crypt32: CryptProtectData/CryptUnprotectData
Michael Jung
mjung at iss.tu-darmstadt.de
Wed Apr 13 06:28:32 CDT 2005
On Wednesday 13 April 2005 12:16, Alexandre Julliard wrote:
> I don't understand why you come up with such an elaborate scheme of
> storing things in the registry when it's clearly not the way this
> thing is supposed to work. If you can't figure out what Windows does,
> then just xoring the data with 0xdeadbeef or something like this would
> be at least as secure as your solution, and would actually be much
> closer to the proper behavior.
What Windows does is described in detail at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
Besides the complicated (and in my opinion braindead) procedure for key backup
and restoration, it all basically boils down to the following (simplified):
When a user logs in to the system a hash of his password is computed. This
hash is kept in memory in a system service called "Local Security Authority".
CryptProtectData/CryptUnprotectData asks the LSA via RPC to en/de-crypt data
using this hash as a symmetric key on behalf of the user.
Since the unix/linux login process doesn't provide such a functionality, this
is not easy to replicate. I like Mike McCormack's idea to apply "ssh-agent",
but I didn't look into it in detail.
Bye,
--
Michael Jung
mjung at iss.tu-darmstadt.de
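The simplified flow Michael describes, as an added Python model that is not Wine's, Windows' or the list author's code: the LSA class stands in for the RPC service, the key is derived from the password at logon and held only inside that object, and the PBKDF2 derivation and HMAC-based stream cipher are constructed stand-ins (the real DPAPI key material and cipher differ).

```python
"""Toy model of the CryptProtectData / LSA split described in the mail."""
import hashlib
import hmac
import secrets


class LocalSecurityAuthority:
    """Stand-in for the LSA: keeps a per-user key derived from the password
    at logon, in memory only, and does the cipher work on the user's behalf."""

    def __init__(self):
        self._keys = {}

    def logon(self, user, password):
        # Constructed derivation; stands in for the password hash the mail mentions.
        self._keys[user] = hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

    def _keystream(self, key, nonce, n):
        # Constructed counter-mode keystream built from HMAC-SHA256 blocks.
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def protect(self, user, data):
        key = self._keys[user]
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # authenticate the blob
        return nonce + ct + tag

    def unprotect(self, user, blob):
        key = self._keys[user]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("blob was not protected under this user's key")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))


LSA = LocalSecurityAuthority()  # one service instance; the caller never sees the key


def crypt_protect_data(user, data):
    """Caller side of CryptProtectData: hands the work to the LSA."""
    return LSA.protect(user, data)


def crypt_unprotect_data(user, blob):
    """Caller side of CryptUnprotectData: hands the work to the LSA."""
    return LSA.unprotect(user, blob)


def can_unprotect(user, blob):
    """True if the blob opens under this user's key, False otherwise."""
    try:
        crypt_unprotect_data(user, blob)
        return True
    except ValueError:
        return False
```

A blob protected while logged on as one user fails the tag check under any other user's key, which is the property a per-user key held by the service gives and a constant XOR mask does not.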