RE: Password Hiding

From: Andrew van der Stock (avanderstock@b-sec.com)
Date: Wed Jul 30 2003 - 00:46:49 PDT


    Cryptographically, storing the secret and the key to the secret on the same
    box violates the basic idea of encrypting the information in the first
    place. Effectively, it is security through obscurity. 
    
    Saying that you still have a problem to solve, so please buy yourself a copy
    of Howard and LeBlanc's excellent book "Writing Secure Code", 2nd ed. It has
    exactly this problem covered off. 
    
    http://www.microsoft.com/mspress/books/index/5957.asp
    
    You don't say which flavor of Windows, but as you're doing security and you
    mention "service", I'm assuming that you mean something that is securable
    without a lot of work, i.e. not Win9x/ME or NT 4.0. 
    
    There are several methods. I like the DPAPI approach, but it is decryptable
    if they get LOCALSYSTEM or Admin access (or your service account for that
    matter), but fairly obscure to the average script kiddie. Plus, if they have
    that level of access, you're hosed anyway. 
    
    LSA secrets are nearly as good, but you shouldn't use them as you will need
    to run your service as LOCALSYSTEM, a security no-no (violates principle of
    least privilege). 
    
    And finally, there's the hand-rolled approach where you use an algorithm
    like RC4 or Blowfish out of Applied Crypto and try to store the key
    yourself. Don't. You (and me, and pretty much everyone) suck at
    cryptography, and you'll get it wrong. Guaranteed. 
    
    Using DPAPI (win2k and later):
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure06112002.asp
    
    LSA Secrets:
    http://www.insecure.org/sploits/NT.LSA.secrets.html
    
    Cryptography, and why we all suck at it
    
    Go to Bruce's website, and read these papers. If everyone did this, I'd earn
    a lot less money. :)
    
    http://www.counterpane.com/whycrypto.html
    http://www.counterpane.com/pitfalls.html
    
    Thanks,
    Andrew
    
    -----Original Message-----
    From: pablo gietz [mailto:pablo.gietzat_private] 
    Sent: Wednesday, 30 July 2003 4:14 AM
    To: secprog
    Subject: Password Hiding
    
    Hi all
    This is my first post,
    What can I do to hide a password that is used to encrypt-decrypt a
    config.file?
    
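    The DPAPI approach Andrew recommends above, shown as an added PowerShell example
    (this is not code from the original post or from the books and articles it links).
    It calls the .NET wrapper around CryptProtectData/CryptUnprotectData with the
    CurrentUser scope, so the blob can only be recovered by code running as the same
    Windows account that protected it, which is exactly the property (and the limit)
    discussed in the post. The file path and the entropy string are assumptions chosen
    for the example; the secret value is constructed.

```powershell
# Added example: protect a config-file secret with DPAPI under the current
# user's scope. Only the same Windows account (or someone who already has that
# account, SYSTEM or Admin, as the post notes) can unprotect it.
Add-Type -AssemblyName System.Security

# Assumed location for the protected blob; adjust to the service's data directory.
$secretPath = Join-Path $env:LOCALAPPDATA 'example-app\config.secret'

# Optional entropy: an application-specific value mixed into DPAPI's key
# derivation. It is not a secret (it ships with the binary), but it prevents an
# unrelated process running as the same user from unprotecting the blob with a
# bare DPAPI call. Assumed value for this example.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app/v1')

function Protect-ConfigSecret {
    param([Parameter(Mandatory)][string]$Plaintext)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    # Wipe the byte copy of the plaintext; the caller's string itself is
    # immutable in .NET and will be collected later.
    [Array]::Clear($bytes, 0, $bytes.Length)
    New-Item -ItemType Directory -Force -Path (Split-Path $secretPath) | Out-Null
    [System.IO.File]::WriteAllBytes($secretPath, $blob)
}

function Unprotect-ConfigSecret {
    $blob = [System.IO.File]::ReadAllBytes($secretPath)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $entropy,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Raised when a different account, different entropy or a tampered blob
        # is used: the service should fail closed rather than fall back.
        throw "DPAPI could not unprotect the secret: $($_.Exception.Message)"
    }
    $plain = [System.Text.Encoding]::UTF8.GetString($bytes)
    [Array]::Clear($bytes, 0, $bytes.Length)
    return $plain
}

# Round trip with a constructed secret value.
Protect-ConfigSecret -Plaintext 'correct horse battery staple'
$recovered = Unprotect-ConfigSecret
if ($recovered -ne 'correct horse battery staple') { throw 'DPAPI round trip failed' }
Write-Host "Secret protected at $secretPath and recovered successfully."
```

    For a Windows service, run the Protect step once under the dedicated service
    account (not as an administrator) so the blob is bound to that account's
    credentials, which keeps the least-privilege point from the post intact. Using
    the LocalMachine scope instead would let any process on the box unprotect the
    blob, which is the situation the post warns about.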



    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 08:02:10 PDT