Data access protection in W2K and later

As I discussed a few weeks back, Microsoft has publicly gotten the security religion. No doubt, there is a new emphasis on security in its products, but the results have been mixed so far. Only time will tell if it is sufficient and whether they truly "get it."

A new set of features, introduced in Windows 2000 and enhanced in Windows XP, is data access protection through the Data Protection API (DPAPI). DPAPI is a set of function calls that provide data protection services at the operating system level to user and system processes. The protection itself is a service that provides confidentiality of data through encryption. What's nice about all this is that since the protection is part of the operating system, it is available to every application, letting an application secure data without needing any cryptographic code of its own beyond the necessary function calls to DPAPI.

The DPAPI interface consists of two simple functions, CryptProtectData and CryptUnprotectData, each with various options to modify DPAPI behavior. Overall, DPAPI is an easy-to-use service that will benefit developers who must protect sensitive application data, such as passwords and private keys. The public interfaces are exported by crypt32.dll, part of the CryptoAPI, which is available on most recent versions of Windows.

Using DPAPI is quite simple. You either pass plaintext data to DPAPI and receive an opaque protected data blob back, or pass the protected data blob to DPAPI and receive the plaintext data back. When an application calls one of the DPAPI functions, the function makes a local remote procedure call (RPC) to the Local Security Authority (LSA), a system process that starts at boot. These local RPC calls never traverse the network, so all data remains on the local machine. The endpoints of these RPC calls then call DPAPI private functions to protect or unprotect the data, and those functions in turn call back into CryptoAPI for the actual encryption or decryption. All of this runs in the security context of the LSA rather than the calling application, which is what allows security audits to be generated for these operations.

DPAPI is a password-based data protection service: a password is required to provide protection. This is a potential drawback, with risks similar to those of any other password-protected system. The benefit that hopefully offsets the risk is that DPAPI uses the strong Triple-DES algorithm for encryption together with strong keys. Since DPAPI is focused on providing protection for users and requires a password to do so, it logically uses the user's logon password for protection.
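The round trip described above, as an added example that is not part of the original column: it uses the .NET ProtectedData class, which wraps CryptProtectData and CryptUnprotectData, and assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows. The secret and entropy values are constructed for the demonstration.

```powershell
# Added example (not from the original column): protect and unprotect a secret
# with DPAPI through System.Security.Cryptography.ProtectedData, the .NET wrapper
# around CryptProtectData / CryptUnprotectData. Assumes PowerShell on Windows.
Add-Type -AssemblyName System.Security

# Constructed sample secret; in practice an application password or private key.
$secret  = [System.Text.Encoding]::UTF8.GetBytes('db-password-example')

# Optional entropy (CryptProtectData's pOptionalEntropy): an application-supplied
# secondary secret mixed into the key, so another process running under the same
# logon cannot unprotect the blob unless it also knows this value.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')

# CurrentUser scope ties the blob to this logon account's DPAPI master key, which
# is itself derived from the user's logon password. LocalMachine scope would let
# any process on this machine unprotect the blob instead.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Plaintext in, opaque protected blob out (the LSA does the work via local RPC).
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
"Protected blob ($($blob.Length) bytes): " + [Convert]::ToBase64String($blob)

# Protected blob in, plaintext out: same user, same entropy.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
"Recovered: " + [System.Text.Encoding]::UTF8.GetString($plain)

# Failure case: wrong entropy (or a different logon account) is refused by the LSA.
try {
    $wrong = [System.Text.Encoding]::UTF8.GetBytes('wrong-entropy')
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $wrong, $scope)
} catch [System.Security.Cryptography.CryptographicException] {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}
```

The base64 blob is what an application would persist to a configuration file or registry value; the entropy must be kept by the application and is not stored in the blob.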
