's SID.
After renaming or deleting this Protect folder, the CryptUnprotectData
method still decrypts your blob.
HOW IS THIS POSSIBLE? FROM WHERE IS THE MASTER KEY RETRIEVED for
decryption?
Also, since the Credential History is encrypted with the password and
contains the old passwords, it ought to be a big security hole in the
DPAPI implementation unless the documentation is stating something that
is not TRUE.
The DPAPI documentation says: "the system keeps a 'Credential History' file
in the user's profile directory. When a user changes his or her
password, the old password is added to the top of this file and then
the file is encrypted by the new password. If necessary, DPAPI will
use the current password to decrypt the 'Credential History' file and
try the old password to decrypt the MasterKey. If this fails, the old
password is used to again decrypt the 'Credential History' file and
the next previous password is then tried. This continues until the
MasterKey is successfully decrypted."
This means I simply have to hack into either the SAM DB or the password
cache and I will be able to breach the MASTER key security.
Hello experts, can you please explain my concerns?
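The chain walk quoted from the DPAPI documentation, modelled as an added Python example (not code from the original post, and not Microsoft's implementation): the master key stays sealed under an old password, each password change pushes the old password onto a history sealed under the new one, and recovery walks back from the current password until one unlocks the master key. The sealing scheme, salts and sample passwords are constructed stand-ins and do not reflect the real CredHist file format.

```python
import hashlib, hmac, os
# Toy model of the documented CredHist chain walk. The sealing scheme (PBKDF2 +
# HMAC-SHA256 keystream + MAC) is a stand-in, NOT the real DPAPI/CredHist format.
def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), salt, 10_000, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC; the tag lets unseal() detect a wrong password
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    # returns the plaintext, or None when the key (i.e. the password) is wrong
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def change_password(history: list, old_pw: str, new_pw: str) -> list:
    # the old password is added to the top of the history, sealed under the new one
    salt = os.urandom(16)
    return [(salt, seal(derive_key(new_pw, salt), old_pw.encode()))] + history

def recover_master_key(pw: str, history: list, mk_salt: bytes, mk_blob: bytes):
    # try each password on the master key; on failure unlock the next older one
    for salt, entry in history:
        mk = unseal(derive_key(pw, mk_salt), mk_blob)
        if mk is not None:
            return mk, pw
        older = unseal(derive_key(pw, salt), entry)
        if older is None:
            return None, None             # wrong current password: chain stays sealed
        pw = older.decode()
    mk = unseal(derive_key(pw, mk_salt), mk_blob)   # last resort: oldest password
    return (mk, pw) if mk is not None else (None, None)

def demo(current_pw: str = "Summer2007"):
    # constructed sample: two password changes, master key still under the first password
    passwords = ["Winter2005", "Spring2006", "Summer2007"]
    master_key, mk_salt = os.urandom(64), os.urandom(16)
    mk_blob = seal(derive_key(passwords[0], mk_salt), master_key)
    history = change_password([], passwords[0], passwords[1])
    history = change_password(history, passwords[1], passwords[2])
    mk, used = recover_master_key(current_pw, history, mk_salt, mk_blob)
    return mk == master_key, used
```

`demo()` returns `(True, "Winter2005")`: the current password alone reaches a master key sealed two password changes ago, which is exactly the exposure the post describes, while `demo("Autumn2007")` returns `(False, None)` because a wrong current password cannot open the first link of the chain.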