您的位置：首页 > 其它

不得不看：Windows Data Protection

2010-01-07 17:46 423 查看

WindowsDataProtectionNAILabs,NetworkAssociates,Inc.October2001Summary:ThisarticlediscusseshowtouseDataProtectionapplicationprogramminginterface(DPAPI)andhowDPAPIoperatesinMicrosoftWindowsXP.(18printedpages)

IntroductionDPAPIArchitectureUsingDPAPIDPAPISecurityContributorsReferences

Introduction

StartingwithMicrosoft®Windows®2000,theoperatingsystembegantoprovideadataprotectionapplication-programminginterface(API).ThisDataProtectionAPI(DPAPI)isapairoffunctioncallsthatprovideOS-leveldataprotectionservicestouserandsystemprocesses.ByOS-level,wemeanaservicethatisprovidedbytheoperatingsystemitselfanddoesnotrequireanyadditionallibraries.Bydataprotection,wemeanaservicethatprovidesconfidentialityofdatathroughencryption.SincethedataprotectionispartoftheOS,everyapplicationcannowsecuredatawithoutneedinganyspecificcryptographiccodeotherthanthenecessaryfunctioncallstoDPAPI.ThesecallsaretwosimplefunctionswithvariousoptionstomodifyDPAPIbehavior.Overall,DPAPIisaveryeasy-to-useservicethatwillbenefitdevelopersthatmustprovideprotectionforsensitiveapplicationdata,suchaspasswordsandprivatekeys.DPAPIisapassword-baseddataprotectionservice:itrequiresapasswordtoprovideprotection.Thedrawback,ofcourse,isthatallprotectionprovidedbyDPAPIrestsonthepasswordprovided.ThisisoffsetbyDPAPIusingprovencryptographicroutines,specificallythestrongTriple-DESalgorithm,andstrongkeys,whichwe'llcoverinmoredetaillater.SinceDPAPIisfocusedonprovidingprotectionforusersandrequiresapasswordtoprovidethisprotection,itlogicallyusestheuser'slogonpasswordforprotection.TofamiliarizeyouwithDPAPI,thisarticlewillfirstdiscusshowDPAPIworks,includinginteractionsbetweenapplications,DPAPI,andothersystemcomponents.ItwillalsodetailhowtouseDPAPI,specificallyforuserapplications.Finally,itwilldiscussthesecurityofDPAPI,payingparticularattentiontohowDPAPIgeneratesandusescryptographickeys.WhileDPAPIappearedinWindows2000,thisarticlewillonlydiscusshowtouseDPAPIandhowDPAPIoperatesinWindowsXP.

DPAPIArchitecture

ThepublicDPAPIinterfacesarepartofcrypt32.dllandareavailableforanyuserprocessthathasloadedit.ThisDLLispartofCryptoAPI;applicationdeveloperscanassumethatallWindowssystemshavethisDLLavailable.ApplicationseitherpassplaintextdatatoDPAPIandreceiveanopaqueprotecteddatablobback,orpasstheprotecteddatablobtoDPAPIandreceivetheplaintextdataback.Figure1,below,showsthesetwooperations.Figure1.DPAPIisasimpleAPITheprotecteddatablobisanopaquestructure,becauseinadditiontotheencrypteddata,italsocontainsdatatoallowDPAPItounprotectit.Beingopaque,applicationdevelopersdonotneedtoparseorunderstandtheformatatall.AnimportantpointtorememberisthatDPAPImerelyappliescryptographicprotectiontothedata.Itdoesnotstoreanyoftheprotecteddata;thereforeapplicationscallingDPAPImustimplementtheirownstorageoftheprotecteddata.WhenanapplicationcallsoneoftheDPAPIfunctions,thefunctionsmakealocalRPCcalltotheLocalSecurityAuthority(LSA).TheLSAisasystemprocessthatstartsonbootandrunsuntilthecomputerisshutdown.TheselocalRPCcallsnevertraversethenetwork,soalldataremainsonthelocalmachine.TheendpointsoftheseRPCcallsthencallDPAPIprivatefunctionstoprotectorunprotectthedata.ThesefunctionsthencallbackintoCryptoAPI,viacrypt32.dll,fortheactualencryptionordecryptionofthedatainthesecuritycontextoftheLSA.ThefunctionsruninthesecuritycontextoftheLSAsothatsecurityauditscanbegenerated.TheLSAalsocontainssystem-levelfunctionsforusingDPAPI.ThesefunctionsareavailabletoanythreadrunninginsidetheLSAandonlytothosethreads.ThisisbecausethefunctionsprovideadditionaloptionsforLSAthreads,specificallytoallowLSAthreadstoprotectuserdatathatcannotbeunprotectedbynon-LSAthreadsusingDPAPIsuchasuserapplications.

