Pantek Library

RE: Password Hiding

From: Andrew van der Stock <avanderstock(at)b-sec.com>
Date: Wed Jul 30 2003 - 03:46:49 EDT


Cryptographically, storing the secret and the key to the secret on the same box violates the basic idea of encrypting the information in the first place. Effectively, it is security through obscurity.

Saying that, you still have a problem to solve, so please buy yourself a copy of Howard and LeBlanc's excellent book "Writing Secure Code", 2nd ed. It has exactly this problem covered off.

http://www.microsoft.com/mspress/books/index/5957.asp

You don't say which flavor of Windows, but as you're doing security and you mention "service", I'm assuming that you mean something that is securable without a lot of work, i.e. not Win9x/ME or NT 4.0.

There are several methods. I like the DPAPI approach, but it is decryptable if they get LOCALSYSTEM or Admin access (or your service account, for that matter), though it is fairly obscure to the average script kiddie. Plus, if they have that level of access, you're hosed anyway.

LSA secrets are nearly as good, but you shouldn't use them as you will need to run your service as LOCALSYSTEM, a security no-no (violates principle of least privilege).

And finally, there's the hand-rolled approach where you use an algorithm like RC4 or Blowfish out of Applied Crypto and try to store the key yourself. Don't. You (and me, and pretty much everyone) suck at cryptography, and you'll get it wrong. Guaranteed.

Using DPAPI (win2k and later):
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure06112002.asp


LSA Secrets:
http://www.insecure.org/sploits/NT.LSA.secrets.html

Cryptography, and why we all suck at it

Go to Bruce's website, and read these papers. If everyone did this, I'd earn a lot less money. :)

http://www.counterpane.com/whycrypto.html
http://www.counterpane.com/pitfalls.html

Thanks,
Andrew

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
Sent: Wednesday, 30 July 2003 4:14 AM
To: secprog
Subject: Password Hiding

Hi all
This is my first post,
What can I do to hide a password that is used to encrypt-decrypt a config.file?

Received on Wed Jul 30 11:03:14 2003
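Added example, not part of the original thread or any poster's code: the DPAPI approach Andrew recommends, driven from PowerShell through the .NET ProtectedData wrapper around CryptProtectData/CryptUnprotectData. It protects a config-file secret under the CurrentUser scope (so the blob is bound to the service account's DPAPI master key), adds an ACL on the file, and shows the scope caveat from the reply: a LocalMachine-scope blob decrypts for anyone on the box. The service account name `svc_app`, the path under ProgramData and the entropy string are assumptions for illustration. It is Windows-only and should be run once as the service account.

```powershell
# Added example (not from the original thread): protecting a config-file secret with DPAPI.
# Assumptions: Windows with the .NET ProtectedData class; a dedicated service account
# 'svc_app' (hypothetical); the file location below is hypothetical as well.

Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1; harmless on pwsh 7

# Optional entropy: a per-application constant mixed into the DPAPI key derivation.
# It stops another DPAPI caller in the same scope from decrypting by accident, but it
# is NOT a secret: it ships with the binary, so an attacker with SYSTEM/admin (or the
# service account) still wins, exactly as the reply above says.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-v1')

function Protect-ConfigSecret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $entropy, $Scope)
    } finally {
        [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the plaintext in memory longer than needed
    }
    # Base64 so the opaque blob survives text-based config handling.
    [Convert]::ToBase64String($blob) | Set-Content -Path $Path -Encoding ASCII
}

function Unprotect-ConfigSecret {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.DataProtectionScope]$Scope =
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    )
    $blob = [Convert]::FromBase64String((Get-Content -Path $Path -Raw).Trim())
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong account/machine, tampered blob or wrong entropy: fail closed, no partial secret.
        throw "DPAPI unprotect failed for $Path (wrong account, machine or entropy?): $($_.Exception.Message)"
    }
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# One-time provisioning, run AS THE SERVICE ACCOUNT (e.g. runas /user:svc_app powershell),
# so the CurrentUser scope binds the blob to that account's DPAPI master key.
$cfg = Join-Path $env:ProgramData 'ExampleApp\db.secret'   # hypothetical location
New-Item -ItemType Directory -Force -Path (Split-Path $cfg) | Out-Null
Protect-ConfigSecret -PlainText 'P@ssw0rd-for-the-db' -Path $cfg

# DPAPI gives confidentiality; the ACL limits who can even read the blob. Drop inheritance
# and grant only the service account (read), SYSTEM and Administrators.
icacls $cfg /inheritance:r /grant:r "$env:USERDOMAIN\svc_app:(R)" 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null

# At service start-up, same account, same scope:
$dbPassword = Unprotect-ConfigSecret -Path $cfg

# The caveat from the reply: a LocalMachine-scope blob is decryptable by ANY principal on
# this box that can read the file, which is why DPAPI is "obscure" rather than secret.
# Protect-ConfigSecret -PlainText '...' -Path $cfg -Scope LocalMachine
```

Note the trade-off the two scopes expose. CurrentUser ties the blob to the service account, so a different local user who copies the file gets a CryptographicException from Unprotect-ConfigSecret; but anyone who can run code as that account, or as an administrator who can impersonate it, decrypts it just as Andrew says. LocalMachine is convenient for services that run under changing accounts, but then the file ACL is the only thing standing between a low-privileged local user and the secret.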

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:46 EDT
