Data protection API
From Wikipedia, the free encyclopedia
DPAPI (Data Protection Application Programming Interface) is a relatively easy-to-use cryptography API available as a standard component in Microsoft Windows 2000 and later versions of Windows operating systems.
For almost all types of encryption, a cryptographic key is required. A key is a string of characters or bytes that is used to encrypt or decrypt the data. However, when developing secure systems, the question of how to store the encryption key often arises. If the key is stored in plain text, then any user who can access the key can access the encrypted data. If the key is itself encrypted, another key is needed to protect it, and so on ad infinitum. DPAPI resolves this by letting developers encrypt keys under a particular user's profile or, by using the system DPAPI key, for all users of the local machine.
The keys used for encrypting the user's keys are stored under "%USERPROFILE%\Application Data\Microsoft\Protect\{SID}", where {SID} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the user's private keys. It is usually 40 bytes of random data. DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns ciphertext (or vice versa).
DPAPI security relies upon the system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios depends above all on the security of the end user's credentials. Particular data blobs (binary large objects) can be encrypted in a way that adds a salt and/or requires an external user-provided password (so-called "Strong Key Protection"). The use of a salt is a per-implementation option, under the control of the application developer, and is not controllable by the end user or IT professional.
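The two protection scopes (a single user's profile versus the whole machine) and the developer-controlled salt described above can be seen from a script. The following PowerShell is an added example, not code from the article or from Microsoft: it uses the .NET ProtectedData class (listed later on this page) on Windows, and the function names Protect-Secret and Unprotect-Secret, the sample secret and the entropy string are all constructed for the illustration.

```powershell
# Added example (not from the article): DPAPI through .NET's ProtectedData class.
# Assumes Windows; Add-Type loads the assembly on Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)] [string] $PlainText,
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser',
        [string] $Entropy   # optional application-supplied secondary secret (the "salt")
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $extra = if ($Entropy) { [System.Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $plain, $extra, [System.Security.Cryptography.DataProtectionScope]$Scope)
        return [Convert]::ToBase64String($blob)
    }
    finally {
        # Do not leave the plaintext in memory longer than needed.
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)] [string] $Base64Blob,
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Scope = 'CurrentUser',
        [string] $Entropy
    )
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $extra = if ($Entropy) { [System.Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $extra, [System.Security.Cryptography.DataProtectionScope]$Scope)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- Demo with a constructed secret ---
$secret = 'db-password-example'   # constructed sample value, not a real credential

# 1. User scope: the blob is tied to this account's master key, so only this
#    Windows user (on this profile) can unprotect it.
$userBlob = Protect-Secret -PlainText $secret -Scope CurrentUser
Unprotect-Secret -Base64Blob $userBlob -Scope CurrentUser

# 2. Machine scope: any account on this machine can unprotect the blob, so pair
#    it with entropy that only the application knows. Without the matching
#    entropy, Unprotect throws a CryptographicException rather than returning
#    wrong data.
$machineBlob = Protect-Secret -PlainText $secret -Scope LocalMachine -Entropy 'app-specific-entropy'
Unprotect-Secret -Base64Blob $machineBlob -Scope LocalMachine -Entropy 'app-specific-entropy'
try {
    Unprotect-Secret -Base64Blob $machineBlob -Scope LocalMachine | Out-Null
}
catch [System.Security.Cryptography.CryptographicException] {
    Write-Host "Unprotect without the entropy failed, as expected: $($_.Exception.Message)"
}
```

The entropy value must be stored somewhere DPAPI does not protect (for example, compiled into the application or held in a separate store), which is why the article describes it as a developer-level option rather than something an end user can turn on.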
Delegated access can be given to keys through the use of a COM+ object. This enables IIS web servers to use DPAPI.
While not universally implemented in all Microsoft products, DPAPI is gaining use over time. Many applications from Microsoft and third-party developers still prefer to roll their own protection approach or have only recently switched to DPAPI. For example, Internet Explorer versions 4.0-6.0, Outlook Express and MSN Explorer used the older Protected Storage (PStore) API to store saved credentials such as passwords. Internet Explorer 7 now protects stored user credentials using DPAPI.[1]
Use of DPAPI by Microsoft Products
- Encrypting File System in Windows 2000 and later
- Internet Explorer 7, both in the standalone version available for Windows XP and in the integrated versions available in Windows Vista and Windows Server 2008
- Outlook for S/MIME
- IIS for SSL/TLS
- Windows Rights Management Services client v1.1 and later
- Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x (WiFi authentication)
- Windows XP and later for Stored User Names and Passwords (aka Credential Manager)
- .NET Framework 2.0 and later for System.Security.Cryptography.ProtectedData
References
- [1] Mikhael Felker (December 8, 2006). Password Management Concerns with IE and Firefox, part one. SecurityFocus.com. Retrieved on 2007-06-02.
External links
- Windows Data Protection API (DPAPI)
- Data encryption with DPAPI
- Use DPAPI to encrypt and decrypt data
- How To: Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services
- System.Security.Cryptography.ProtectedData in .NET Framework 2.0 and later
- The Windows PStore