Decrypting DPAPI data
                              Jean-Michel Picod, Elie Bursztein
                                 EAD...
Data Protection API




            • Introduced in Windows 2000
            • Aim to be an easy way for application to st...
Developer point of view




                                         DPAPI


                       Application




     J...
GTalk
Wednesday, February 3, 2010           4
DPAPI is a simple API*


                                 *http://msdn.microsoft.com/en-us/library/ms995355.aspx


Wednesd...
Why digging deeper ?




            • Offline forensic
            • EFS on Linux
            • Security / cool things ?

...
Previous work




            • Multiples attempts to analyze DPAPI
             • Some incomplete (Wine)
             • S...
Take away




            • Decrypt offline sensitive data
            • Recover user previous passwords (Yes all of them)
...
Outline




         Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com
Wednesday, February 3, 2010               ...
Outline




            • DPAPI overview




         Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com
Wednesday...
Outline




            • DPAPI overview
            • Decryption process



         Jean-Michel Picod, Elie Bursztein   ...
Outline




            • DPAPI overview
            • Decryption process
            • Security design implications


   ...
Outline




            • DPAPI overview
            • Decryption process
            • Security design implications
     ...
Crypto 911 HMAC



            • HMAC (Message authentication code)
               • Usually used to detect data tampering...
Crypto 911: PBKDF2




            • PBKDF2 = Password based key derivation function
            • Basically it is a hash ...
Crypto 911 : 3DES




            • 3DES : Triple DES encryption
             • Encrypt, Decrypt, Encrypt
             • E...
How the system interacts with DPAPI




     Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com
Wednesday, Februar...
How the system interacts with DPAPI




                                      DPAPI
                                    cr...
How the system interacts with DPAPI




                                      DPAPI
                                    cr...
How the system interacts with DPAPI


                                                       EFS
                         ...
How the system interacts with DPAPI


                                                       EFS
                         ...
How the system interacts with DPAPI


                                                                      EFS
          ...
How the system interacts with DPAPI


                                                                      EFS
          ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,

       ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,         ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,

       ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,

       ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,

       ...
DPAPI CryptUnprotecData Function



                BOOL WINAPI CryptUnprotectData (

                  *pDataIn,

       ...
Derivation scheme


                              User




     Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com...
Derivation scheme

                                         SHA1(password)
                                               ...
Derivation scheme

                                         SHA1(password)
                                               ...
Derivation scheme

                                         SHA1(password)
                                               ...
Derivation scheme

                                         SHA1(password)
                                               ...
Blob structure




            • Returned to the application (opaque structure)
            • Store user encrypted data
  ...
key subtleties




            • SHA1 password are in UTF-16LE
            • SID for HMAC are also in UTF-16LE (don’t forg...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	

               Nb of crypto providers
     ...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
data blob structure key fields

               DWORD	

         cbProviders;	


               GUID	

         *arrProvide...
Master key structure




            • Store the key used to decrypt blob
            • Encrypted with the user password
 ...
The master key file


                                         Header




     Jean-Michel Picod, Elie Bursztein          ...
The master key file


                                          Header

                                         Keys info...
The master key file


                                          Header

                                         Keys info...
The master key file


                                          Header

                                         Keys info...
The master key file


                                          Header

                                         Keys info...
Header structure




        Header
                                  dwVersion;
     Keys infos
                         ...
Header structure




        Header
                                  dwVersion;       File version
     Keys infos
      ...
Header structure




        Header
                                  dwVersion;
     Keys infos
                         ...
Key infos structure



                                  dwUnknown;
        Header

     Keys infos                   cbMa...
Key infos structure



                                  dwUnknown;
        Header

     Keys infos                   cbMa...
Key infos structure



                                  dwUnknown;
        Header

     Keys infos                   cbMa...
Key infos structure



                                  dwUnknown;
        Header

     Keys infos                   cbMa...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Master key structure


                                  dwMagic;
        Header
                                  pbSalt[...
Decrypting the Master key

               DPAPIDecryptKey(sha1, encKey) {
                         tmp-key = HMAC(sha1, SI...
key structure




        Header
                              •   Seems to have the same structure than
     Keys infos
 ...
Possible explanation



                                  • The documentation state a compatibility
        Header        ...
Possible explanation continued




        Header

     Keys infos
                                  • We know that RC4 ha...
Header structure




        Header

     Keys infos
                                  dwMagic;
    Master key

         K...
Header structure




        Header

     Keys infos
                                  dwMagic;
    Master key

         K...
Differences between windows version



                                         XP     Vista    Seven

               PBKD...
Decrypting a blob

                    Data blob




     Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com
Wedne...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypt blob aka the strange HMAC

               DecryptBlob() {
               kt = SHA1(masterkey)
               opad ...
Did I miss something ?




