Data Protection API

DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

For nearly all cryptosystems, one of the most difficult challenges is "key management" - in part, how to securely store the decryption key. If the key is stored in plain text, then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets.

The DPAPI keys used for encrypting the user's RSA keys are stored under %APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 64 bytes of random data.

In 2010 Elie Bursztein and Jean-Michel Picod presented an analysis of the protocol titled Reversing DPAPI and Stealing Windows Secrets Offline at Black Hat DC 2010. In addition to their briefing, Bursztein and Picod released DPAPIck which allows offline decryption of data encrypted with DPAPI. In 2012 Passcape Software published in their blog more detailed article on DPAPI internal logic and presented a tool for fully offline DPAPI decryption and analysis. Unlike previous one, the tool utilizes some old Windows bugs (for example, you can decrypt Windows 2000 DPAPI blobs without knowing the owner logon password) and is fully compatible with Windows 8 DPAPI data structure. In Windows 8 Microsoft changed the way the DPAPI logic works. Now multiple user keys can be used to derive an encryption key to decrypt the user masterkey which is used then to decode a single DPAPI blob.

Security properties

DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or vice versa).

DPAPI security relies upon the Windows operating system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. A main encryption/decryption key is derived from user's password by PBKDF2 function.^[1] Particular data binary large objects can be encrypted in a way that salt is added and/or an external user-prompted password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option - i.e. under the control of the application developer - and is not controllable by the end user or system administrator.

Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.

Use of DPAPI by Microsoft software

While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to use DPAPI. For example, Internet Explorer versions 4.0-6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords etc. Internet Explorer 7 now protects stored user credentials using DPAPI.^[2]

Picture password, PIN and fingerprint in Windows 8
Encrypting File System in Windows 2000 and later
SQL Server Transparent Data Encryption (TDE) Service Master Key encryption^[3]
Internet Explorer 7, both in the standalone version available for Windows XP and in the integrated versions available in Windows Vista and Windows Server 2008
Windows Mail and Windows Live Mail
Outlook for S/MIME
Internet Information Services for SSL/TLS
Windows Rights Management Services client v1.1 and later
Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x (WiFi authentication)
Windows XP and later for Stored User Names and Passwords (aka Credential Manager)
.NET Framework 2.0 and later for System.Security.Cryptography.ProtectedData
Microsoft.Owin (Katana) cookie authentication (when self hosting)^[4]

References

↑ "Windows Password Recovery - DPAPI Master Key analysis". Retrieved 2013-05-06.
↑ Mikhael Felker (December 8, 2006). "Password Management Concerns with IE and Firefox, part one". SecurityFocus.com, Symantec.com. Retrieved 2010-03-28.
↑ https://msdn.microsoft.com/en-us/library/ms189586(v=sql.110).aspx
↑ "CookieAuthenticationOptions.TicketDataFormat Property (Microsoft.Owin.Security.Cookies)". Retrieved 2015-01-15.

External links

Microsoft APIs and frameworks

Graphics	Desktop Window Manager Direct2D Direct3D D3D (extensions) GDI / GDI+ WPF Silverlight WinRT XAML Windows Color System Windows Image Acquisition Windows Imaging Component DirectX Graphics Infrastructure (DXGI) Windows Advanced Rasterization Platform WinG

Audio	DirectMusic DirectSound DirectX plugin XACT Speech API XAudio2

Multimedia	DirectX Media Objects Video Acceleration Xinput DirectInput DirectShow Image Mastering API Managed DirectX Media Foundation XNA Windows Media Video for Windows

Web	MSHTML RSS Platform JScript VBScript BHO XDR SideBar Gadgets TypeScript

Data access	Data Access Components (MDAC) ADO ADO.NET ODBC OLE DB Extensible Storage Engine Entity Framework Sync Framework Jet Engine MSXML OPC

Networking	Winsock LSP Winsock Kernel Filtering Platform NDIS Windows Rally BITS P2P API MSMQ MS MPI DirectPlay

Communication	Messaging API Telephony API WCF

Administration and management	Win32 console Windows Script Host WMI (extensions) PowerShell Task Scheduler Offline Files Shadow Copy Windows Installer Error Reporting Event Log Common Log File System

Component model	COM COM+ ActiveX Distributed Component Object Model .NET Framework

Libraries	Framework Class Library Microsoft Foundation Classes (MFC) Active Template Library (ATL) Windows Template Library (WTL)

Device drivers	WDM WDF KMDF UMDF WDDM NDIS UAA BDA VxD

Security	Crypto API CAPICOM Windows CardSpace Data Protection API Security Support Provider Interface (SSPI)

.NET	ASP.NET ADO.NET Remoting Silverlight TPL WCF WCS WPF WF

Software factories	EFx Factory Enterprise Library Composite UI CCF CSF

IPC	MSRPC Dynamic Data Exchange (DDE) Remoting WCF

Accessibility	Active Accessibility UI Automation

Text and multilingual support	DirectWrite Text Services Framework Text Object Model Input method editor Language Interface Pack Multilingual User Interface Uniscribe

This article is issued from Wikipedia - version of the 10/1/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.