KeysandPasswordsinDPAPI

DPAPIisfocusedonprovidingdataprotectionforusers.Sinceitrequiresapasswordtoprovideprotection,thelogicalstepisforDPAPItouseauser'slogonpassword,whichitdoes,inaway.DPAPIactuallyusestheuser'slogoncredential.Inatypicalsystem,inwhichtheuserlogsonwithapassword,thelogoncredentialissimplyahashoftheuser'spassword.Inasysteminwhichtheuserlogsonwithasmartcard,however,thecredentialwouldbedifferent.Tokeepmatterssimple,we'llusethetermsuserpassword,logonpassword,orjustpasswordtorefertothiscredential.Asmalldrawbacktousingthelogonpasswordisthatallapplicationsrunningunderthesameusercanaccessanyprotecteddatathattheyknowabout.Ofcourse,sinceapplicationsmuststoretheirownprotecteddata,gainingaccesstothedatacouldbesomewhatdifficultforotherapplications,butcertainlynotimpossible.Tocounteractthis,DPAPIallowsanapplicationtouseanadditionalsecretwhenprotectingdata.Thisadditionalsecretisthenrequiredtounprotectthedata.Technically,this"secret"shouldbecalledsecondaryentropy.Itissecondary,because,whileitdoesn'tstrengthenthekeyusedtoencryptthedata,itdoesincreasethedifficultyofoneapplication,runningunderthesameuser,tocompromiseanotherapplication'sencryptionkey.Applicationsshouldbecarefulabouthowtheyuseandstorethisentropy.Ifitissimplysavedtoafile,unprotected,thenadversariescouldaccesstheentropyanduseittounprotectanapplication'sdata.AdditionallytheapplicationcanpassinadatastructurethatwillbeusedbyDPAPItoprompttheuser.This"promptstructure"allowstheusertospecifyanadditionalpasswordforthisparticulardata.WediscussthisstructurefurtherintheUsingDPAPIsection.DPAPIinitiallygeneratesastrongkeycalledaMasterKey,whichisprotectedbytheuser'spassword.DPAPIusesastandardcryptographicprocesscalledPassword-BasedKeyDerivation,describedinPKCS#5,togenerateakeyfromthepassword.Thispassword-derivedkeyisthenusedwithTriple-DEStoencrypttheMasterKey,whichisfinallystoredintheuser'sprofiledirectory.TheMasterKey,however,isnotusedexplicitlytoprotectthedata.Instead,asymmetricsessionkeyisgeneratedbasedontheMasterKey,somerandomdata,andanyadditionalentropy,ifanapplicationchoosestosupplyit.Itisthissessionkeythatisusedtoprotectthedata.Thesessionkeyisneverstored.Instead,DPAPIstorestherandomdataitusedtogeneratethekeyintheopaquedatablob.WhenthedatablobispassedbackintoDPAPI,therandomdataisusedtore-derivethekeyandunprotectthedata.Forsecurityreasons,MasterKeyswillexpire,whichmeansthatafteraperiodoftime,thehard-codedvaluebeingthreemonths,anewMasterKeyisgeneratedandprotectedinthesamemanner.ThisexpirationpreventsanattackerfromcompromisingasingleMasterKeyandaccessingallofauser'sprotecteddata.YouareprobablywonderinghowanapplicationcanunprotectdatathatwasprotectedunderaMasterKeythathasexpired,sincethesessionkeyisderivedfromtheMasterKey,right?Welltheanswerinvolvesatwo-stepprocess.First,DPAPIdoesnotdeleteanyexpiredMasterKeys.Insteadtheyarekeptforeverintheuser'sprofiledirectory,protectedbytheuser'spassword.Second,itstorestheGloballyUniqueIdentifier(GUID)oftheMasterKeyusedtoprotectthedataintheopaquedatablobthatisreturnedtoapplications.WhenthedatablobispassedbackintoDPAPI,theMasterKeycorrespondingtotheGUIDisusedtounprotectthedata.TheotherquestionyoumighthaveishowdoesDPAPIaccessMasterKeysafterauserchangeshisorherpassword?Theanswerisagainatwo-stepprocess.First,DPAPIhooksintothepassword-changingmoduleandwhenauser'spasswordischanged,allMasterKeysarere-encryptedunderthenewpassword.Second,thesystemkeepsa"CredentialHistory"fileintheuser'sprofiledirectory.Whenauserchangeshisorherpassword,theoldpasswordisaddedtothetopofthisfileandthenthefileisencryptedbythenewpassword.Ifnecessary,DPAPIwillusethecurrentpasswordtodecryptthe"CredentialHistory"fileandtrytheoldpasswordtodecrypttheMasterKey.Ifthisfails,theoldpasswordisusedtoagaindecryptthe"CredentialHistory"fileandthenextpreviouspasswordisthentried.ThiscontinuesuntiltheMasterKeyissuccessfullydecrypted.