         Jean-Michel Picod, Elie Bursztein   http://www.dpapick.com
Wednesday, February 3, 2010...
Did I miss something ?




            • How the OS knows the current master key ?




         Jean-Michel Picod, Elie Bu...
Did I miss something ?




            • How the OS knows the current master key ?
            • How the OS decides to ren...
Did I miss something ?




            • How the OS knows the current master key ?
            • How the OS decides to ren...
Key renewal process



            • Renewed every 3 months automatically
             • Passive process: executed when Cr...
Master key selection




            • All master keys are kept because Windows can’t
                   tell if a key is ...
The Preferred file


       • Simply contains :
                                   “GUID master key” . “timestamp”
       ...
The Preferred file


       • Simply contains :
                                   “GUID master key” . “timestamp”
       ...
User password renewal




            • Master keys are re-encrypted when the password
                   change
         ...
Decrypting a blob

                                   Master key GUID
                    Data blob                       ...
Decrypting a blob

                                   Master key GUID                            CREDHIST GUID
           ...
CREDHIST overview




                                         SHA1(password)




     Jean-Michel Picod, Elie Bursztein  ...
CREDHIST overview




                                         Structure   Decrypt
                                       ...
CREDHIST overview




                                         Structure
                                         pass n-2...
CREDHIST overview




                                         Structure
                                         pass n- ...
CREDHIST overview
                                         Structure
                                          pass 1

   ...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;               Hash algo ID
               dwRounds;

  ...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;                 Nb rounds
   ...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
CREDHIST entry structure main fields



               idHashAlgo;

               dwRounds;

               dwCipherAlgo;...
Decryption algorithm overview

               DecryptCredhist{
                         SID = (USID-ComputerID-AccountID)
...
DPAPIck demo




Wednesday, February 3, 2010                  41
Warning

            • DPAPIck is in ALPHA stage. Use it at your own
                   risk ! You have been warned. It is...
DPAPIck future



            • We made the choice to release early so you know
                   we are telling the trut...
LSA



            • LSASS secret contains a DPAPI_SYSTEM value
            • Length == 2 * SHA1
            • Usage are u...
EFS


            • Certificate private key is encrypted with DPAPI
            • Key are stored in

            • To read ...
What is next



            • Can we build a rogue crypto provider ?
            • What are the two SHA1 stored in the LSA...
Conclusion




            • Open the door to offline forensic
            • First step toward EFS on alternative systems
 ...
Questions ?
                              Thanks to the nightingale team




Wednesday, February 3, 2010                  ...
Upcoming SlideShare
Loading in …5
×

Reverse of DPAPI - BlackHat DC 2010

4,055
-1

Published on

Talk I did for BlackHat DC 2010 with DPAPI reverse engineering and a tool to decrypt things related to DPAPI

Published in: Software
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
4,055
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
53
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Reverse of DPAPI - BlackHat DC 2010

