I'm aware that the ProtectedData class ends up calling Windows's Data Protection API (DPAPI). The documentation on the DPAPI function provides details like where the key is stored, who can decrypt the data, etc. However, I haven't been able to find any documentation on what the actual underlying encryption algorithm is. (I need to know the details of the protection method for security documentation for an upcoming audit). Is this just using AES or something like that? How secure is this?
- See the source code: https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.ProtectedData/src/System/Security/Cryptography/ProtectedData.cs – Felipe Oriani Aug 22 '18 at 16:50
- @FelipeOriani: No such information in the source for ProtectData since it's calling CryptProtectData by interop. You'll need to look in the source of Crypt32 to determine the algorithm. However there is documentation that explains all without the need of looking in the source code. – Sani Huttunen Aug 22 '18 at 16:56
1 Answer
DPAPI uses Triple-DES.
- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is cryptographically integrity protected, and secret data is wrapped by using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with Domain Controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets, by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modifications to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes even by processes with Administrator privileges.
DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.
However, according to Passcape, DPAPI uses AES256. At least on Windows 7.
- DPAPI uses proven cryptographic algorithms. For example, Windows 7 by default uses the AES256 encryption in the CBC mode, SHA512 for hashing and PBKDF2 as password-based key derivation routine.

Sani Huttunen
- The only problem with this answer is the extraneous and possibly misleading adjectives "strong" and "proven". It makes it seem like a marketing blurb. – President James K. Polk Aug 22 '18 at 16:54
- SHA-1 is strong?? It's considered `broken` in cryptographic standards as of last year (2017) – Sten Petrov Aug 22 '18 at 16:55
- Any text in the answer (except first line) is directly from the linked source. You'd see that if you'd bothered to read the linked article. Which by the way is from 2001. – Sani Huttunen Aug 22 '18 at 16:57
- @StenPetrov It seems unreasonable to me to criticize/downvote the answer because you disagree with Microsoft's implementation. The answer's summarizing the relevant parts of Microsoft's documentation on the topic (which is exactly what the question was asking for - this piece of documentation ended up being surprisingly hard to locate). – EJoshuaS - Stand with Ukraine Aug 22 '18 at 17:35
- @EJoshuaS: Found some more information on DPAPI and updated the answer. – Sani Huttunen Aug 22 '18 at 18:24
- @EJoshuaS picking up any article about crypto that is more than a couple years old and citing it without thinking is downright irresponsible, making the OP and others (1) consider DPAPI secure because of marketing language from 2001 and (2) consider SHA-1 secure – Sten Petrov Aug 23 '18 at 02:07
- @StenPetrov: That wasn't the question at all. The question was for information on the inner workings of DPAPI. – Sani Huttunen Aug 23 '18 at 05:33
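
The two sources quoted in the answer name different algorithms (Triple-DES/SHA-1 versus AES256/SHA512), and for audit documentation the blob returned by `ProtectedData.Protect` can settle which one a given machine used, because its header records the cipher and hash as `ALG_ID` values. The following is an added example, not part of the original thread and not Microsoft code: the header field order is an assumption taken from public reverse-engineering write-ups of the undocumented blob format, the `ALG_ID` values are those defined in `wincrypt.h`, and the function names and sample bytes are constructed for illustration.

```python
import struct

# ALG_ID constants as defined in wincrypt.h
ALG_NAMES = {
    0x6603: "3DES", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256",
    0x8004: "SHA-1", 0x800C: "SHA-256", 0x800D: "SHA-384", 0x800E: "SHA-512",
}

def dpapi_algorithms(blob: bytes) -> dict:
    """Return the cipher and hash recorded in a DPAPI blob header.

    Field order below is an assumption (the format is not documented by Microsoft).
    """
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated DPAPI blob")
        pos += n
        return blob[pos - n:pos]

    def u32() -> int:
        return struct.unpack("<I", take(4))[0]

    version = u32()
    take(16)        # provider GUID
    u32()           # MasterKey version
    take(16)        # GUID of the MasterKey protecting this blob
    u32()           # flags
    take(u32())     # description, UTF-16LE, length-prefixed
    alg_crypt, crypt_bits = u32(), u32()
    take(u32())     # salt, length-prefixed
    take(u32())     # HMAC key, length-prefixed (may be empty)
    alg_hash, hash_bits = u32(), u32()
    return {
        "version": version,
        "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)), "cipher_bits": crypt_bits,
        "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "hash_bits": hash_bits,
    }

def constructed_header(alg_crypt, crypt_bits, alg_hash, hash_bits) -> bytes:
    """Build a synthetic header (zeroed GUIDs and salt) so the demo runs offline."""
    desc = "demo\0".encode("utf-16-le")
    fixed = struct.pack("<I16sI16sII", 1, bytes(16), 1, bytes(16), 0, len(desc))
    crypt = struct.pack("<III", alg_crypt, crypt_bits, 16) + bytes(16)
    return fixed + desc + crypt + struct.pack("<III", 0, alg_hash, hash_bits)

if __name__ == "__main__":
    print(dpapi_algorithms(constructed_header(0x6603, 192, 0x8004, 160)))
    print(dpapi_algorithms(constructed_header(0x6610, 256, 0x800E, 512)))
```

On a real system the input would be the byte array returned by `ProtectedData.Protect`, written to a file and read back as `bytes`.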