KeyBackupandRestorationinDPAPI

Whenacomputerisamemberofadomain,DPAPIhasabackupmechanismtoallowunprotectionofthedata.WhenaMasterKeyisgenerated,DPAPItalkstoaDomainController.DomainControllershaveadomain-widepublic/privatekeypair,associatedsolelywithDPAPI.ThelocalDPAPIclientgetstheDomainControllerpublickeyfromaDomainControllerviaamutuallyauthenticatedandprivacyprotectedRPCcall.TheclientencryptstheMasterKeywiththeDomainControllerpublickey.ItthenstoresthisbackupMasterKeyalongwiththeMasterKeyprotectedbytheuser'spassword.Whileunprotectingdata,ifDPAPIcannotusetheMasterKeyprotectedbytheuser'spassword,itsendsthebackupMasterKeytoaDomainControllerviaamutuallyauthenticatedandprivacyprotectedRPCcall.TheDomainControllerthendecryptstheMasterKeywithitsprivatekeyandsendsitbacktotheclientviathesameprotectedRPCcall.ThisprotectedRPCcallisusedtoensurethatnoonelisteningonthenetworkcangettheMasterKey.Nowyou'reprobablythinkingthatthisbackupworksgreatwithdomainclients,butyou'realsowonderingwhataboutallthehomeuserswhorunstand-aloneorworkgroupsystems.Well,WindowsXPhasanewfeature:thePasswordResetDisk(PRD).AusercancreateaPRDfromtheControlPanelatanytime,anditthenallowstheusertoresettheirpasswordwhentheyforgetit.WhenthepasswordisresetbythePRD,alloftheuser'sMasterKeysarere-encryptedunderthenewpassword.

UsingDPAPI

TherearetwosetsofinterfacestoDPAPI,theuserinterfacesandthesysteminterfaces.Thesearediscussedbelow,followedbytwodatastructures,the

CRYPTPROTECT_PROMPTSTRUCT

,whichisthe"promptstructure"mentionedearlier,andtheprotecteddatablobthatholdstheprotecteddata.TheuserinterfacescontaintheonlytwofunctionsapplicationdevelopersneedtoknowtouseDPAPI.Theprotectfunction:

CryptProtectData()

andtheunprotectfunction:

CryptUnprotectData()

.Theonlyrequirementforapplicationstousethesefunctionsistoeitherlinkwithcrypt32.libordynamicallyloadcrypt32.dll.Theprotectfunctiontakesaplaintextdataasinputandreturnsanopaqueprotecteddatablob.Theunprotectfunctiontakesthisopaquedatablobandreturnstheplaintextdata.ThesysteminterfacesarepartoftheLSA.Theseinterfacesaredescribedbelowforcompleteness,buttheycannotbecalledbyauserapplication.TheyexistsothatLSAthreadscanuseDPAPIandspecifythe

CRYPTPROTECT_SYSTEM

flagtoprotectdatathatcannotbeunprotectedoutsidetheLSA.

UserInterfaces

CryptProtectData

Definition[align=center][/align]CopyCode

BOOLWINAPICryptProtectData(
DATA_BLOB*pDataIn,
LPCWSTRszDataDescr,
DATA_BLOB*pOptionalEntropy,
PVOIDpvReserved,
CRYPTPROTECT_PROMPTSTRUCT*pPromptStruct,
DWORDdwFlags,
DATA_BLOB*pDataOut)

ParameterspDataIn

Pointertoa

DATA_BLOB

containingtheplaintextdatatobeprotected.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainsthedatatobeprotected.szDataDescrStringwithareadabledescriptionofthedatatobeencrypted.Thisdescriptionstringisincludedwiththeprotecteddata.ThisparameterisoptionalandcanbeNULL.pOptionalEntropy

Pointertoa

DATA_BLOB

containingadditionalentropyusedtoprotectthedata.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainstheoptionalentropy.The

DATA_BLOB

usedintheprotectioncallmustalsobeusedintheunprotectioncall.Thisistheapplicationspecific"secret"mentionedearlier.ThisparameterisoptionalandcanbeNULL.pvReservedReservedforfutureuseandmustbeNULL.pPromptStructPointertoa

CRYPTPROTECT_PROMPTSTRUCT

thatprovidesinformationaboutwhereandwhenpromptsaredisplayedandwhatthecontentofthosepromptsshouldbe.Thisstructureisdefinedbelow,afterthefunctiondefinitions.ThisparameterisoptionalandcanbeNULL.dwFlagsThefollowingtableliststhedefinedflagsvalues:

CRYPTPROTECT_LOCAL_MACHINE	Whenthisflagisset,itassociatesthedataprotectedwiththecurrentcomputerinsteadofwithanindividualuser.Anyuseronthecomputeronwhich CryptProtectData() iscalledwiththisflagcanuse CryptUnprotectData() tounprotectthedata.Applicationdevelopersshouldunderstandthatbyusingthisflagno"real"protectionisprovidedbyDPAPI.By"real"wemeanthatanyprocessrunningonthesystemcanunprotectanydataprotectedwiththisflag.Wehighlyrecommendedthatthisflagnotbeusedonworkstationstoprotectuser'sdata.Itdoesmakesense,however,foraserverprocesstousetheflagonaserverwhereuntrustedusersarenotallowedtologon.Italsomakessenseforalocalmachineprocesstousetheflagtoprotectdatatobestoredoffthemachineoronashareddrive.
CRYPTPROTECT_UI_FORBIDDEN	Thisflagisusedforremotesituationswherepresentingauserinterface(UI)isnotanoption.WhenthisflagissetandaUIisspecifiedforeitherprotectionorunprotection,thecallfailsand GetLastError() returnsthe ERROR_PASSWORD_RESTRICTION statuscode.
CRYPTPROTECT_AUDIT	ThisflagcausesDPAPItogenerateanauditwhenthisdataisprotectedorunprotected.
CRYPTPROTECT_CRED_SYNC	Whenthisflagisused,nodataisactuallyprotected.InsteadallMasterKeysarequeriedfromdisk,whichwillcausere-encryptioninmemory,presumablyunderachangedpassword.
CRYPTPROTECT_SYSTEM	Causesfailureofthecall.

pDataOutPointertoa

DATA_BLOB

thatreceivestheprotecteddata.Thisbufferisallocatedby

CryptProtectData()

anditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ReturnvaluesIfthefunctionsucceeds,thereturnvalueis

TRUE

.Ifthefunctionfails,thereturnvalueis

FALSE

.Forextendederrorinformation,call

GetLastError()

.ReferenceFormoreinformationandexamplesourcecode,pleaseseeCryptProtectData.

CryptUnprotectData

Definition[align=center][/align]CopyCode

BOOLWINAPICryptUnprotectData(DATA_BLOB*pDataIn,LPCWSTR*ppszDataDescr,DATA_BLOB*pOptionalEntropy,PVOIDpvReserved,CRYPTPROTECT_PROMPTSTRUCT*pPromptStruct,DWORDdwFlags,DATA_BLOB*pDataOut)

ParameterspDataInPointertoa

DATA_BLOB

containingtheprotecteddata.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainsthedatatobeunprotected.ppszDataDescrPointertoastringwherethereadabledescriptionincludedwiththeprotecteddataisplaced.Thisbufferisallocatedby

CryptUnprotectData()

,anditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ThisparameterisoptionalandcanbeNULL.pOptionalEntropyPointertoa

DATA_BLOB

containingadditionalentropyusedwhenthedatawasprotected.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainstheoptionalentropy.Thisistheapplicationspecific"secret"mentionedearlier.ThisparameterisoptionalandcanbeNULL.However,iftheoptionalentropywasusedintheprotectioncall,thatsameentropymustbeusedintheunprotectioncall.pvReservedReservedforfutureuseandmustbeNULL.pPromptStructPointertoa

CRYPTPROTECT_PROMPTSTRUCT

thatprovidesinformationaboutwhereandwhenpromptsaredisplayedandwhatthecontentofthosepromptsshouldbe.Thisstructureisdefinedbelow,afterthefunctiondefinitions.Whilethisparameterisoptionalfortheprotectioncall,itisrecommendedthatthecallingapplicationprovideavalidpointerhere;ifa

pPromptStruct

wasprovidedtothe

CryptProtectData()

call,thispointerwillberequired.dwFlagsThefollowingtableliststhedefinedflagsvalues:

CRYPTPROTECT_UI_FORBIDDEN

Thisflagisusedforremotesituationswherepresentingauserinterface(UI)isnotanoption.WhenthisflagissetandaUIisspecifiedforeitherprotectionorunprotection,thecallfailsand

GetLastError()

returnsthe

ERROR_PASSWORD_RESTRICTION

statuscode.

CRYPTPROTECT_VERIFY_PROTECTION

Iftheprotecteddatablobwouldbebetterprotectedunderanewcallto

CryptProtectData()

andthiscallsucceeds,thenGetLastErrorwillreturna

CRYPT_I_NEW_PROTECTION_REQUIRED

statuscode.

CRYPTPROTECT_SYSTEM

Causesfailureofthecall.

pDataOutPointertoa

DATA_BLOB

thatreceivestheplaintextdata.Thisbufferisallocatedby

CryptUnprotectData()

anditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ReturnvaluesIfthefunctionsucceeds,thereturnvalueis

TRUE

.Ifthefunctionfails,thereturnvalueis

FALSE

.Forextendederrorinformation,call

GetLastError()

.ReferenceFormoreinformationandexamplesourcecode,pleaseseeCryptUnprotectData.