  1. 1. Decrypting DPAPI data Jean-Michel Picod, Elie Bursztein EADS, Stanford University Wednesday, February 3, 2010 1
  2. 2. Data Protection API • Introduced in Windows 2000 • Aim to be an easy way for application to store safely data on disk • Tie encryption key to user password and the account SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 2
  3. 3. Developer point of view DPAPI Application Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 3
  4. 4. GTalk Wednesday, February 3, 2010 4
  5. 5. DPAPI is a simple API* *http://msdn.microsoft.com/en-us/library/ms995355.aspx Wednesday, February 3, 2010 5
  6. 6. Why digging deeper ? • Offline forensic • EFS on Linux • Security / cool things ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 6
  7. 7. Previous work • Multiples attempts to analyze DPAPI • Some incomplete (Wine) • Some close source (Nir Sofer - NirSoft) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 7
  8. 8. Take away • Decrypt offline sensitive data • Recover user previous passwords (Yes all of them) • Do a key escrow attack Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 8
  9. 9. Outline Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  10. 10. Outline • DPAPI overview Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  11. 11. Outline • DPAPI overview • Decryption process Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  12. 12. Outline • DPAPI overview • Decryption process • Security design implications Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  13. 13. Outline • DPAPI overview • Decryption process • Security design implications • DPAPIck demo Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  14. 14. Crypto 911 HMAC • HMAC (Message authentication code) • Usually used to detect data tampering • Used here to derive encrypt key and IV ipad = 0x36 xor key opad = 0x5c xor key HMAC= (opad . SHA1(ipad.data)) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 10
  15. 15. Crypto 911: PBKDF2 • PBKDF2 = Password based key derivation function • Basically it is a hash function (SHA1 for us) applied n times to slow down the computation. • Used to defend against brute-force • Salt is used against rainbow tables attacks. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 11
  16. 16. Crypto 911 : 3DES • 3DES : Triple DES encryption • Encrypt, Decrypt, Encrypt • Exist in two flavor : 2 keys or 3 keys (64 bits each) • Windows use the strong version with 3 keys Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 12
  17. 17. How the system interacts with DPAPI Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  18. 18. How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  19. 19. How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  20. 20. How the system interacts with DPAPI EFS Encrypted file DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  21. 21. How the system interacts with DPAPI EFS Encrypted file DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  22. 22. How the system interacts with DPAPI EFS EFS user private Encrypted file key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  23. 23. How the system interacts with DPAPI EFS EFS user private Encrypted file key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  24. 24. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  25. 25. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, Encrypted data aka data blob *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  26. 26. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, Optional description *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  27. 27. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, Optional entropy (salt) pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  28. 28. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, Optional password dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  29. 29. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Decrypted data Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  30. 30. Derivation scheme User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  31. 31. Derivation scheme SHA1(password) Pre key User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  32. 32. Derivation scheme SHA1(password) Pre key User Master Key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  33. 33. Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  34. 34. Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  35. 35. Blob structure • Returned to the application (opaque structure) • Store user encrypted data • Contains decryption parameters Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 16
  36. 36. key subtleties • SHA1 password are in UTF-16LE • SID for HMAC are also in UTF-16LE (don’t forget the 0 !) • Windows 2000 do not use SHA1/3DES. We think it uses SHA1/RC4 (Anyone want to try ?). Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 17
  37. 37. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  38. 38. data blob structure key fields DWORD cbProviders; Nb of crypto providers GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  39. 39. data blob structure key fields DWORD cbProviders; GUID *arrProviders; Crypto providers GUID DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  40. 40. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; Nb of masters keys GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  41. 41. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; Masters keys GUID WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  42. 42. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; Optional description DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  43. 43. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; Encryption algorithm ID BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  44. 44. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; Salt generated by DPAPI DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  45. 45. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; Hash algorithm ID BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  46. 46. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; Unknown data BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  47. 47. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; Encrypted data BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  48. 48. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Blob HMAC Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  49. 49. Master key structure • Store the key used to decrypt blob • Encrypted with the user password • Renewed every 3 months Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 19
  50. 50. The master key file Header Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  51. 51. The master key file Header Keys infos Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  52. 52. The master key file Header Keys infos Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  53. 53. The master key file Header Keys infos Master key Key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  54. 54. The master key file Header Keys infos Master key Key ? Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  55. 55. Header structure Header dwVersion; Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  56. 56. Header structure Header dwVersion; File version Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  57. 57. Header structure Header dwVersion; Keys infos nullPad1; Master key szKeyGUID[36]; Master key GUID Key ? Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  58. 58. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  59. 59. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master Key struct length Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  60. 60. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? struct length Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  61. 61. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; HMAC length Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  62. 62. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  63. 63. Master key structure dwMagic; Header pbSalt[16]; Key salt Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  64. 64. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; PBKDF2 nb rounds Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  65. 65. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; HMAC algorithm ID Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  66. 66. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; Encryption Algo id pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  67. 67. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Encrypted key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  68. 68. Decrypting the Master key DPAPIDecryptKey(sha1, encKey) { tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (hmac[0-35], DWORD[36-39], master-key [40-104]) = 3des-cbc(3desKey, iv, encKey) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 24
