Reversing DPAPI and Stealing Windows Secrets Offline
https://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline
http://dpapick.com/

On Sun, Aug 23, 2015 at 3:19 AM, James Starkey <j...@jimstarkey.net> wrote:

> One of the tenants of moderm cryptology is that algorithms and mechanisms
> have to be published for analysis and review.  The basic idea is that
> security is based on a mathematical impossibility that a cryptosystem cabe
> be broken within the time remaining in the universe.  The once dominant
> idea was that a system sufficiently obscure was good enough.  I dare say
> that the experiece of the third reich demonstrated the weakness of the
> latter argument.
>
> Microsoft is assuming a position that is theoretically impossible and
> refuses to publish their system's algorithms for legititate analysis.  It
> is hard to argue that their system is anything but garbage top to bottom,
> waiting only for a disgruntled employee to blw the whole thing sky high.
>
> It is well understood that security by obscurity is no security at all.
> If Microsoft actually believed they had a robus system, they wouldn't
> hesitate to publish -- and patent -- their system.
>
> Possibly it is fairly secure.  More likely, it's bullshit.  If they
> published the details, we would all know.  But they won't.
>
> Once it was belived that nobody could get fired for going IBM (SNA
> anyone?  Anyone?).  Then it was Microsoft instead of IBM.  But that was
> then abd this is now.
>
> Are you really going to trust a company that staked their future on
> Windiws RT tablets and Windows phones?
>
> To paraphrase Yoda, break me a frigging give.
>
> On Saturday, August 22, 2015, Brian Vraamark <brian.vraam...@plandent.dk>
> wrote:
>
>> > I have a strong preference for portable, transparent solutions.
>>
>> That I can understand and would always be the best solution, but not
>> always possible.
>>
>>
>> > There is also the small point that it has been broken (see Wikipedia).
>>
>> As I read it, it was mostly before Windows XP. Since Windows Server
>> 2003/Windows 7, a lot of changes in DPAPI has made it more secure. The
>> security analysis from Passcape concludes:
>>
>> "DPAPI deserves such close attention at least for the fact that it's the
>> only password-based system that provides appropriate and thoroughly thought
>> out protection of user's personal data. None of the operating systems has a
>> more viable alternative to DPAPI!
>>
>> We should, perhaps, mention that the first implementation of DPAPI had a
>> number of serious flaws, which could enable a potential malefactor to
>> easily compromise user's data protected by DPAPI.
>>
>> The first pancake is known to be always lumpy. In all the sequel
>> operating systems, beginning with Windows XP, those vulnerabilities have
>> not merely been eliminated; the entire DPAPI system has undergone a major
>> revision. In particular, it has adopted new encryption algorithms; that has
>> made the Master Key password lookup speed about 1000 (!) times slower.
>> Master Key encryption errors that potentially allowed any user to gain
>> access to any files encrypted by EFS were fixed. The local Master Key
>> backup system has been replaced with the password reset disk, etc.
>>
>> Overall, the DPAPI encryption system has become more robust, powerful,
>> meeting the stringent requirements of password security."
>>
>>
>> Brian Vraamark
>>
>>
>> ------------------------------------------------------------------------------
>> Firebird-Devel mailing list, web interface at
>> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>>
>
>
> --
> Jim Starkey
>
>
> ------------------------------------------------------------------------------
>
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
>
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel

Reply via email to