SystemInterfaces

InternalProtectFunction

Definition[align=center][/align]CopyCode

BOOLWINAPIInternalProtectFunction(DATA_BLOB*pDataIn,LPCWSTRszDataDescr,DATA_BLOB*pOptionalEntropy,PVOIDpvReserved,CRYPTPROTECT_PROMPTSTRUCT*pPromptStruct,DWORDdwFlags,DATA_BLOB*pDataOut)

ParameterspDataInPointertoa

DATA_BLOB

containingtheplaintextdatatobeprotected.The

cbData

memberholdsthelengthofthe

pbData

DATA_BLOB

containingadditionalentropyusedtoprotectthedata.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainstheoptionalentropy.The

DATA_BLOB

CRYPTPROTECT_PROMPTSTRUCT

CRYPTPROTECT_LOCAL_MACHINE	Whenthisflagisset,itassociatesthedataprotectedwiththecurrentcomputerinsteadofwithanindividualuser.Anyuseronthecomputeronwhichtheinternalprotectfunctioniscalledwiththisflagcanusetheinternalunprotectfunctiontounprotectthedata.Applicationdevelopersshouldunderstandthatbyusingthisflagno"real"protectionisprovidedbyDPAPI.By"real"wemeanthatanyprocessrunningonthesystemcanunprotectanydataprotectedwiththisflag.Wehighlyrecommendedthatthisflagnotbeusedonworkstationstoprotectuser'sdata.Itdoesmakesense,however,foraserverprocesstousetheflagonaserverwhereuntrustedusersarenotallowedtologon.Italsomakessenseforalocalmachineprocesstousetheflagtoprotectdatatobestoredoffthemachineoronashareddrive.
CRYPTPROTECT_UI_FORBIDDEN	Thisflagisusedforremotesituationswherepresentingauserinterface(UI)isnotanoption.WhenthisflagissetandaUIisspecifiedforeitherprotectionorunprotection,thecallfailsand GetLastError() returnsthe ERROR_PASSWORD_RESTRICTION statuscode.
CRYPTPROTECT_AUDIT	ThisflagcausesDPAPItogenerateanauditwhenthisdataisprotectedorunprotected.
CRYPTPROTECT_CRED_SYNC	Whenthisflagisused,nodataisactuallyprotected.InsteadallMasterKeysarequeriedfromdisk,whichwillcausere-encryptioninmemory,presumablyunderachangedpassword.
CRYPTPROTECT_SYSTEM	Dataprotectedwiththisflagsetcanonlybeunprotectedwiththisflagset.

pDataOutPointertoa

DATA_BLOB

thatreceivestheprotecteddata.Thisbufferisallocatedbytheinternalprotectfunctionanditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ReturnvaluesIfthefunctionsucceeds,thereturnvalueis

TRUE

.Ifthefunctionfails,thereturnvalueis

FALSE

.Forextendederrorinformation,call

GetLastError()

InternalUnprotectFunction

Definition[align=center][/align]CopyCode

BOOLWINAPIInternalUnprotectFunction(DATA_BLOB*pDataIn,LPCWSTR*ppszDataDescr,DATA_BLOB*pOptionalEntropy,PVOIDpvReserved,CRYPTPROTECT_PROMPTSTRUCT*pPromptStruct,DWORDdwFlags,DATA_BLOB*pDataOut)

ParameterspDataInPointertoa

DATA_BLOB

containingtheprotecteddata.The

cbData

memberholdsthelengthofthe

pbData

member'sbytestringthatcontainsthedatatobeunprotected.ppszDataDescrPointertoastringwherethereadabledescriptionincludedwiththeprotecteddataisplaced.Thisbufferisallocatedbytheinternalunprotectfunctionanditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ThisparameterisoptionalandcanbeNULL.pOptionalEntropyPointertoa

DATA_BLOB

containingadditionalentropyusedwhenthedatawasprotected.The

cbData

memberholdsthelengthofthe

pbData

CRYPTPROTECT_PROMPTSTRUCT

thatprovidesinformationaboutwhereandwhenpromptsaredisplayedandwhatthecontentofthosepromptsshouldbe.Thisstructureisdefinedbelow,afterthefunctiondefinitions.Whilethisparameterisoptionalfortheprotectioncall,itisrecommendedthatthecallingapplicationprovideavalidpointerhere,becauseifa

pPromptStruct

wasprovidedtotheinternalprotectfunction,thispointerwillberequired.dwFlagsThefollowingtableliststhedefinedflagsvalues:

CRYPTPROTECT_UI_FORBIDDEN

Thisflagisusedforremotesituationswherepresentingauserinterface(UI)isnotanoption.WhenthisflagissetandaUIisspecifiedforeitherprotectionorunprotection,thecallfailsand

GetLastError()

returnsthe

ERROR_PASSWORD_RESTRICTION

statuscode.