  69. 69. key structure Header • Seems to have the same structure than Keys infos the master key Master key • One round of derivation (XP not Seven) Key ? Footer • 256 bits (half size of the real master-key) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 25
  70. 70. Possible explanation • The documentation state a compatibility Header mode for windows 2000 exist. Keys infos • The registry key to trigger it is unknown Master key • If we are correct and W2k uses RC4 Key ? then the mystery key is possibly a RC4 Footer key (256bits is the correct size). • PBKDF2 used to compute the IV ?? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 26
  71. 71. Possible explanation continued Header Keys infos • We know that RC4 have a weak key Master key scheduling algorithm (remember WEP ?) Key ? • Might be a potential weakness (or not) Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 27
  72. 72. Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  73. 73. Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Password GUID Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  74. 74. Differences between windows version XP Vista Seven PBKDF2 Variable 4000 24000 rounds (factor ?) Symmetric algorithm 3DES 3DES AES Hash SHA1 SHA1 SHA512 algorithm Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 29
  75. 75. Decrypting a blob Data blob Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  76. 76. Decrypting a blob Master key GUID Data blob Master key file Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  77. 77. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Pre key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  78. 78. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations SHA1(password) Pre key User SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  79. 79. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  80. 80. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  81. 81. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  82. 82. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  83. 83. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  84. 84. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  85. 85. Decrypt blob aka the strange HMAC DecryptBlob() { kt = SHA1(masterkey) opad = 0x5c xor kt ipad = 0x36 xor kt i = SHA1(opad.SHA1(ipad . salt).entropyCond) kd = CryptDeriveKey(i) //not reversed (yet) CryptDecrypt(data, kd) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 31
  86. 86. Did I miss something ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  87. 87. Did I miss something ? • How the OS knows the current master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  88. 88. Did I miss something ? • How the OS knows the current master key ? • How the OS decides to renew the master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  89. 89. Did I miss something ? • How the OS knows the current master key ? • How the OS decides to renew the master key ? • What happen when the user changes his password ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  90. 90. Key renewal process • Renewed every 3 months automatically • Passive process: executed when CryptProtect called • Hardcoded limit (location unknown) • Possibly in psbase.dll (MS crypto provider) • Can be reduced by using registry override Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 33
  91. 91. Master key selection • All master keys are kept because Windows can’t tell if a key is still used • Keys are stored in %APPDATA%/Microsoft/Protect/[SID] • Current master key is specified in the Preferred file Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 34
  92. 92. The Preferred file • Simply contains : “GUID master key” . “timestamp” • The key is renewed when current time > timestamp Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  93. 93. The Preferred file • Simply contains : “GUID master key” . “timestamp” • The key is renewed when current time > timestamp ➡Key escrow attack : Plant a key and update the Preferred file every 3 months (e.g using the task scheduler) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  94. 94. User password renewal • Master keys are re-encrypted when the password change • Experimentally not all of them, just the last few ones Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 36
  95. 95. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  96. 96. Decrypting a blob Master key GUID CREDHIST GUID Data blob Master key file CREDHIST Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  97. 97. CREDHIST overview SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  98. 98. CREDHIST overview Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  99. 99. CREDHIST overview Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  100. 100. CREDHIST overview Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  101. 101. CREDHIST overview Structure pass 1 Structure pass 2 ... Decrypt Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  102. 102. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  103. 103. CREDHIST entry structure main fields idHashAlgo; Hash algo ID dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  104. 104. CREDHIST entry structure main fields idHashAlgo; dwRounds; Nb rounds dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  105. 105. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; Encryption Algorithm ID bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  106. 106. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; User USID dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  107. 107. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; Computer SID dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  108. 108. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; Account ID bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  109. 109. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; Encrypted password SHA1 bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  110. 110. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Password GUID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  111. 111. Decryption algorithm overview DecryptCredhist{ SID = (USID-ComputerID-AccountID) tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (SHA1[0-19], HMAC[20-39]) = 3des-cbc (3desKey, iv, encKey) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 40
  112. 112. DPAPIck demo Wednesday, February 3, 2010 41
  113. 113. Warning • DPAPIck is in ALPHA stage. Use it at your own risk ! You have been warned. It is just a POC • Know bugs : • No HMAC checks -> No key check. • No Seven support, tested only on XP • No conditional entropy / strong password in UI • Don’t choose the correct master key by itself • Buffer overflows :) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 42
  114. 114. DPAPIck future • We made the choice to release early so you know we are telling the truth and everyone can start playing. • We will provide a more robust version and eventually open the source code so one day Linux will read EFS files :) • It just too soon for this. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 43
  115. 115. LSA • LSASS secret contains a DPAPI_SYSTEM value • Length == 2 * SHA1 • Usage are unknown • We think that 1 of them is used as a SYSTEM account “password” • Need to be confirmed Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 44
  116. 116. EFS • Certificate private key is encrypted with DPAPI • Key are stored in • To read EFS file offline, we just need to import the user certificate and its private keys in our key store. • Work in progress in DPAPIck Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 45
  117. 117. What is next • Can we build a rogue crypto provider ? • What are the two SHA1 stored in the LSA ? • Where is stored the renewal hard lime ? • CryptDeriveKey needed to be reversed to have a fully portable implementation (Everything else is already portable) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 46
  118. 118. Conclusion • Open the door to offline forensic • First step toward EFS on alternative systems • CREDHIST allows to recover previous passwords • DPAPIck : http://dpapick.com • Some things remain unknown Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 47
  119. 119. Questions ? Thanks to the nightingale team Wednesday, February 3, 2010 48

×