crypt32: CryptProtectData/CryptUnprotectData

Michael Jung mjung at iss.tu-darmstadt.de
Wed Apr 13 06:28:32 CDT 2005


On Wednesday 13 April 2005 12:16, Alexandre Julliard wrote:
> I don't understand why you come up with such an elaborate scheme of
> storing things in the registry when it's clearly not the way this
> thing is supposed to work. If you can't figure out what Windows does,
> then just xoring the data with 0xdeadbeef or something like this would
> be at least as secure as your solution, and would actually be much
> closer to the proper behavior.

What Windows does is described in detail at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

Besides the complicated (and in my opinion braindead) procedure for key backup 
and restoration, it all basically boils down to the following (simplified):

When a user logs in to the system a hash of his password is computed. This 
hash is kept in memory in a system service called "Local Security Authority". 
CryptProtectData/CryptUnprotectData asks the LSA via RPC to en/de-crypt data 
using this hash as a symmetric key on behalf of the user.

Since the unix/linux login process doesn't provide such a functionality, this 
is not easy to replicate. I like Mike McCormack's idea to apply "ssh-agent", 
but I didn't look into it in detail.

Bye,
--
Michael Jung
mjung at iss.tu-darmstadt.de
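The scheme Michael describes above (a password-derived key held in memory by a single "LSA" service, with CryptProtectData/CryptUnprotectData handing data to that service rather than touching the key) is shown below as an added, runnable model. This is constructed for this page; it is not code from Wine, Windows, or the MSDN article. The class and method names (Lsa, logon, logoff, protect, unprotect, can_unprotect) are invented, HMAC-SHA256 in counter mode plus a MAC stands in for the real cipher, the real DPAPI blob format, master-key hierarchy and RPC transport are omitted, and the optional entropy argument mirrors the pOptionalEntropy parameter of the real API.

```python
"""Model of the DPAPI architecture described above: a logon step derives a
per-user key from the password, one "LSA" service holds that key in memory,
and the CryptProtectData/CryptUnprotectData side only forwards blobs to it.

Constructed example, not Wine or Windows code.  The real DPAPI blob format,
master-key hierarchy and RPC transport are omitted; the class and method
names (Lsa, logon, logoff, protect, unprotect) are invented for this model.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the real symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Lsa:
    """Stands in for the Local Security Authority service.

    Keys live only in this object's memory, one per logon session.  A calling
    process never receives them; it sends data across the boundary (here a
    plain method call instead of RPC) and gets an opaque blob back.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def logon(self, user: str, password: str) -> None:
        # "A hash of his password is computed" at logon.  PBKDF2 with a
        # per-user salt stands in for that hash (simplification: real DPAPI
        # derives master keys rather than using the hash directly).
        salt = b"dpapi-model:" + user.encode()
        self._keys[user] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def logoff(self, user: str) -> None:
        # Once the session is gone, nothing in this process can decrypt.
        self._keys.pop(user, None)

    def _subkeys(self, user: str, entropy: bytes) -> tuple[bytes, bytes]:
        key = self._keys[user]  # KeyError: no logon session for this user
        enc = hmac.new(key, b"enc" + entropy, hashlib.sha256).digest()
        mac = hmac.new(key, b"mac" + entropy, hashlib.sha256).digest()
        return enc, mac

    def protect(self, user: str, data: bytes, entropy: bytes = b"") -> bytes:
        """Server side of CryptProtectData: blob = nonce || ciphertext || tag."""
        enc, mac = self._subkeys(user, entropy)
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(data, _keystream(enc, nonce, len(data))))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unprotect(self, user: str, blob: bytes, entropy: bytes = b"") -> bytes:
        """Server side of CryptUnprotectData; rejects other users' blobs."""
        enc, mac = self._subkeys(user, entropy)
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong user, wrong entropy, or tampered blob")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def can_unprotect(lsa: Lsa, user: str, blob: bytes, entropy: bytes = b"") -> bool:
    """True if the given logon session can recover the blob, False otherwise."""
    try:
        lsa.unprotect(user, blob, entropy)
        return True
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    lsa = Lsa()
    lsa.logon("alice", "correct horse")
    lsa.logon("bob", "battery staple")
    blob = lsa.protect("alice", b"mail password: hunter2")
    print("alice:       ", can_unprotect(lsa, "alice", blob))  # True
    print("bob:         ", can_unprotect(lsa, "bob", blob))    # False
    lsa.logoff("alice")
    print("after logoff:", can_unprotect(lsa, "alice", blob))  # False
```

What the model makes visible is the property the thread is arguing about: a protected blob is bound to a logon session, so another user, a wrong entropy value, a tampered blob, or a logged-off session all fail to decrypt, and the calling process never holds the key at any point. A fixed XOR constant or a key stored in the registry cannot provide that binding, which is why replicating it on Unix needs something that lives across the process boundary, along the lines of the ssh-agent idea mentioned above.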