CRYPTPROTECT_VERIFY_PROTECTION

Iftheprotecteddatablobwouldbebetterprotectedunderanewcalltotheinternalprotectfunctionandthiscallsucceeds,thenGetLastErrorwillreturna

CRYPT_I_NEW_PROTECTION_REQUIRED

statuscode.

CRYPTPROTECT_SYSTEM

Ifdatawasprotectedwiththisflagset,thenthisflagmustbesettounprotectthedata.

pDataOutPointertoa

DATA_BLOB

thatreceivestheplaintextdata.Thisbufferisallocatedbytheinternalunprotectfunctionanditistheresponsibilityofthecallingapplicationtofreeitwithacallto

LocalFree()

.ReturnvaluesIfthefunctionsucceeds,thereturnvalueis

TRUE

.Ifthefunctionfails,thereturnvalueis

FALSE

.Forextendederrorinformation,adevelopershouldcall

GetLastError()

DataStructures

CRYPTPROTECT_PROMPTSTRUCT

TheCRYPTPROTECT_PROMPTSTRUCTisastructureprovidingapromptthatwillbedisplayedwhendataisprotectedorunprotected.Thisisthe"promptstructure"discussedearlierintheDPAPIArchitecturesection.Figure2.InitialdialogFigure2,above,showsthedialogwhichfirstaskstheusertospecifyeitherMediumorHighsecurityforthedata,withMediumbeingthedefaultselected.IfthesecuritylevelissettoHigh,thedialogthenpromptstheuserforanadditionalpassword,and,iftheapplicationhasn'tspecifiedone,adescriptionforthedata.ThisdialogisshownbelowinFigure3.Figure3.PasswordanddescriptiondialogWhencalling

CryptUnprotectData()

,werecommendthatanapplicationalwayspassinapointertoapromptstruct.Thisisbecauseifthedatawasprotectedwithapromptstruct,DPAPIwillrequireapromptstructtounprotectthedata,andthefunctionwillfailifoneisnotpassedin.Definition[align=center][/align]CopyCode

typedefstruct_CRYPTPROTECT_PROMPTSTRUCT{DWORDcbSize;DWORDdwPromptFlags;HWNDhwndApp;LPCWSTRszPrompt;}CRYPTPROTECT_PROMPTSTRUCT,*PCRYPTPROTECT_PROMTPSTRUCT;

ElementscbSize

Sizeofstructureinbytes.dwPromptFlagsWhenthe

CRYPTPROTECT_PROMPTSTRUCT

ispassedto

CryptProtectData()

ortheinternalprotectfunction,thetablebelowliststhedefinedflagvalues.Whenthe

CRYPTPROTECT_PROMPTSTRUCT

ispassedto

CryptUnprotectData()

ortheinternalunprotectfunction,noflagvaluesaredefined.

CRYPTPROTECT_PROMPT_ON_PROTECT	Promptonprotectandunprotect.
CRYPTPROTECT_PROMPT_ON_UNPROTECT	Promptonprotectandunprotect.
CRYPTPROTECT_STRONG	Setthedefaultusersecurityleveltostrong.

hwndAppWindowhandletoparentwindow.szPromptStringcontainingthetextfortheprompt.ReferenceFormoreinformationandexamplesourcecode,pleaseseeCRYPTPROTECT_PROMPTSTRUCT.

Protecteddatablob

Aswesaidbefore,DPAPIdoesnotactuallystoreanydata.Itsimplyprotectsdata.Itistheapplicationsresponsibilitytostoretheprotecteddata.

CryptProtectData()

returnsanopaquedatablob,anditissufficientforapplicationstostorethisblobinsomeway,theydonothavetoparsetheinternalsofitforanyreason.ToprotectagainsttamperingoftheDPAPIdataortheencrypteddata,theentireblobishashedwithaHashedMessageAuthenticationCode(HMAC),inthiscaseSHA-1.Forreferencepurposes,thesizeofthedatablobis708bitsplusthelengthofthedescriptiontext,encrypteddata,andMAC.Inaddition,ifDPAPIhastoprovideasaltvaluetotheCryptographicServiceProvider(CSP),thestructwillbealittlelargerinsize,butformostCSPs,thissaltisnotneeded.

