HOME

TheInfoList



Click Here for Items Related To - DPAPI
OR:
DPAPI on:   [Wikipedia]   [Google]   [Amazon]

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic
application programming interface An application programming interface (API) is a connection between computers or between computer programs. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standard that des ...
available as a built-in component in
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft, targeting the server and business markets. It is the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RT ...
and later versions of
Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...
operating system An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...
s. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al. For nearly all
cryptosystem In cryptography, a cryptosystem is a suite of cryptographic algorithms needed to implement a particular security service, such as confidentiality (encryption). Typically, a cryptosystem consists of three algorithms: one for key generation, one ...
s, one of the most difficult challenges is " key management" in part, how to securely store the decryption key. If the key is stored in ''
plain text In computing, plain text is a loose term for data (e.g. file contents) that represent only characters of readable material but not its graphical representation nor other objects ( floating-point numbers, images, etc.). It may also include a lim ...
'', then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets. The DPAPI keys used for encrypting the user's RSA keys are stored under %APPDATA%\Microsoft\Protect\ directory, where is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 64 bytes of random data.


Security properties

DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
(or conversely). DPAPI security relies upon the Windows operating system's ability to protect the master key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. A main encryption/decryption key is derived from user's password by PBKDF2 function. Particular data binary large objects can be encrypted in a way that
salt In common usage, salt is a mineral composed primarily of sodium chloride (NaCl). When used in food, especially in granulated form, it is more formally called table salt. In the form of a natural crystalline mineral, salt is also known as r ...
is added and/or an external user-prompted password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option i.e. under the control of the application developer and is not controllable by the end user or system administrator. Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.


Active Directory backup keys

When a computer is a member of a domain, DPAPI has a backup mechanism to allow data deprotection in case the user's password is lost, which is named "Credential Roaming". When installing a new domain on a domain controller, a public and private key pair is generated, associated with DPAPI. When a master key is generated on a client workstation, the client communicates through an authenticated RPC call with a domain controller to retrieve a copy of the domain's public key. The client encrypts the master key with the domain controller's public key. Finally, it stores this new backup master key in its AppData directory, just like traditional master key storage.


Use of DPAPI by Microsoft software

While not universally implemented in all Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still prefer to use their own protection approach or have only recently switched to use DPAPI. For example,
Internet Explorer Internet Explorer (formerly Microsoft Internet Explorer and Windows Internet Explorer, commonly abbreviated as IE or MSIE) is a deprecation, retired series of graphical user interface, graphical web browsers developed by Microsoft that were u ...
versions 4.0–6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords etc. Internet Explorer 7 now protects stored user credentials using DPAPI. * Picture password, PIN and fingerprint in
Windows 8 Windows 8 is a major release of the Windows NT operating system developed by Microsoft. It was Software release life cycle#Release to manufacturing (RTM), released to manufacturing on August 1, 2012, made available for download via Microsoft ...
* Encrypting File System in Windows 2000 and later * SQL Server Transparent Data Encryption (TDE) Service Master Key encryption *
Internet Explorer 7 Windows Internet Explorer 7 (IE7) (codenamed Rincon) is a version of Internet Explorer, a web browser for Windows. It was released by Microsoft on October 18, 2006. It was the first major update to the browser since 2001. It does not support ve ...
, both in the standalone version available for Windows XP and in the integrated versions available in
Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, released five years earlier, which was then the longest time span between successive releases of Microsoft W ...
and Windows Server 2008 *
Microsoft Edge Microsoft Edge is a Proprietary Software, proprietary cross-platform software, cross-platform web browser created by Microsoft and based on the Chromium (web browser), Chromium open-source project, superseding Edge Legacy. In Windows 11, Edge ...
* Windows Mail and Windows Live Mail * Outlook for S/MIME *
Internet Information Services Microsoft IIS (Internet Information Services, IIS, 2S) is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTP/3, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part o ...
for SSL/TLS * Windows Rights Management Services client v1.1 and later *
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft, targeting the server and business markets. It is the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RT ...
and later for EAP/TLS ( VPN authentication) and 802.1x ( WiFi authentication) * Windows XP and later for stored user names and passwords (aka Credential Manager) * .NET Framework 2.0 and later for System.Security.Cryptography.ProtectedData * Microsoft.Owin (Katana) authentication by default when self-hosting (including cookie authentication and OAuth tokens)


References


External links


Le fonctionnement de DPAPI par Processus Thief (FR)

Windows Data Protection API (DPAPI) white paper by NAI Labs

Data encryption with DPAPI

How To: Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services

System.Security.Cryptography.ProtectedData in .NET Framework 2.0 and later

Discussion of the use of MS BackupKey Remote Protocol by DPAPI to protect user secrets

The Windows PStore
{{DEFAULTSORT:DPAPI Microsoft application programming interfaces Cryptographic software Microsoft Windows security technology Windows 2000