So I have a text encrypted with DPAPI and an unknown key, and I have the plaintext that the encrypted text represents. Can I derive the key used from this, and how?
2 Answers
DPAPI is extremely secret and thus poorly documented; even WINE lacks proper support for this API, which it would need to fully support applications like Internet Explorer, etc.
You have to know the key. DPAPI generates one unique MASTERKEY for each user, which is in turn retrieved with the user's current password. This key is typically stored in %APPDATA%\Microsoft\Protect\<SID>
The Master Key is made up of 512 random bits. DPAPI retrieves the current MASTERKEY from the CREDHIST file. You can find enough information here: and here
Can you derive the key from a plaintext and encrypted text sample? Only if you performed this encryption on a very old and outdated version of Windows with known vulnerabilities.
Otherwise, no... this is not (yet) possible.
Assuming you have a plaintext sample and the resulting ciphertext (encrypted text), you could try a brute force attack and try every permutation of the key until you get the expected ciphertext.
The number of possible keys used for encrypting the data is determined by the key length of the algorithm used... so if a sufficiently weak key was used to encrypt the data, a brute force attack is feasible.
However, Microsoft has periodically updated the underlying algorithm and key length used by DPAPI, so unless the data was encrypted on Windows Server 2000, the length of the key used would make a brute force attack unrealistic.
The question then becomes, is there another way that the plaintext and ciphertext could be used to perform a more efficient attack than simply trying every possible key until a match is found? This approach can be referred to as a "known plaintext attack."
Known plaintext attacks are a form of Differential cryptanalysis... a set of techniques that attempt to discover and exploit non-random behavior in the cipher in order to help determine the secret key.
Depending on your version of Windows, DPAPI uses either Triple-DES or AES encryption. Both algorithms are designed to be resistant to differential cryptanalysis... and given even a very large number of plaintext / ciphertext pairs, this approach is only marginally faster than a brute force attack, and therefore still not practical.
Additional info:
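Practical follow-up (an added example, not part of either answer above): the output of CryptProtectData is not bare cipher output. It is a self-describing blob whose header records the GUID of the master key that protected it and the CryptoAPI ALG_IDs of the cipher and hash that were used. Parsing that header answers two of the points raised above directly: which master key file under Protect\<SID> you would need, and whether the data was protected with 3DES (older Windows) or AES-256 (Vista and later). The parser below is my own Python, written against the blob layout used by open-source DPAPI tooling such as dpapick and mimikatz; the sample blob is constructed inside the script with a made-up master key GUID and dummy salt, HMAC key, ciphertext and signature, and is not captured from a real machine. Function and field names are mine, not Microsoft's.

```python
import struct
import uuid

# Microsoft's DPAPI provider GUID; every CryptProtectData blob starts with it.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values that show up in DPAPI blobs.
CALG_NAMES = {
    0x6603: "CALG_3DES",     # Windows 2000 / XP default cipher
    0x660E: "CALG_AES_128",
    0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256",  # Vista and later default cipher
    0x8003: "CALG_MD5",
    0x8004: "CALG_SHA1",     # Windows 2000 / XP default hash
    0x800C: "CALG_SHA_256",
    0x800D: "CALG_SHA_384",
    0x800E: "CALG_SHA_512",  # Vista and later default hash
}


class _Reader:
    """Sequential little-endian reader over a blob with bounds checking."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from("<I", self.data, self.pos)
        self.pos += 4
        return value

    def raw(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def guid(self):
        return uuid.UUID(bytes_le=self.raw(16))

    def sized(self):
        """A DWORD length followed by that many bytes."""
        return self.raw(self.u32())


def parse_dpapi_blob(blob):
    """Return the header fields of a DPAPI blob (layout as used by dpapick/mimikatz)."""
    r = _Reader(blob)
    version = r.u32()
    if r.guid() != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: provider GUID mismatch")
    mk_version = r.u32()
    mk_guid = r.guid()                      # which master key file protects this blob
    flags = r.u32()
    description = r.sized().decode("utf-16-le").rstrip("\x00")
    cipher_alg, cipher_key_bits = r.u32(), r.u32()
    salt = r.sized()
    r.sized()                               # "strong" field, empty in ordinary blobs
    hash_alg, hash_bits = r.u32(), r.u32()
    r.sized()                               # HMAC key material
    ciphertext = r.sized()                  # opaque without the master key
    signature = r.sized()
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "version": version, "master_key_version": mk_version,
        "master_key_guid": str(mk_guid), "flags": flags, "description": description,
        "cipher_alg": CALG_NAMES.get(cipher_alg, hex(cipher_alg)),
        "cipher_key_bits": cipher_key_bits,
        "hash_alg": CALG_NAMES.get(hash_alg, hex(hash_alg)), "hash_bits": hash_bits,
        "salt_len": len(salt), "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def master_key_path(sid, mk_guid):
    """Where the per-user master key file named in a blob normally lives."""
    return r"%APPDATA%\Microsoft\Protect" + "\\" + sid + "\\" + mk_guid


def _packed(data):
    return struct.pack("<I", len(data)) + data


def build_dpapi_blob(mk_guid, description, cipher_alg, key_bits, salt,
                     hash_alg, hash_bits, hmac_key, ciphertext, signature, flags=0):
    """Build a structurally valid blob for testing (no real cryptography involved)."""
    desc = (description + "\x00").encode("utf-16-le")
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(mk_guid).bytes_le, struct.pack("<I", flags),
        _packed(desc), struct.pack("<II", cipher_alg, key_bits), _packed(salt),
        _packed(b""), struct.pack("<II", hash_alg, hash_bits), _packed(hmac_key),
        _packed(ciphertext), _packed(signature),
    ])


# Constructed sample: made-up master key GUID and dummy bytes, not a captured blob.
SAMPLE_MK_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_BLOB = build_dpapi_blob(
    SAMPLE_MK_GUID, "example", 0x6610, 256, bytes(range(32)),
    0x800E, 512, b"\xaa" * 64, b"\xbb" * 16, b"\xcc" * 64)

if __name__ == "__main__":
    fields = parse_dpapi_blob(SAMPLE_BLOB)
    for name, value in fields.items():
        print("%-20s %s" % (name, value))
    print(master_key_path("S-1-5-21-1-2-3-1001", fields["master_key_guid"]))
```

Feed a real blob in (for example the base64 a Chromium or RDP credential store hands you) and the cipher_alg / hash_alg pair tells you which generation of DPAPI produced it, while master_key_guid names the file under Protect\<SID> that is needed to decrypt it. The script deliberately does nothing with the ciphertext field: without that master key, and therefore without the user's password, it stays opaque, which is exactly the point both answers make.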