Can my Windows domain administrator decrypt my DPAPI-encrypted files?
I want to encrypt passwords using the DPAPI like this
ProtectedData.Protect(plain, optionalEntropy, DataProtectionScope.CurrentUser);
and wonder if the domain administrator could decrypt the generated blob, as Using Passwords Effectively states:
However, in a domain environment a domain administrator can safely change your password, and you'll still have access to your encrypted files.
It seems like the domain administrator would have to decrypt the data (or rather, the encrypted master keys) first, in order to be able to re-encrypt it using a different password.
The answer is yes, provided he also has access to the entropy key (if one is created), or if he is willing and capable enough to hack into the blobs (see links below).
For the Master key in DPAPI (in CurrentUser mode), the Windows login username and password are used to generate the master key.
If the administrator updates the user's domain password, DPAPI will re-encode the master key for that user. The same goes if the user updates his password due to e.g. a monthly password change policy.
However, if he doesn't have access to the optional entropy key or the data that composes that key, the file will remain encrypted and all he will get is invalid data.
If DPAPI is used in CurrentMachine mode, the file can only be decrypted on the computer that encrypted it, however the file will be readable to all accounts on that computer, again provided they can also muster the content of the entropy key.
A good repository for information is DPAPI Secrets and this paper on reverse-engineering DPAPI + link to a tool that can recover data from DPAPI blobs
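The optional entropy this answer refers to, shown as an added C# example (not the question's or the answers' own code): the entropy is derived from a passphrase the user supplies at runtime instead of being stored beside the blob, and a decrypt under the same account but without that passphrase is rejected. It assumes .NET Framework 4.7.2+ or the System.Security.Cryptography.ProtectedData package; the helper names, salt and sample values are constructed for the example.

```csharp
// Added example, not code from the original question or answers.
// Windows-only. Needs System.Security.dll (.NET Framework 4.7.2+) or the
// System.Security.Cryptography.ProtectedData package (.NET Core/.NET 5+).
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiEntropyDemo
{
    // Derive the optional entropy from a secret the user types at runtime so it
    // is never stored next to the blob. The salt is a constructed, non-secret
    // constant; only the passphrase has to stay with the user.
    static byte[] DeriveEntropy(string passphrase)
    {
        byte[] salt = Encoding.UTF8.GetBytes("dpapi-entropy-salt-v1"); // constructed
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    static byte[] Protect(byte[] plain, byte[] entropy) =>
        ProtectedData.Protect(plain, entropy, DataProtectionScope.CurrentUser);

    // Returns null instead of throwing so the caller can tell a rejected blob
    // (wrong entropy or wrong user context) apart from a successful decrypt.
    static byte[] TryUnprotect(byte[] blob, byte[] entropy)
    {
        try { return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser); }
        catch (CryptographicException) { return null; }
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("example-service-password"); // constructed sample
        byte[] entropy = DeriveEntropy("correct horse battery staple"); // constructed sample
        byte[] blob = Protect(secret, entropy);

        // Same user context, same entropy: DPAPI decrypts the blob.
        byte[] ok = TryUnprotect(blob, entropy);
        Console.WriteLine(ok != null && Encoding.UTF8.GetString(ok) == "example-service-password"
            ? "correct entropy: decrypted" : "unexpected failure");

        // Same user context (what an admin who changed the password and logged on
        // as this user would have), but without the entropy secret: rejected.
        Console.WriteLine(TryUnprotect(blob, DeriveEntropy("wrong guess")) == null
            ? "wrong entropy: rejected" : "unexpected success");
        Console.WriteLine(TryUnprotect(blob, null) == null
            ? "no entropy: rejected" : "unexpected success");
    }
}
```

Note that the entropy only helps if the passphrase is not stored where the blob (or the account that can read it) is, which is the caveat the answer makes about the data that composes the key.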
Short answer: he probably can't right out of the box, but Domain Admin is powerful. There are many ways they can get to your key if they really want it.
Long answer: DPAPI encrypts your data with a key. IIRC, it uses AES with a key that changes every 90 days. The key is stored on your computer, encrypted with your password. That's the default and it saves your key out of reach of anyone but you.
Unless your domain admin remotely installs a key logger, steals your password, impersonates you and steals your key (or goes straight to the data which he now sees in plain text).
Another somewhat less known fact is that when Credential Roaming is enabled on Active Directory, it will send your encrypted keys to a server. A domain admin could use that copy for an offline attack. But it is hard and unless your data is very valuable, I wouldn't worry about it.
The answer is yes. PoC utility with description: Vulnerability of DPAPI data protection in Win2K, Win2K3, Windows Server 2008, and Windows Server 2012
Works in Win Server 2016/2019 as well.