Why does DPAPI uses SHA1 in blob/key decryption?

Question

According to my knowledge, SHA1 is not considered as a secure cryptographic hash function. Despite that, it seems to be still used in DPAPI. This can be seen from pypykatz implementation that emulate what DPAPI does.

https://github.com/skelsec/pypykatz

For example, SHA1 is used for key derivation in blob decryption: https://github.com/skelsec/pypykatz/blob/master/pypykatz/dpapi/structures/blob.py

def decrypt(self, key, entropy = None):
        def fixparity(deskey):
            temp = b''
            for i in range(len(deskey)):
                t = (bin(deskey[i])[2:]).rjust(8,'0')
                if t[:7].count('1') %2 == 0:
                    temp+= int(t[:7]+'1',2).to_bytes(1, 'big')
                else:
                    temp+= int(t[:7]+'0',2).to_bytes(1, 'big')
            return temp
        
        key_hash = sha1(key).digest()
        session_key_ctx = hmac.new(key_hash, self.salt, ALGORITHMS_DATA[self.hash_algorithm][1])
        if entropy is not None:
            session_key_ctx.update(entropy)
        
        session_key = session_key_ctx.digest()

a) I wonder if there is a reason why they did not used more secure hash function like SHA2 or SHA3? b) Also, does it create a vulnerability that I should be concerned about?

I tried to find Windows DPAPI documentation, however it seems there is no such documentation publicly available.

According to your code snippet, more precisely HMAC/SHA1 is applied, see for this: [Why is HMAC-SHA1 still considered secure?](https://crypto.stackexchange.com/q/26510) — Topaco, Apr 13 '23 at 09:34

Why does DPAPI uses SHA1 in blob/key decryption?

0 Answers0