Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Password Hiding
From: Andrew van der Stock (avanderstockb-sec.com)
Date: Wed Jul 30 2003 - 02:46:49 CDT
Cryptographically, storing the secret and the key to the secret on the same
box violates the basic idea of encrypting the information in the first
place. Effectively, it is security through obscurity.
Saying that you still have a problem to solve, so please buy yourself a copy
of Howard and LeBlanc's excellent book "Writing Secure Code", 2nd ed. It has
exactly this problem covered off.
You don't say which flavor of Windows, but as you're doing security and you
mention "service", I'm assuming that you mean something that is securable
without a lot of work, i.e. not Win9x/ME or NT 4.0.
There are several methods. I like the DPAPI approach, but it is decryptable
if they get LOCALSYSTEM or Admin access (or your service account for that
matter), but fairly obscure to the average script kiddie. Plus, if they have
that level of access, you're hosed anyway.
LSA secrets are nearly as good, but you shouldn't use them as you will need
to run your service as LOCALSYSTEM, a security no-no (violates principle of
And finally, there's the hand-rolled approach where you use an algorithm
like RC4 or Blowfish out of Applied Crypto and try to store the key
yourself. Don't. You (and me, and pretty much everyone) suck at
cryptography, and you'll get it wrong. Guaranteed.
Using DPAPI (win2k and later):
Cryptography, and why we all suck at it
Go to Bruce's website, and read these papers. If everyone did this, I'd earn
a lot less money. :)
From: pablo gietz [mailto:pablo.gietznuevobersa.com.ar]
Sent: Wednesday, 30 July 2003 4:14 AM
Subject: Password Hiding
This is my first post,
What can I do to hide a password that is used to encrypt-decrypt a