7

For password encryption I want to use ProtectedData.

As far as I found out, this is a wrapper for CryptProtectData.

The MSDN only states something vague about encryption based on user credentials and that decryption usually must be done on the same machine, if user has no roaming profile.

Which encryption algorithm does it use?

Is there any analysis that states whether this encryption is suiting for password storage?

How else to implement a local password storage?

Mare Infinitus
  • 8,024
  • 8
  • 64
  • 113

1 Answers1

7

This MSDN article has more information about CryptProtectData and DPAPI, and should contain the information you need. In particular:

DPAPI initially generates a strong key called a MasterKey, which is protected by the user's password. DPAPI uses a standard cryptographic process called Password-Based Key Derivation, described in PKCS #5, to generate a key from the password. This password-derived key is then used with Triple-DES to encrypt the MasterKey, which is finally stored in the user's profile directory.

The article applies to an older version of Windows, so depending on your Windows version, these algorithms might change, but they are probably not going to be less secure than the ones mentioned here.

Whether or not this is suitable for "password storage", depends a bit on what exactly you mean by this and what passwords you're storing I would say.

Marcus
  • 5,987
  • 3
  • 27
  • 40
  • Thank you! This is very helpful indeed. Do you know about any research how strong the encryption is? Will it be strong enough to save database credentials? – Mare Infinitus Apr 08 '13 at 10:12
  • I don't no, but according to Wikipedia (http://en.wikipedia.org/wiki/Data_Protection_API) some Microsoft products themselves use the API to store saved credentials. It also refers to a Symantec document which may be of interest (http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-one). – Marcus Apr 08 '13 at 11:54