reverse of dpapi - blackhat dc 2010

of 119 /119
Decrypting DPAPI data Jean-Michel Picod, Elie Bursztein EADS, Stanford University 1 Wednesday, February 3, 2010

Author: jmichelp

Post on 01-Sep-2014

3.844 views

Category:

Software


3 download

Embed Size (px)

DESCRIPTION

Talk I did for BlackHat DC 2010 with DPAPI reverse engineering and a tool to decrypt things related to DPAPI

TRANSCRIPT

  • Decrypting DPAPI data Jean-Michel Picod, Elie Bursztein EADS, Stanford University Wednesday, February 3, 2010 1
  • Data Protection API Introduced in Windows 2000 Aim to be an easy way for application to store safely data on disk Tie encryption key to user password and the account SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 2
  • Developer point of view DPAPI Application Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 3
  • GTalk Wednesday, February 3, 2010 4
  • DPAPI is a simple API* *http://msdn.microsoft.com/en-us/library/ms995355.aspx Wednesday, February 3, 2010 5
  • Why digging deeper ? Ofine forensic EFS on Linux Security / cool things ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 6
  • Previous work Multiples attempts to analyze DPAPI Some incomplete (Wine) Some close source (Nir Sofer - NirSoft) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 7
  • Take away Decrypt ofine sensitive data Recover user previous passwords (Yes all of them) Do a key escrow attack Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 8
  • Outline Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • Outline DPAPI overview Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • Outline DPAPI overview Decryption process Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • Outline DPAPI overview Decryption process Security design implications Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • Outline DPAPI overview Decryption process Security design implications DPAPIck demo Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 9
  • Crypto 911 HMAC HMAC (Message authentication code) Usually used to detect data tampering Used here to derive encrypt key and IV ipad = 0x36 xor key opad = 0x5c xor key HMAC= (opad . SHA1(ipad.data)) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 10
  • Crypto 911: PBKDF2 PBKDF2 = Password based key derivation function Basically it is a hash function (SHA1 for us) applied n times to slow down the computation. Used to defend against brute-force Salt is used against rainbow tables attacks. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 11
  • Crypto 911 : 3DES 3DES : Triple DES encryption Encrypt, Decrypt, Encrypt Exist in two avor : 2 keys or 3 keys (64 bits each) Windows use the strong version with 3 keys Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 12
  • How the system interacts with DPAPI Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI EFS Encrypted le DPAPI cryptoAPI crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI EFS Encrypted le DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI EFS EFS user private Encrypted le key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • How the system interacts with DPAPI EFS EFS user private Encrypted le key DPAPI cryptoAPI EFS crypt32.dll Local Security Authority cryptoAPI crypt32.dll Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 13
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, Encrypted data aka data blob *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, Optional description *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, Optional entropy (salt) pvReserved, *pPromptStruct, dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, Optional password dwFlags, *pDataOut Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • DPAPI CryptUnprotecData Function BOOL WINAPI CryptUnprotectData ( *pDataIn, *ppszDataDescr, *pOptionalEntropy, pvReserved, *pPromptStruct, dwFlags, *pDataOut Decrypted data Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 14
  • Derivation scheme User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • Derivation scheme SHA1(password) Pre key User Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • Derivation scheme SHA1(password) Pre key User Master Key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • Derivation scheme SHA1(password) Pre key User Master Key Blob key Blob key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 15
  • Blob structure Returned to the application (opaque structure) Store user encrypted data Contains decryption parameters Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 16
  • key subtleties SHA1 password are in UTF-16LE SID for HMAC are also in UTF-16LE (dont forget the 0 !) Windows 2000 do not use SHA1/3DES. We think it uses SHA1/RC4 (Anyone want to try ?). Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 17
