Securing data to a process identity

Posted by Steve Schuler on March 3, 2008, 11:01 am
Hello all -

I've been looking for a way to do this, and I'm hoping someone either can
point me at the obvious API that does this that I somehow missed after
searching long and hard, or else can comment on an idea I'll outline below
that I think would get me there.

First, here's what I'm trying to do: I want something similar to DPAPI, but
with process identity granularity. I'm going to have an administrative UI
that would take a service ID and password, call LogonUser, and then call my
encryption API to encrypt data based on something unique to the security
context created by LogonUser. Later, I want a process configured to run as
that service ID / password identity - and *only* processes running with that
identity - to be able to call a decryption API on that data. (As for why I
want this, it's to provide a "vault" to applications in a shared
environment, where I don't want to require that applications "trust" each
other. Machine-level DPAPI is inadequate for this, since any application can
decrypt another app's secrets.)

So maybe I've missed an obvious way you do this in Windows, and someone can
point me at the right API ... but if not, here's my idea:

An obvious secret associated with the process' identity is the password
hash, but how to get at it - there's no API that I can find that would let
me do that. (Of course there are hacker tools that do this using kernel mode
code, but I don't want anything so messy.) Now here's the idea: I do both
client and server sides of the NTLM challenge / response using SSPI (I have
code that does this already from something else), but I don't really do the
server side that would be generating a random challenge. Instead I feed a
constant pre-baked challenge packet to the second call to
InitializeSecurityContext, so that I get the same challenge response packet
every time, but one which still depends uniquely on the caller's security
context. That challenge response could then be used in a CryptDeriveKey call
to get the actual reversible encryption key.

I'd appreciate any comments.

Thanks,
Steve Schuler
Safeco Insurance

Please reply to the group. If you also want to send private email, I can be
reached at sjschu AT safeco DOT com

Posted by Roger Abell [MVP] on March 4, 2008, 7:54 am
Hi Steve,

There must be part of the use case you did not outline.
Also, although it depends on the network environment where
this would be running, in general the idea of using a pre-baked
challenge is asking for someone to mount a replay attack on you.

Why is some use case missing? Well, why is there this planned
code in the middle? It needs to acquire the process context of the
service ID in order to encrypt as that ID, all so that something can
be stored for use by other code running as that ID. That is what
I have taken as your stated use case. So why have this planned
code in the middle? Why not just a direct DPAPI call, either to
save it or access and use what was vaulted? I mean, your apps
would need to call your planned code, to store or access, right?
So why? I mean, why not just have them use DPAPI?

Roger

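One way to get the identity-scoped vault Roger is pointing at, as an added example that is not from either poster: the administrative tool calls LogonUser for the service account, impersonates it, and protects the secret with user-scoped DPAPI (DataProtectionScope.CurrentUser) instead of the machine scope, so only processes running as that identity hold the DPAPI master key needed to unprotect the blob. The domain, account name and password are placeholders supplied by the caller; the IdentityVault class and its entropy string are this example's own.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Added example (not code from the thread): user-scoped DPAPI under impersonation.
static class IdentityVault
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    const int LOGON32_LOGON_SERVICE = 5;   // account needs "Log on as a service"
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Secondary entropy is not a secret: it only namespaces this tool's blobs so
    // other code running as the same identity cannot unprotect them by accident.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("IdentityVault:v1");

    // Run by the admin tool: protect 'plain' as the service identity.
    public static byte[] ProtectAs(string domain, string user, string password, byte[] plain)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_SERVICE,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            // Protect executes in the impersonated context, so CurrentUser scope
            // binds the blob to the service account's DPAPI master key.
            return WindowsIdentity.RunImpersonated(token,
                () => ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser));
        }
    }

    // Run later by a process already started as the service identity: no
    // impersonation and no password needed; a process under any other identity
    // gets a CryptographicException here.
    public static byte[] Unprotect(byte[] blob) =>
        ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
}
```

User-scoped DPAPI keeps its master keys in the account's profile, so the service account's profile must be loadable on the machine where the blob is protected and unprotected; an identity-bound key derived from an NTLM response to a fixed challenge, by contrast, is only a function of the password hash and so reduces to the hash itself as the secret.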