Your SlideShare is downloading. ×
0
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Reverse of DPAPI - BlackHat DC 2010
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Reverse of DPAPI - BlackHat DC 2010

3,673

Published on

Talk I did for BlackHat DC 2010 with DPAPI reverse engineering and a tool to decrypt things related to DPAPI

Talk I did for BlackHat DC 2010 with DPAPI reverse engineering and a tool to decrypt things related to DPAPI

Published in: Software
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,673
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
48
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Decrypting DPAPI data Jean-Michel Picod, Elie Bursztein EADS, Stanford University Wednesday, February 3, 2010 1
  • 2. Data Protection API • Introduced in Windows 2000 • Aim to be an easy way for application to store safely data on disk • Tie encryption key to user password and the account SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 2
  • 3. Developer point of view DPAPI Application Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 3
  • 4. GTalk Wednesday, February 3, 2010 4
  • 5. DPAPI is a simple API* *http://msdn.microsoft.com/en-us/library/ms995355.aspx Wednesday, February 3, 2010 5
  • 6. Why digging deeper ? • Offline forensic • EFS on Linux • Security / cool things ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 6
  • 7. Previous work • Multiples attempts to analyze DPAPI • Some incomplete (Wine) • Some close source (Nir Sofer - NirSoft) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 7
  • 8. Take away • Decrypt offline sensitive data • Recover user previous passwords (Yes all of them) • Do a key escrow attack Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 8
  • 9. Outline Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • 10. Outline • DPAPI overview Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • 11. Outline • DPAPI overview • Decryption process Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • 12. Outline • DPAPI overview • Decryption process • Security design implications Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • 13. Outline • DPAPI overview • Decryption process • Security design implications • DPAPIck demo Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • 14. Crypto 911 HMAC • HMAC (Message authentication code) • Usually used to detect data tampering • Used here to derive encrypt key and IV ipad = 0x36 xor key opad = 0x5c xor key HMAC= (opad . SHA1(ipad.data)) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 10
  • 15. Crypto 911: PBKDF2 • PBKDF2 = Password based key derivation function • Basically it is a hash function (SHA1 for us) applied n times to slow down the computation. • Used to defend against brute-force • Salt is used against rainbow tables attacks. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 11
  • 16. Crypto 911 : 3DES • 3DES : Triple DES encryption • Encrypt, Decrypt, Encrypt • Exist in two flavor : 2 keys or 3 keys (64 bits each) • Windows use the strong version with 3 keys Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 12
  • 17. How the system interacts with DPAPI Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 18. How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 19. How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 20. How the system interacts with DPAPI EFS Encrypted file DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 21. How the system interacts with DPAPI EFS Encrypted file DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 22. How the system interacts with DPAPI EFS EFS user private Encrypted file key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 23. How the system interacts with DPAPI EFS EFS user private Encrypted file key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • 24. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 25. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, Encrypted data aka data blob *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 26. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, Optional description *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 27. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, Optional entropy (salt) pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 28. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, Optional password dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 29. DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Decrypted data Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • 30. Derivation scheme User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • 31. Derivation scheme SHA1(password) Pre key User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • 32. Derivation scheme SHA1(password) Pre key User Master Key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • 33. Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • 34. Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • 35. Blob structure • Returned to the application (opaque structure) • Store user encrypted data • Contains decryption parameters Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 16
  • 36. key subtleties • SHA1 password are in UTF-16LE • SID for HMAC are also in UTF-16LE (don’t forget the 0 !) • Windows 2000 do not use SHA1/3DES. We think it uses SHA1/RC4 (Anyone want to try ?). Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 17
  • 37. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 38. data blob structure key fields DWORD cbProviders; Nb of crypto providers GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 39. data blob structure key fields DWORD cbProviders; GUID *arrProviders; Crypto providers GUID DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 40. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; Nb of masters keys GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 41. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; Masters keys GUID WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 42. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; Optional description DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 43. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; Encryption algorithm ID BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 44. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; Salt generated by DPAPI DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 45. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; Hash algorithm ID BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 46. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; Unknown data BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 47. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; Encrypted data BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 48. data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Blob HMAC Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • 49. Master key structure • Store the key used to decrypt blob • Encrypted with the user password • Renewed every 3 months Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 19
  • 50. The master key file Header Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • 51. The master key file Header Keys infos Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • 52. The master key file Header Keys infos Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • 53. The master key file Header Keys infos Master key Key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • 54. The master key file Header Keys infos Master key Key ? Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • 55. Header structure Header dwVersion; Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • 56. Header structure Header dwVersion; File version Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • 57. Header structure Header dwVersion; Keys infos nullPad1; Master key szKeyGUID[36]; Master key GUID Key ? Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • 58. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • 59. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master Key struct length Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • 60. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? struct length Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • 61. Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; HMAC length Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • 62. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 63. Master key structure dwMagic; Header pbSalt[16]; Key salt Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 64. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; PBKDF2 nb rounds Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 65. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; HMAC algorithm ID Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 66. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; Encryption Algo id pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 67. Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Encrypted key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • 68. Decrypting the Master key DPAPIDecryptKey(sha1, encKey) { tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (hmac[0-35], DWORD[36-39], master-key [40-104]) = 3des-cbc(3desKey, iv, encKey) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 24
