How do DPAPI and ProtectedData.Protect() handle disk images / clones in .NET 4?

I am testing the idea of using the .NET v4 System.Security.Cryptography.ProtectedData.Protect() and Unprotect() methods with the DataProtectionScope.LocalMachine scope to ensure that a file can only be encrypted / decrypted on one machine. Here is a general idea of what I'm doing...

    // Requires a reference to System.Security.dll (ProtectedData lives there in .NET 4)
    using System.IO;
    using System.Security.Cryptography;

    // Encrypt: LocalMachine scope, no extra entropy (second argument is null)
    byte[] protectedBytes = ProtectedData.Protect(File.ReadAllBytes(fileIn), null, DataProtectionScope.LocalMachine);
    File.WriteAllBytes(fileOut, protectedBytes);

    // Decrypt: must run on the machine whose master key produced the blob
    byte[] plainBytes = ProtectedData.Unprotect(File.ReadAllBytes(fileIn), null, DataProtectionScope.LocalMachine);
    File.WriteAllBytes(fileOut, plainBytes);

I have done many tests to make sure I get the expected behavior with this, and it seems to work just fine in the sense that any user on one computer can encrypt / decrypt a file using the method calls listed above.

My question is: what happens if someone makes a disk image or clone (using Acronis, Ghost, etc.) of a system that contains a file encrypted with this mechanism and then restores that image to another computer? (One example is the IT department preloading one system, which then becomes the base image for a fleet of vehicles with identical equipment configurations.) Will the restored OS on the other hardware decrypt the file that was encrypted on the "original" system? I hope that, because the hardware differs, decryption will fail, but it may well be that if all the information needed for the cryptography exists in the registry or in the file system, it will work.

Obviously, I could check this for myself, but I don't have the resources to do it right now, and we have been searching endlessly to find out if anyone else knows the answer. Any advice is greatly appreciated!

2 answers

My answer only applies to DataProtectionScope.LocalMachine, because obviously DataProtectionScope.CurrentUser uses keys stored in Active Directory or some other roaming source, and is clearly not individually tied to one physical key.

As for LocalMachine, the clone of the computer will be able to open the same files, since the machine key is stored on the computer's hard drive and is generated by the "sysprep" step of the Windows installation (this is why corporate Windows deployment can use the same system image, but as long as they run sysprep, each system will have its own key).

The computer can re-create its machine key (and it can also store old keys, so the old data is still decrypted). However, I do not know how to make it recreate the key, and then delete the old ones.

Source: http://www.windows-server-answers.com/microsoft/Security-Cryptography/30350079/local-machine-masterkey-in-dpapi.aspx


Good question. Hunting around, it seems that the master key is automatically regenerated approximately every 90 days. There's a very good analysis at Passcape.com: the heart of DPAPI security is tied to the SYSKEY system, which is stored in the registry under the SYSTEM hive.

Since it obviously uses the CryptProtectData() call with the CRYPT_PROTECT_REGENERATE flag to update the DPAPI master key on the cloned system, it seems like your use case for DPAPI protection is a security risk.

My point is that although DPAPI is great for security on the local computer (but see this post on Epyx Forensics for password recovery), you will probably have to take extra security measures when cloning, especially if you cannot control how systems will be cloned.

This question is likely to get the best answer at https://security.stackexchange.com/, so you could also ask it there.
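As an added illustration of the "extra security measures" the second answer alludes to (this is example code, not from the question or either answer): the same Protect/Unprotect calls as the question, with the optional-entropy argument filled in instead of null, and Unprotect failure handled instead of assumed. The entropy value, file names and sample payload are constructed placeholders; on .NET 4 the project needs a reference to System.Security.dll, where ProtectedData is defined.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class MachineBoundFile
{
    // Constructed placeholder. The bytes must live outside the disk image
    // (e.g. supplied at provisioning time); inside the image they add nothing,
    // because a clone carries them along with the machine master key.
    static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("PLACEHOLDER-secret-held-outside-the-image");

    public static void Encrypt(string fileIn, string fileOut)
    {
        byte[] plain = File.ReadAllBytes(fileIn);
        // Same call as the question, with the entropy argument filled in instead of null.
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(fileOut, blob);
    }

    // Returns false instead of crashing when the blob cannot be opened here:
    // a different machine master key and the wrong entropy both end in
    // CryptographicException, so the caller can treat both as "not this machine".
    public static bool TryDecrypt(string fileIn, string fileOut)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(fileIn), Entropy, DataProtectionScope.LocalMachine);
            File.WriteAllBytes(fileOut, plain);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        string dir = Path.GetTempPath();
        string source = Path.Combine(dir, "dpapi-demo.txt");
        string sealedBlob = Path.Combine(dir, "dpapi-demo.bin");
        string restored = Path.Combine(dir, "dpapi-demo.out");
        File.WriteAllText(source, "constructed sample payload");   // constructed input
        Encrypt(source, sealedBlob);
        Console.WriteLine(TryDecrypt(sealedBlob, restored) ? "decrypted here" : "cannot decrypt here");
    }
}
```

Run on the machine that produced the blob it reports "decrypted here"; copy the .bin to another install (or change the entropy) and TryDecrypt returns false rather than throwing.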