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; Nb of crypto providers GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; Crypto providers GUID DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; Nb of masters keys GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; Masters keys GUID WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; Optional description DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; Encryption algorithm ID BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; Salt generated by DPAPI DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; Hash algorithm ID BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; Unknown data BYTE *pbCipher; BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; Encrypted data BYTE *pbHMAC; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • data blob structure key fields DWORD cbProviders; GUID *arrProviders; DWORD cbKeys; GUID *arrKeys; WCHAR *ppszDataDescr; DWORD idCipherAlgo; BYTE *pbSalt; DWORD idHashAlgo; BYTE *pbUnknown; BYTE *pbCipher; BYTE *pbHMAC; Blob HMAC Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 18
  • Master key structure Store the key used to decrypt blob Encrypted with the user password Renewed every 3 months Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 19
  • The master key file Header Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • The master key file Header Keys infos Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • The master key file Header Keys infos Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • The master key file Header Keys infos Master key Key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • The master key file Header Keys infos Master key Key ? Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 20
  • Header structure Header dwVersion; Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • Header structure Header dwVersion; File version Keys infos nullPad1; Master key Key ? szKeyGUID[36]; Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • Header structure Header dwVersion; Keys infos nullPad1; Master key szKeyGUID[36]; Master key GUID Key ? Footer nullPad2; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 21
  • Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master Key struct length Master key cbMysteryKey; Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? struct length Key ? dwHMACLen; Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • Key infos structure dwUnknown; Header Keys infos cbMasterKey; Master key cbMysteryKey; Key ? dwHMACLen; HMAC length Footer nullPad3; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 22
  • Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Master key structure dwMagic; Header pbSalt[16]; Key salt Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; PBKDF2 nb rounds Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; HMAC algorithm ID Footer idCipherAlgo; pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; Encryption Algo id pbCipheredKey[]; Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Master key structure dwMagic; Header pbSalt[16]; Keys infos cbIteration; Master key Key ? idMACAlgo; Footer idCipherAlgo; pbCipheredKey[]; Encrypted key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 23
  • Decrypting the Master key DPAPIDecryptKey(sha1, encKey) { tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (hmac[0-35], DWORD[36-39], master-key [40-104]) = 3des-cbc(3desKey, iv, encKey) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 24
  • key structure Header Seems to have the same structure than Keys infos the master key Master key One round of derivation (XP not Seven) Key ? Footer 256 bits (half size of the real master-key) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 25
  • Possible explanation The documentation state a compatibility Header mode for windows 2000 exist. Keys infos The registry key to trigger it is unknown Master key If we are correct and W2k uses RC4 Key ? then the mystery key is possibly a RC4 Footer key (256bits is the correct size). PBKDF2 used to compute the IV ?? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 26
  • Possible explanation continued Header Keys infos We know that RC4 have a weak key Master key scheduling algorithm (remember WEP ?) Key ? Might be a potential weakness (or not) Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 27
  • Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  • Header structure Header Keys infos dwMagic; Master key Key ? credHist[16]; Password GUID Footer Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 28
  • Differences between windows version XP Vista Seven PBKDF2 Variable 4000 24000 rounds (factor ?) Symmetric algorithm 3DES 3DES AES Hash SHA1 SHA1 SHA512 algorithm Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 29
  • Decrypting a blob Data blob Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Pre key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations SHA1(password) Pre key User SID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV Master key Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key SHA1(password) Pre key User SID Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 30
  • Decrypt blob aka the strange HMAC DecryptBlob() { kt = SHA1(masterkey) opad = 0x5c xor kt ipad = 0x36 xor kt i = SHA1(opad.SHA1(ipad . salt).entropyCond) kd = CryptDeriveKey(i) //not reversed (yet) CryptDecrypt(data, kd) } Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 31
  • Did I miss something ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • Did I miss something ? How the OS knows the current master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • Did I miss something ? How the OS knows the current master key ? How the OS decides to renew the master key ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • Did I miss something ? How the OS knows the current master key ? How the OS decides to renew the master key ? What happen when the user changes his password ? Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 32
