dpapi: wtf?
Aug. 28th, 2008 03:54 pm
Reading about Windows Data Protection:
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
The MasterKey, however, is not used explicitly to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and any additional entropy, if an application chooses to supply it. It is this session key that is used to protect the data. The session key is never stored. Instead, DPAPI stores the random data it used to generate the key in the opaque data blob. When the data blob is passed back in to DPAPI, the random data is used to re-derive the key and unprotect the data.
http://msdn.microsoft.com/en-us/library/ms995355.aspx
Briefly, in translation: a symmetric key is generated from the user credentials and used to encode the data. The key that was used is saved in the file system (though not all in one place, but in parts).
Is it just me, or is this some kind of nonsense? I mean, not particularly secure.
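As an added illustration of the scheme quoted above (not from the original post, and not Microsoft's DPAPI code): a toy model of the two-level key hierarchy in Python. It keeps PBKDF2 for the password-derived key but replaces Triple-DES with an HMAC-SHA256 keystream so it runs on the standard library alone; the function names and blob layout are invented. What ends up on disk is the point: the master-key file holds the MasterKey only encrypted under the password-derived key, and the data blob holds only the random salt and ciphertext, never the session key.

```python
"""Hypothetical model of the DPAPI key hierarchy (educational, not Windows code).
Triple-DES is swapped for an HMAC-SHA256 keystream so only the stdlib is needed."""
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC(key, nonce || counter); stands in for 3DES.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def create_master_key_file(password: str) -> dict:
    # The MasterKey is random; only its encryption under a PBKDF2 key is stored.
    master_key = os.urandom(32)
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    enc = _keystream_xor(kek, nonce, master_key)
    mac = hmac.new(kek, nonce + enc, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "enc": enc, "mac": mac}

def unlock_master_key(mk_file: dict, password: str) -> bytes:
    # Re-derive the password key and verify before decrypting the MasterKey.
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), mk_file["salt"], 100_000)
    tag = hmac.new(kek, mk_file["nonce"] + mk_file["enc"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, mk_file["mac"]):
        raise ValueError("wrong password: cannot decrypt MasterKey")
    return _keystream_xor(kek, mk_file["nonce"], mk_file["enc"])

def protect(master_key: bytes, data: bytes, entropy: bytes = b"") -> bytes:
    # Session key = HMAC(MasterKey, random || entropy); only the random part is stored.
    rand = os.urandom(16)
    session_key = hmac.new(master_key, rand + entropy, hashlib.sha256).digest()
    enc = _keystream_xor(session_key, rand, data)
    mac = hmac.new(session_key, rand + enc, hashlib.sha256).digest()
    return rand + mac + enc  # opaque blob: 16 random bytes, 32-byte MAC, ciphertext

def unprotect(master_key: bytes, blob: bytes, entropy: bytes = b"") -> bytes:
    # The session key is re-derived from the blob's random data, never read from disk.
    rand, mac, enc = blob[:16], blob[16:48], blob[48:]
    session_key = hmac.new(master_key, rand + entropy, hashlib.sha256).digest()
    tag = hmac.new(session_key, rand + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, mac):
        raise ValueError("wrong MasterKey or entropy: blob does not verify")
    return _keystream_xor(session_key, rand, enc)
```

Feeding a wrong password to unlock_master_key, or the wrong entropy to unprotect, fails the MAC check rather than yielding garbage, which is the property the quoted text describes.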