DPAPISecurity

DPAPIprovidesanessentialdataprotectioncapabilitythatensurestheconfidentialityofprotecteddatawhileallowingrecoveryoftheunderlyingdataintheeventoflostorchangedpasswords.Thepassword-basedprotectionprovidedbyDPAPIisexcellentforanumberofreasons.Itusesprovencryptographicroutines,suchasthestrongTriple-DESalgorithminCBCmode,thestrongSHA-1algorithm,andthePBKDF2password-basedkeyderivationroutine.Itusesprovencryptographicconstructstoprotectdata.Allcriticaldataiscryptographicallyintegrityprotected,andsecretdataiswrappedusingstandardmethods.Ituseslargesecretsizestogreatlyreducethepossibilityofbrute-forceattackstocompromisethesecrets.ItusesPBKDF2with4000iterationstoincreasetheworkfactorofanadversarytryingtocompromisethepassword.ItsanitychecksMasterKeyexpirationdates.ItprotectsallrequirednetworkcommunicationwithDomainControllersbyusingmutuallyauthenticatedandprivacyprotectedRPCchannels.Itminimizestheriskofexposinganysecrets,byneverwritingthemtodiskandminimizingtheirexposureinswappableRAM.ItrequiresAdministratorprivilegestomakeanymodificationstotheDPAPIparametersintheregistry.ItusesWindowsFileProtectiontohelpprotectallcriticalDLLsfromonlinechangesevenbyprocesseswithAdministratorprivileges.DPAPI,however,isnot100percentfoolproof.ThePasswordResetDiskcanbestolen,allowinganattackertoresetauser'spassword.DPAPIisalsosusceptible,asanypassword-basedsystemis,tosocialengineeringattacks,inwhichanadversarytricksauserintodisclosingapasswordortricksadomainadministratorintoresettingauser'spassword.Finally,whiletheCRYPTPROTECT_LOCAL_MACHINEflagcanprovideexcellentprotectionincertaincircumstances,itispossibletouseitinaninappropriatemannersuchthatnorealprotectionisprovided.OnefeaturewedonotdiscussisthatDPAPIcanbeconfiguredtooperatewithaWindows2000serverinalegacymode.Inthismode,itispossibletobackuptheMasterKeysunderalocalLSAsecret.TheMasterKeys,alongwiththeLSA,andanyprotecteddatacanthenbestolenbyanadversaryanddecryptedatwill.Forthistooccur,however,anAdministratormustmodifytheregistrytoconfigureDPAPIforthislegacymode.Othervulnerabilitiesalsorequiregreaterattackereffortandreducedpayoff.TheseincludeattackssuchasinsertingarogueCSPintotheoperatingsystemorforcinghibernationatacriticalmomentsothatin-usesecretsinRAMgetwrittentothehibernationfile.Overall,DPAPIprovidesverygoodsecurity,consideringtheprotectionisbasedonauser'spassword.BelowwediscussinmoredetailthesecurityofDPAPI,specificallyhowitgeneratesandusescryptographickeys.

KeyRelationships

Figure4,below,showshowallthedifferentkeysoperatetogethertoallowDPAPItoprovidedataprotection.Thekeysarediscussedfurtherinthefollowingsections.TheboldcircleindicatesthecenteroftheDPAPIkeyrelationships:theuserpassword.Onstandalonesystems,therecoverykeyprotectsthepasswordtoallowuserstoresettheirpasswordswiththePRD.TheuserpasswordisusedtoderivetheMasterKeyEncryptionKey,whichisusedtoprotecttheMasterKey.Finally,aderivationofthispassword,theusercredential,isstoredinthe"CredentialHistory"file,whichallowsDPAPItoaccessMasterKeysprotectedunderoldpasswords.Ondomainworkstations,aDomainControllerpublickeyalsoprotectstheMasterKey.ThisallowsDPAPItoaccessaDomainControllerandrestoretheMasterKey,ifitcannotusetheMasterKeyEncryptionKey.Finally,theMasterKeyisusedtoderivetheSymmetricSessionKey,whichthenprotectstheapplicationdata.Figure4.Keyrelationships

MasterKey

WesaidearlierthatDPAPIgeneratesastrongkeycalledtheMasterKey.CallingtheMasterKeyakeyisn'treallycorrect,asitisneverusedinanyexplicitencryptionordecryptionfunctions.TheMasterKeyismoreaccuratelyastrongsecret:strongbecauseitis512bitsofrandomdata,andsecretbecauseitisused,withsomeadditionaldata,togenerateanactualsymmetricsessionkey.Thissecret,however,needstobekeptsecurefromeveryonebuttheintendeduser.Toprotectthissecret,DPAPIusesthePassword-BasedKeyDerivationFunction,PBKDF2,describedinPKCS#5.First,DPAPItakestheuser'spasswordandpassesitthroughSHA-1togetapasswordhash.Thisisthelogoncredentialmentionedearlier.Next,thepasswordhashisprovidedtothePBKDF2function,alongwithsixteenrandombytesforasaltandaniterationcount.ThePBKDF2functioncallsanadditionalfunctionanumberoftimes,specifiedbytheiterationcount,toderiveakeyfromthegivendata.DPAPIusesSHA-1forthatunderlyingfunction.Thedefaultiterationcountis4000,whichincreasestheworkloadrequiredtobrute-forcecompromisethepasswordbyafactorof4000,withoutcreatingundueperformancerestrictionsinnormaloperations.Thereisaregistryvalue

