Reversing DPAPI and Stealing Windows Secrets Offline https://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline http://dpapick.com/
On Sun, Aug 23, 2015 at 3:19 AM, James Starkey <j...@jimstarkey.net> wrote: > One of the tenants of moderm cryptology is that algorithms and mechanisms > have to be published for analysis and review. The basic idea is that > security is based on a mathematical impossibility that a cryptosystem cabe > be broken within the time remaining in the universe. The once dominant > idea was that a system sufficiently obscure was good enough. I dare say > that the experiece of the third reich demonstrated the weakness of the > latter argument. > > Microsoft is assuming a position that is theoretically impossible and > refuses to publish their system's algorithms for legititate analysis. It > is hard to argue that their system is anything but garbage top to bottom, > waiting only for a disgruntled employee to blw the whole thing sky high. > > It is well understood that security by obscurity is no security at all. > If Microsoft actually believed they had a robus system, they wouldn't > hesitate to publish -- and patent -- their system. > > Possibly it is fairly secure. More likely, it's bullshit. If they > published the details, we would all know. But they won't. > > Once it was belived that nobody could get fired for going IBM (SNA > anyone? Anyone?). Then it was Microsoft instead of IBM. But that was > then abd this is now. > > Are you really going to trust a company that staked their future on > Windiws RT tablets and Windows phones? > > To paraphrase Yoda, break me a frigging give. > > On Saturday, August 22, 2015, Brian Vraamark <brian.vraam...@plandent.dk> > wrote: > >> > I have a strong preference for portable, transparent solutions. >> >> That I can understand and would always be the best solution, but not >> always possible. >> >> >> > There is also the small point that it has been broken (see Wikipedia). >> >> As I read it, it was mostly before Windows XP. Since Windows Server >> 2003/Windows 7, a lot of changes in DPAPI has made it more secure. The >> security analysis from Passcape concludes: >> >> "DPAPI deserves such close attention at least for the fact that it's the >> only password-based system that provides appropriate and thoroughly thought >> out protection of user's personal data. None of the operating systems has a >> more viable alternative to DPAPI! >> >> We should, perhaps, mention that the first implementation of DPAPI had a >> number of serious flaws, which could enable a potential malefactor to >> easily compromise user's data protected by DPAPI. >> >> The first pancake is known to be always lumpy. In all the sequel >> operating systems, beginning with Windows XP, those vulnerabilities have >> not merely been eliminated; the entire DPAPI system has undergone a major >> revision. In particular, it has adopted new encryption algorithms; that has >> made the Master Key password lookup speed about 1000 (!) times slower. >> Master Key encryption errors that potentially allowed any user to gain >> access to any files encrypted by EFS were fixed. The local Master Key >> backup system has been replaced with the password reset disk, etc. >> >> Overall, the DPAPI encryption system has become more robust, powerful, >> meeting the stringent requirements of password security." >> >> >> Brian Vraamark >> >> >> ------------------------------------------------------------------------------ >> Firebird-Devel mailing list, web interface at >> https://lists.sourceforge.net/lists/listinfo/firebird-devel >> > > > -- > Jim Starkey > > > ------------------------------------------------------------------------------ > > Firebird-Devel mailing list, web interface at > https://lists.sourceforge.net/lists/listinfo/firebird-devel > >
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
