Data protection API

DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component of Windows 2000 and later versions of Microsoft Windows. In theory DPAPI can be used for symmetric encryption of any kind of data; in practice, its primary use in Windows is to symmetrically encrypt asymmetric private keys and other small secrets, using a secret tied to the user's logon or to the machine as the main source of key material.

For nearly all cryptosystems, one of the most difficult challenges is key management: in particular, how to store the decryption key securely. If the key is stored in plain text, any user who can read the key can read the encrypted data. If the key is itself to be encrypted, another key is needed, and so on ad infinitum. DPAPI lets developers encrypt keys using a symmetric key derived from the user's logon secret or, for machine-scope protection, from a secret held by the local machine (kept as the DPAPI_SYSTEM LSA secret). Machine-scope protection ties data to the computer rather than to a user, so any process that can run on that machine, under any account, can decrypt it.

The master keys that protect the user's private keys (and every other blob DPAPI protects for that user) are stored under %USERPROFILE%\Application Data\Microsoft\Protect\{SID} (from Windows Vista onward, %APPDATA%\Microsoft\Protect\{SID}), where {SID} is the security identifier of that user. Each file in that directory is named by the GUID of the master key it holds and contains that key encrypted under a key derived from the user's logon credential, along with a copy protected for recovery (in a domain, under the domain controllers' backup key). The master key itself is random data, 64 bytes long in current versions of Windows.

Security properties

Apart from the master keys described above, DPAPI stores no persistent data on the caller's behalf: it receives plaintext and returns a ciphertext blob (or vice versa), and the application is responsible for storing the blob.

DPAPI's security rests on the operating system's ability to keep the master key and the protected private keys from compromise, which in most attack scenarios comes down to the security of the end user's logon credentials: an attacker who learns the user's password, or who can read the cached master keys out of the LSASS process with administrative rights, can decrypt everything protected under that master key. A blob can additionally be protected with caller-supplied entropy (the pOptionalEntropy argument to CryptProtectData, often loosely called a salt) and/or with a user-prompted password ("Strong Key Protection"); CryptUnprotectData fails unless the same entropy value is supplied again. The use of such entropy is a per-application decision under the control of the developer, not of the end user or system administrator, and it only helps if the entropy value is not itself stored next to the blob.
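The following Python script is an example added to this article; it is not Microsoft code and not part of the original text. It parses the fixed header that CryptProtectData places in front of every blob and reports the master key GUID (which names the file under the user's Protect\{SID} directory described above), the flags recorded at protection time, the per-blob salt and the algorithm identifiers, so an analyst can tell which master key, and therefore whose logon credential or which machine's LSA secret, a given blob depends on. The sample blob it builds has the genuine header layout around placeholder ciphertext and is constructed for this example; the master key GUID and SID in it are made up.

```python
"""Parse the header of a DPAPI blob (the bytes CryptProtectData returns). Example code
added to the article, not Microsoft's: the layout is the one every DPAPI blob has carried
since Windows 2000, while the sample blob is constructed around placeholder ciphertext."""
import struct
import uuid
from dataclasses import dataclass

# Every DPAPI blob carries this provider GUID right after the version DWORD.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# Flags CryptProtectData records in the blob (a subset of its dwFlags values).
CRYPTPROTECT_UI_FORBIDDEN = 0x01   # caller forbade the Strong Key Protection prompt
CRYPTPROTECT_LOCAL_MACHINE = 0x04  # machine-scope master key: any local account can decrypt
# Windows ALG_ID values that appear in the algCrypt / algHash fields.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
# Made-up identifiers for the sample blob (assumptions for this example, not real artefacts).
SAMPLE_MASTER_KEY_GUID = uuid.UUID("5c0d3a26-1a73-4b8b-9d0a-2e7a4f6b8c1d")
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"


@dataclass
class DpapiBlob:
    master_key_guid: uuid.UUID
    flags: int
    description: str
    alg_crypt: int
    alg_crypt_bits: int
    salt: bytes
    alg_hash: int
    alg_hash_bits: int
    ciphertext: bytes
    signature: bytes

    def master_key_file(self, sid: str) -> str:
        """The master key file this blob depends on: the header GUID names a file
        under the user's Protect directory, or SYSTEM's for machine-scope blobs."""
        if self.flags & CRYPTPROTECT_LOCAL_MACHINE:
            return "%WINDIR%\\System32\\Microsoft\\Protect\\S-1-5-18\\" + str(self.master_key_guid)
        return "%APPDATA%\\Microsoft\\Protect\\" + sid + "\\" + str(self.master_key_guid)


def _dword(buf: bytes, off: int):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int):
    n, off = _dword(buf, off)                # DWORD length, then that many bytes
    if off + n > len(buf):
        raise ValueError("length field runs past the end of the blob")
    return buf[off:off + n], off + n


def parse_blob(buf: bytes) -> DpapiBlob:
    version, off = _dword(buf, 0)
    if version != 1:
        raise ValueError(f"unsupported blob version {version}")
    provider, off = uuid.UUID(bytes_le=buf[off:off + 16]), off + 16
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("provider GUID mismatch: not a DPAPI blob")
    _mk_version, off = _dword(buf, off)
    master_key_guid, off = uuid.UUID(bytes_le=buf[off:off + 16]), off + 16
    flags, off = _dword(buf, off)
    desc_raw, off = _counted(buf, off)       # UTF-16LE, NUL terminated
    alg_crypt, off = _dword(buf, off)
    alg_crypt_bits, off = _dword(buf, off)
    salt, off = _counted(buf, off)           # per-blob salt mixed into the key derivation
    _strong, off = _counted(buf, off)        # Strong Key Protection field, normally empty
    alg_hash, off = _dword(buf, off)
    alg_hash_bits, off = _dword(buf, off)
    _hmac2_key, off = _counted(buf, off)     # normally empty
    ciphertext, off = _counted(buf, off)
    signature, off = _counted(buf, off)      # HMAC over the blob
    if off != len(buf):
        raise ValueError("trailing bytes after the signature")
    return DpapiBlob(master_key_guid, flags, desc_raw.decode("utf-16-le").rstrip("\0"), alg_crypt,
                     alg_crypt_bits, salt, alg_hash, alg_hash_bits, ciphertext, signature)


def build_sample_blob(master_key_guid: uuid.UUID, flags: int, description: str,
                      salt: bytes, ciphertext: bytes, signature: bytes) -> bytes:
    """Genuine header layout around placeholder ciphertext; constructed, not CryptProtectData output."""
    c = lambda b: struct.pack("<I", len(b)) + b   # DWORD length prefix + bytes
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key_guid.bytes_le + struct.pack("<I", flags)
            + c((description + "\0").encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256) + c(salt) + c(b"")   # CALG_AES_256; salt; strong-key field
            + struct.pack("<II", 0x800E, 512) + c(b"")             # CALG_SHA_512 HMAC; second key field
            + c(ciphertext) + c(signature))


def sample_blob(flags: int = CRYPTPROTECT_UI_FORBIDDEN) -> bytes:
    """Constructed sample: made-up master key GUID, 32-byte salt, dummy ciphertext and HMAC."""
    return build_sample_blob(SAMPLE_MASTER_KEY_GUID, flags, "Example secret",
                             b"\x11" * 32, b"\x22" * 48, b"\x33" * 64)


if __name__ == "__main__":
    b = parse_blob(sample_blob(CRYPTPROTECT_LOCAL_MACHINE))
    print(b.description, ALG_NAMES.get(b.alg_crypt), b.alg_crypt_bits, "bits;", b.master_key_file(SAMPLE_SID))
```

Run against a real blob (for instance one read out of a Credential Manager file or a .NET ProtectedData store), the GUID it prints is the name of the master key file an attacker would have to decrypt first; if that file sits under a user's Protect\{SID} directory, the user's logon credential is the root of trust, and if the blob carries CRYPTPROTECT_LOCAL_MACHINE, any code running on that host is enough. The optional entropy discussed above is not recorded in the blob at all, which is why it is only a protection when the application keeps it out of reach of whoever can read the blob.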

Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.

Use of DPAPI by Microsoft Products

While not universally implemented across Microsoft products, the use of DPAPI by Microsoft products has increased with each successive version of Windows. However, many applications from Microsoft and third-party developers still roll their own protection scheme or have only recently switched to DPAPI. For example, Internet Explorer versions 4.0 to 6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords; Internet Explorer 7 protects stored user credentials using DPAPI (Mikhael Felker, "Password Management Concerns with IE and Firefox, part one", SecurityFocus, 8 December 2006, http://www.securityfocus.com/infocus/1882/2, accessed 2 June 2007). Products and components that use DPAPI include:

* Encrypting File System in Windows 2000 and later
* Internet Explorer 7, both in the standalone version available for Windows XP and in the integrated versions available in Windows Vista and Windows Server 2008
* Windows Mail and Windows Live Mail
* Outlook for S/MIME
* Internet Information Services for SSL/TLS
* Windows Rights Management Services client v1.1 and later
* Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x (WiFi authentication)
* Windows XP and later for [http://technet.microsoft.com/en-us/library/bb457059.aspx Stored User Names and Passwords] (aka Credential Manager)
* .NET Framework 2.0 and later for [http://msdn2.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx System.Security.Cryptography.ProtectedData]

External links

* [http://go.microsoft.com/fwlink/?LinkId=89993 Windows Data Protection API (DPAPI) white paper by NAI Labs]
* [http://www.codeproject.com/KB/system/protected_data.aspx Data encryption with DPAPI]
* [http://www.obviex.com/samples/dpapi.aspx Use DPAPI to encrypt and decrypt data]
* [http://msdn.microsoft.com/library/aa302404.aspx How To: Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services]
* [http://msdn.microsoft.com/library/system.security.cryptography.protecteddata.aspx System.Security.Cryptography.ProtectedData in .NET Framework 2.0 and later]
* [http://msdn.microsoft.com/library/cc201324.aspx Discussion of the use of MS BackupKey Remote Protocol by DPAPI to protect user secrets]
* [http://msdn.microsoft.com/library/bb432403.aspx The Windows PStore]

