ProtectData class 使用哪种加密算法?
Which encryption algorithm does the ProtectData class use?
我知道 ProtectedData class ends up calling Windows's Data Protection API (DPAPI). The documentation on the DPAPI function 提供了详细信息,例如密钥的存储位置、谁可以解密数据等。但是,我无法找到任何有关实际基础的文档加密算法是。 (我需要了解安全文档保护方法的详细信息,以便进行即将进行的审计)。这只是使用 AES 还是类似的东西?这有多安全?
DPAPI 使用 Triple-DES。
- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is cryptographically integrity protected, and secret data is wrapped by using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with Domain Controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets, by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modifications to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes even by processes with Administrator privileges.
DPAPI initially generates a strong key called a MasterKey, which is
protected by the user's password. DPAPI uses a standard cryptographic
process called Password-Based Key Derivation, described in PKCS #5, to
generate a key from the password. This password-derived key is then
used with Triple-DES to encrypt the MasterKey, which is finally stored
in the user's profile directory.
然而,根据 Passcape,DPAPI 使用 AES256。至少 Windows 7.
- DPAPI uses proven cryptographic algorithms. For example, Windows 7 by default uses the AES256 encryption in the CBC mode, SHA512 for hashing and PBKDF2 as password-based key derivation routine.
我知道 ProtectedData class ends up calling Windows's Data Protection API (DPAPI). The documentation on the DPAPI function 提供了详细信息,例如密钥的存储位置、谁可以解密数据等。但是,我无法找到任何有关实际基础的文档加密算法是。 (我需要了解安全文档保护方法的详细信息,以便进行即将进行的审计)。这只是使用 AES 还是类似的东西?这有多安全?
DPAPI 使用 Triple-DES。
- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is cryptographically integrity protected, and secret data is wrapped by using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with Domain Controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets, by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modifications to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes even by processes with Administrator privileges.
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
然而,根据 Passcape,DPAPI 使用 AES256。至少 Windows 7.
- DPAPI uses proven cryptographic algorithms. For example, Windows 7 by default uses the AES256 encryption in the CBC mode, SHA512 for hashing and PBKDF2 as password-based key derivation routine.