crypt32: CryptProtectData/CryptUnprotectData
Michael Jung
mjung at iss.tu-darmstadt.de
Wed May 4 06:54:03 CDT 2005
Hi Kees,
On Wednesday 04 May 2005 12:43, Alexandre Julliard wrote:
> Of course it
> would be even better to do true encryption with a hardcoded key; it
> still doesn't provide any security, but it's much closer to the
> desired end result, which makes it more likely that someone will be
> able to plug in the missing step.
Ok, I see.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/example_c_program_deriving_a_session_key_from_a_password.asp
gives a pretty good introduction on how to derive a key from a password using
CryptoAPI. You should hash the following: 1.) A placeholder for the user's
login password, 2.) the pszDescription parameter (if present) and 3.) the
pEntropy (if present).
If you apply the user's login name as the placeholder for 1.) you are even
closer to Windows in the sense that one user can't decrypt another users
DATA_BLOB's. (Well, he can of course. But only with some hacking involved.)
Bye,
--
Michael Jung
mjung at iss.tu-darmstadt.de
More information about the wine-devel
mailing list