  • 69. key structure Header • Seems to have the same structure than Keys infos the master key Master key • One round of derivation (XP not Seven) Key ? Footer • 256 bits (half size of the real master-key) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 25
  • 70. Possible explanation • The documentation state a compatibility Header mode for windows 2000 exist. Keys infos • The registry key to trigger it is unknown Master key • If we are correct and W2k uses RC4 Key ? then the mystery key is possibly a RC4 Footer key (256bits is the correct size). • PBKDF2 used to compute the IV ?? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 26
  • 71. Possible explanation continued Header Keys infos • We know that RC4 have a weak key Master key scheduling algorithm (remember WEP ?) Key ? • Might be a potential weakness (or not) Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 27
  • 72. Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  • 73. Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Password GUID Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  • 74. Differences between windows version XP Vista Seven PBKDF2 Variable 4000 24000 rounds (factor ?) Symmetric algorithm 3DES 3DES AES Hash SHA1 SHA1 SHA512 algorithm Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 29
  • 75. Decrypting a blob Data blob Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 76. Decrypting a blob Master key GUID Data blob Master key file Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 77. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Pre key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 78. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations SHA1(password) Pre key User SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 79. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 80. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 81. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 82. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 83. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 84. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • 85. Decrypt blob aka the strange HMAC DecryptBlob() { kt = SHA1(masterkey) opad = 0x5c xor kt ipad = 0x36 xor kt i = SHA1(opad.SHA1(ipad . salt).entropyCond) kd = CryptDeriveKey(i) //not reversed (yet) CryptDecrypt(data, kd) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 31
  • 86. Did I miss something ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • 87. Did I miss something ? • How the OS knows the current master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • 88. Did I miss something ? • How the OS knows the current master key ? • How the OS decides to renew the master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • 89. Did I miss something ? • How the OS knows the current master key ? • How the OS decides to renew the master key ? • What happen when the user changes his password ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • 90. Key renewal process • Renewed every 3 months automatically • Passive process: executed when CryptProtect called • Hardcoded limit (location unknown) • Possibly in psbase.dll (MS crypto provider) • Can be reduced by using registry override Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 33
  • 91. Master key selection • All master keys are kept because Windows can’t tell if a key is still used • Keys are stored in %APPDATA%/Microsoft/Protect/[SID] • Current master key is specified in the Preferred file Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 34
  • 92. The Preferred file • Simply contains : “GUID master key” . “timestamp” • The key is renewed when current time > timestamp Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  • 93. The Preferred file • Simply contains : “GUID master key” . “timestamp” • The key is renewed when current time > timestamp ➡Key escrow attack : Plant a key and update the Preferred file every 3 months (e.g using the task scheduler) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  • 94. User password renewal • Master keys are re-encrypted when the password change • Experimentally not all of them, just the last few ones Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 36
  • 95. Decrypting a blob Master key GUID Data blob Master key file Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  • 96. Decrypting a blob Master key GUID CREDHIST GUID Data blob Master key file CREDHIST Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  • 97. CREDHIST overview SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • 98. CREDHIST overview Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • 99. CREDHIST overview Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • 100. CREDHIST overview Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • 101. CREDHIST overview Structure pass 1 Structure pass 2 ... Decrypt Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • 102. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 103. CREDHIST entry structure main fields idHashAlgo; Hash algo ID dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 104. CREDHIST entry structure main fields idHashAlgo; dwRounds; Nb rounds dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 105. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; Encryption Algorithm ID bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 106. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; User USID dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 107. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; Computer SID dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 108. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; Account ID bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 109. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; Encrypted password SHA1 bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 110. CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Password GUID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • 111. Decryption algorithm overview DecryptCredhist{ SID = (USID-ComputerID-AccountID) tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (SHA1[0-19], HMAC[20-39]) = 3des-cbc (3desKey, iv, encKey) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 40
  • 112. DPAPIck demo Wednesday, February 3, 2010 41
  • 113. Warning • DPAPIck is in ALPHA stage. Use it at your own risk ! You have been warned. It is just a POC • Know bugs : • No HMAC checks -> No key check. • No Seven support, tested only on XP • No conditional entropy / strong password in UI • Don’t choose the correct master key by itself • Buffer overflows :) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 42
  • 114. DPAPIck future • We made the choice to release early so you know we are telling the truth and everyone can start playing. • We will provide a more robust version and eventually open the source code so one day Linux will read EFS files :) • It just too soon for this. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 43
  • 115. LSA • LSASS secret contains a DPAPI_SYSTEM value • Length == 2 * SHA1 • Usage are unknown • We think that 1 of them is used as a SYSTEM account “password” • Need to be confirmed Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 44
  • 116. EFS • Certificate private key is encrypted with DPAPI • Key are stored in • To read EFS file offline, we just need to import the user certificate and its private keys in our key store. • Work in progress in DPAPIck Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 45
  • 117. What is next • Can we build a rogue crypto provider ? • What are the two SHA1 stored in the LSA ? • Where is stored the renewal hard lime ? • CryptDeriveKey needed to be reversed to have a fully portable implementation (Everything else is already portable) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 46
  • 118. Conclusion • Open the door to offline forensic • First step toward EFS on alternative systems • CREDHIST allows to recover previous passwords • DPAPIck : http://dpapick.com • Some things remain unknown Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 47
  • 119. Questions ? Thanks to the nightingale team Wednesday, February 3, 2010 48

×