  • Key renewal process Renewed every 3 months automatically Passive process: executed when CryptProtect called Hardcoded limit (location unknown) Possibly in psbase.dll (MS crypto provider) Can be reduced by using registry override Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 33
  • Master key selection All master keys are kept because Windows cant tell if a key is still used Keys are stored in %APPDATA%/Microsoft/Protect/[SID] Current master key is specied in the Preferred le Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 34
  • The Preferred file Simply contains : GUID master key . timestamp The key is renewed when current time > timestamp Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  • The Preferred file Simply contains : GUID master key . timestamp The key is renewed when current time > timestamp Key escrow attack : Plant a key and update the Preferred le every 3 months (e.g using the task scheduler) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 35
  • User password renewal Master keys are re-encrypted when the password change Experimentally not all of them, just the last few ones Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 36
  • Decrypting a blob Master key GUID Data blob Master key le Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  • Decrypting a blob Master key GUID CREDHIST GUID Data blob Master key le CREDHIST Salt, Nb iterations Cipher + Key Pre key SHA1(password) Sal t+ IV d wor ss Master key l pa na i tio A dd Blob key Additional entropy Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 37
  • CREDHIST overview SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • CREDHIST overview Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • CREDHIST overview Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • CREDHIST overview Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • CREDHIST overview Structure pass 1 Structure pass 2 ... Decrypt Structure pass n- 3 Decrypt Structure pass n-2 Decrypt Structure Decrypt pass n-1 SHA1(password) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 38
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; Hash algo ID dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; Nb rounds dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; Encryption Algorithm ID bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; User USID dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; Computer SID dwAccountID; bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; Account ID bData[28]; bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; Encrypted password SHA1 bPasswordID[16] Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • CREDHIST entry structure main fields idHashAlgo; dwRounds; dwCipherAlgo; bSID[12]; dwComputerSID[3]; dwAccountID; bData[28]; bPasswordID[16] Password GUID Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 39
  • Decryption algorithm overview DecryptCredhist{ SID = (USID-ComputerID-AccountID) tmp-key = HMAC(sha1, SID) pre-key = PBKDF2(decryptKey, Salt, ID_ALGO, nbIteration) 3desKey = pre-key[0 - 23] 3desIV = [24 - 31] (SHA1[0-19], HMAC[20-39]) = 3des-cbc (3desKey, iv, encKey) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 40
  • DPAPIck demo Wednesday, February 3, 2010 41
  • Warning DPAPIck is in ALPHA stage. Use it at your own risk ! You have been warned. It is just a POC Know bugs : No HMAC checks -> No key check. No Seven support, tested only on XP No conditional entropy / strong password in UI Dont choose the correct master key by itself Buffer overows :) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 42
  • DPAPIck future We made the choice to release early so you know we are telling the truth and everyone can start playing. We will provide a more robust version and eventually open the source code so one day Linux will read EFS les :) It just too soon for this. Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 43
  • LSA LSASS secret contains a DPAPI_SYSTEM value Length == 2 * SHA1 Usage are unknown We think that 1 of them is used as a SYSTEM account password Need to be conrmed Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 44
  • EFS Certicate private key is encrypted with DPAPI Key are stored in To read EFS le ofine, we just need to import the user certicate and its private keys in our key store. Work in progress in DPAPIck Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 45
  • What is next Can we build a rogue crypto provider ? What are the two SHA1 stored in the LSA ? Where is stored the renewal hard lime ? CryptDeriveKey needed to be reversed to have a fully portable implementation (Everything else is already portable) Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 46
  • Conclusion Open the door to ofine forensic First step toward EFS on alternative systems CREDHIST allows to recover previous passwords DPAPIck : http://dpapick.com Some things remain unknown Jean-Michel Picod, Elie Bursztein http://www.dpapick.com Wednesday, February 3, 2010 47
  • Questions ? Thanks to the nightingale team Wednesday, February 3, 2010 48