Saturday, December 27, 2014

DPAPI Doesn't Protect Much Data

You may have heard of the Windows Data Protection API, or DPAPI for short. Unfortunately, it doesn't protect much unless it is used on a computer that nobody is logged into and nobody can physically reach, like a server.

The thing is, DPAPI encrypts the "protected" data with a per-user key that is kept secret by the OS kernel. This sounds really nice until you find out that every process running as the user can use DPAPI to encrypt and decrypt data belonging to that user. What's more, physical access to the computer can be exploited to get the machine key; the machine key can be used to decrypt the user keys, and those in turn decrypt any data belonging to those users. Data can also be DPAPI-encrypted with the system key, which allows any application running on the computer to decrypt it.

The situation is made slightly better by the option of supplying additional "entropy" to the encryption call; the same entropy must then be supplied to decrypt the data. That only moves the problem, though. The entropy is a second key, and you have no safe way to store it on the same machine, because anything you encrypt it with is subject to the same weakness. It's a chicken-and-egg problem: you can't securely store the second key because you have no way of safely encrypting it.
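As an added example (not part of the original post), the following PowerShell script exercises DPAPI through .NET's ProtectedData wrapper to show the two points above: a separate process running as the same user can decrypt a CurrentUser blob, and the optional entropy is just a second secret that, if stored under DPAPI on the same machine, is recoverable the same way. It assumes Windows PowerShell on a Windows machine; the secret and entropy values are constructed samples.

```powershell
# Added example, not from the original post. Uses .NET's ProtectedData wrapper
# around CryptProtectData/CryptUnprotectData. Run on Windows as a normal user.
Add-Type -AssemblyName System.Security
$dpapi   = [System.Security.Cryptography.ProtectedData]
$secret  = [Text.Encoding]::UTF8.GetBytes('db-password-example')        # constructed sample
$entropy = [Text.Encoding]::UTF8.GetBytes('app-specific-entropy-value')  # constructed sample
$path    = Join-Path $env:TEMP 'dpapi-demo.bin'

# 1. CurrentUser scope, no entropy: the user's DPAPI key is all that is needed,
#    so a brand-new process running as the same user reads the secret back.
$blob = $dpapi::Protect($secret, $null, 'CurrentUser')
[IO.File]::WriteAllBytes($path, $blob)
$child = "Add-Type -AssemblyName System.Security; " +
         "[Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect(" +
         "[IO.File]::ReadAllBytes('$path'), `$null, 'CurrentUser'))"
'Separate process, same user: ' + (& powershell.exe -NoProfile -Command $child)
Remove-Item $path

# 2. CurrentUser scope with entropy: the user's key alone no longer suffices;
#    whoever decrypts must also present the same entropy bytes.
$blobE = $dpapi::Protect($secret, $entropy, 'CurrentUser')
try {
    [void]$dpapi::Unprotect($blobE, $null, 'CurrentUser')
    'Unexpected: unprotect without entropy succeeded'
} catch {
    'Without entropy: ' + $_.Exception.GetBaseException().GetType().Name
}
$plain = $dpapi::Unprotect($blobE, $entropy, 'CurrentUser')
'With entropy:    ' + [Text.Encoding]::UTF8.GetString($plain)

# 3. The entropy is just a second secret. Protecting it with DPAPI on the same
#    machine puts you back in case 1: any code running as this user recovers
#    the entropy, then the data. This is the chicken-and-egg problem; the
#    entropy must come from outside the machine (e.g. typed by the user).
$entropyBlob      = $dpapi::Protect($entropy, $null, 'CurrentUser')
$recoveredEntropy = $dpapi::Unprotect($entropyBlob, $null, 'CurrentUser')
$plainAgain = $dpapi::Unprotect($blobE, $recoveredEntropy, 'CurrentUser')
'Via stored entropy: ' + [Text.Encoding]::UTF8.GetString($plainAgain)
```

The LocalMachine scope mentioned above behaves like case 1 but for every account on the computer: pass 'LocalMachine' instead of 'CurrentUser' and the child process can be run as a different local user.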

So, DPAPI might be a tiny bit more secure than plain text - it might not be immediately obvious to an attacker that you're using it - but it's impossible to keep a secret inside one machine.
