Re: CryptAcquireContext with CRYPT_NEWKEYSET return Access Denied



You're right. I managed to write a test to know if DPAPI works or not.

See reference for the code.
In ms provider, it works while in my custom authentication package, it
didn't.
So I implemented the full LsaApLogonUserEx2 and found that populating
the PSECPKG_PRIMARY_CRED struct
allows DPAPI to work again.

But I've another problem.
Without feeding the password field, if I create a certificate with
private key with MS authentication package(1),
I can export it.
If I do the same with my custom authentication package(2), I can
create and export another private key.
But I can't export the private key (created with 2) being logged on with
(1) (2->1) and I can't do the reverse (1->2).
It's like I have two different accounts on the same computer!

Feeding the password field with my password in clear text makes them
work. But I didn't write an authentication package
to still use my password!
I've tried a workaround: breaking into the SAM, getting the NT hash
and using the PRIMARY_CRED_OWF_PASSWORD flag.
But LSA crashes.
As seen in kernel debugger, msv1_0 returns my clear password with the
flag PRIMARY_CRED_CLEAR_PASSWORD.

Is there any way to make my custom authentication package work?
Does anybody know a way to update the DPAPI master key?
(I've seen the flag CRYPTPROTECT_CRED_SYNC)
I've read in a post that when MS does smart card logon (and password
logon is still allowed), the DPAPI master key is stored on
the disk encrypted with the certificate public key.
Any idea?

Thanks in advance for your comments

Regards,
Vincent Le Toux

=================================================================
#include <windows.h>
#include <wincrypt.h>
#include <tchar.h>
#include <string.h>
#pragma comment(lib, "crypt32.lib")

/* Minimal DPAPI check: CryptProtectData only succeeds when the current
   logon session can reach the user's DPAPI master key. */
void TestDpapi(void)
{
    DATA_BLOB DataIn;
    DATA_BLOB DataOut;
    BYTE *pbDataInput = (BYTE *)"Hello world of data protection.";
    DWORD cbDataInput = (DWORD)strlen((char *)pbDataInput) + 1;
    DataIn.pbData = pbDataInput;
    DataIn.cbData = cbDataInput;

    if (CryptProtectData(&DataIn, L"This is the description string.",
                         NULL, NULL, NULL, 0, &DataOut))
    {
        MessageBox(0, _T("Works"), _T("Encryption"), 0);
        LocalFree(DataOut.pbData);  /* output blob is allocated with LocalAlloc */
    }
    else
    {
        MessageBox(0, _T("Don't Works"), _T("Encryption"), 0);
    }
}
=================================================================

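An added diagnostic, not part of the original post, that extends the test above: it round-trips DPAPI in both CurrentUser and LocalMachine scope and prints the session's user SID, so a failure can be attributed to a missing user master key (user scope fails while machine scope works) rather than to DPAPI as a whole. The test string is constructed for this example.

```powershell
# Added example: DPAPI round-trip per scope, to tell a user master-key problem
# apart from a generic DPAPI failure. Run once per authentication package.
Add-Type -AssemblyName System.Security

function Test-DpapiScope {
    param([System.Security.Cryptography.DataProtectionScope]$Scope)
    $plain   = [Text.Encoding]::UTF8.GetBytes("Hello world of data protection.")  # constructed input
    $entropy = $null  # no optional entropy for this check
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $Scope)
        $back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $Scope)
        $ok   = [Text.Encoding]::UTF8.GetString($back) -eq "Hello world of data protection."
        [pscustomobject]@{ Scope = $Scope; Works = $ok; Error = $null }
    } catch {
        [pscustomobject]@{ Scope = $Scope; Works = $false; Error = $_.Exception.Message }
    }
}

# The user master key is bound to the logon SID; print it to compare sessions
# created by different authentication packages.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "Logon SID: $sid"

$user    = Test-DpapiScope -Scope CurrentUser
$machine = Test-DpapiScope -Scope LocalMachine
$user, $machine | Format-Table -AutoSize

if (-not $user.Works -and $machine.Works) {
    Write-Host "Machine scope works but user scope fails: this logon session has no usable user master key."
} elseif (-not $machine.Works) {
    Write-Host "DPAPI fails in both scopes: the problem is not limited to the user master key."
}
```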