MasterKeyIterationCount

storedinthe

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\GUID

keythatallowsasystemadministratortoincreasethisiterationcount.Itcannot,however,bedecreasedbelow4000.TopreventtamperingoftheMasterKey,itishashedwithanHMAC.DPAPIagainusesSHA-1fortheHMACandtheuser'spasswordtoderivetheHMACkey.Thepassword-derivedencryptionkey,fromabove,isthenusedwithTriple-DEStoencrypttheMasterKeyandtheHMACoftheMasterKey.Thesaltanditerationcountarebothnon-secretvalues,andthereforearestoredalongwiththeencryptedMasterKey,butarenotencrypted.ThisallowsDPAPItoeasilydecrypttheMasterKey,giventheuser'spassword.Atthispoint,ifthecomputerisadomainmember,thebackupsteps,outlinedintheKeyBackupandRestorationinDPAPIsection,areperformed.Finally,theencryptedMasterKeyandHMAC,salt,iterationcount,andbackupMasterKeyareallstoredinaMasterKeyfile,whichresidesintheuser'sprofiledirectory.

SessionKey

Thesessionkeyistherealsymmetrickeythatisusedforencryptinganddecryptingtheapplicationdata.DPAPIusesasimpleprocesstoderivethesessionkey.First,16bytesofrandomdataaregeneratedandthenhashed,viaSHA-1,withtheMasterKey.Thishashisthenappendedwiththeoptionalentropyandoptionaluserpassword,mentionedearlier,via

CryptHashData()

,aCryptoAPIcall.Theresultisthenpassedto

CryptDeriveKey()

,anotherCryptoAPIcall,whichderivesandreturnsthesessionkey.Aswementionedearlier,thesessionkeyisneverstoredanywhere;itisderived,used,andthenremovedfrommemory.SothatDPAPIcanunprotectthedata,thegeneratedrandombytesarestoredintheprotecteddatablob.Whiletheserandombytesarestoredunprotected,sincetheMasterKeyisprotected,theyareauthenticatedwithanHMACtopreventtampering.

RecoveryKey

TherecoverykeyisgeneratedwhenauserchoosestocreateaPasswordResetDisk(PRD)fromtheUsersControlPanel.First,DPAPIgeneratesa2048bitRSApublic/privatekeypair,whichistherecoverykey.Thecurrentpasswordisthenencryptedwiththepublickeyandstoredintheuser'sprofile,whiletheprivatekeyisstoredtothePRD,whichcanactuallybeanyremovablemedia,andthenremovedfrommemory.TheprivatekeyisonlystoredonthePRD,andnowhereelse,soitisimportantforausertokeepthePRDinasafeplace.Ifusersenterthewrongpassword,WindowsasksthemwhethertheywouldliketousethePRDandresetthepassword.Iftheychooseto,awizardrunsthatpromptsforthenewpasswordandusestheprivatekeyonthePRDtodecrypttheoldpasswordandmakethechange.

Contributors

ThecontributorsofthisdocumentareWesleyGriffin,MichaelHeyman,DavidBalenson,andDavidCarman,membersoftheCryptographicTechnologiesGroupinNAILabs,theSecurityResearchDivisionofNetworkAssociates,Inc.NAILabsisamulti-disciplineresearchorganizationwithworld-renownedexpertiseintheareasofnetworksecurity,appliedcryptographictechnologies,secureexecutionenvironments,securityinfrastructure,adaptivenetworkdefenses,distributedsystemssecurity,andinformationassurance.NAILabswouldliketoacknowledgethehelpofPeterBrundrett,MikeLai,DavidHubbard,JohnBanes,ScottField,GeorgeMasters,andCraigDelthony,allatMicrosoft,forprovidinginformationonDPAPI.WewouldalsoliketothankDaveThompsonandDougBayerforcontributingMicrosoftresources.

References

CryptProtectData.CryptUnprotectData.CRYPTPROTECT_PROMPTSTRUCT.PKCS#5v2.0:Password-BasedCryptographyStandard.RSALaboratories.March25,1999.http://www.cnblogs.com/jjkv3/admin/ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-5v2/pkcs5v2-0.doc.RFC-2404:TheUseofHMAC-SHA-1-96withinESPandAH.C.Madson,R.Glenn.November1998.http://www.ietf.org/rfc/rfc2404.txt.

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航

不得不看：Windows Data Protection

Contents

Introduction

DPAPIArchitecture

KeysandPasswordsinDPAPI

KeyBackupandRestorationinDPAPI

UsingDPAPI

UserInterfaces

CryptProtectData

CryptUnprotectData

SystemInterfaces

InternalProtectFunction

InternalUnprotectFunction

DataStructures

CRYPTPROTECT_PROMPTSTRUCT

Protecteddatablob

DPAPISecurity

KeyRelationships

MasterKey

SessionKey

RecoveryKey

Contributors

References