
Data Protection API Machine Key Security on Windows Mobile

Data Protection API Machine Key Security on Windows Mobile percussionplayer 02-12-2007
Posted by percussionplayer on February 12, 2007, 5:29 pm
Hi,

I am wondering if anyone knows how the DPAPI key management on Windows
Mobile works with the CRYPTPROTECT_LOCAL_MACHINE flag. How is the key
material generated and stored?


The problem I'm trying to solve requires that I encrypt some data in a
file on a Windows Mobile 5 device, but the device may or may not be
password protected, so I'd like to use CryptProtectData with the
CRYPTPROTECT_LOCAL_MACHINE flag, but I can't find out anything about
how the machine key is derived, stored, etc.


It's OK if other processes running on the device are able to see and
decrypt the data, but we'd like to protect against forensic attacks.
For example, if a device were to be lost or stolen, would it be
possible for a hacker to remove the flash drive and retrieve enough
information from the physical device to decrypt the file?


Thanks,
Frank


Posted by Scott Yost [MSFT] on February 12, 2007, 6:28 pm
> For example, if a device were to be lost or stolen, would it be
> possible for a hacker to remove the flash drive and retrieve enough
> information from the physical device to decrypt the file?


Yes. Using DPAPI with CRYPTPROTECT_LOCAL_MACHINE won't protect against this
threat.

--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.




Posted by percussionplayer on February 13, 2007, 1:34 pm
Thanks, Scott. I appreciate the fast response.

Since my proposed solution won't work to solve this problem, do you
have any ideas for me? Is there any kind of unique information that is
available programmatically from the Windows Mobile device that is not
available forensically from the hardware?

Thanks, Frank


Posted by Scott Yost [MSFT] on February 16, 2007, 1:00 pm
It all depends on how the OEM manufactures the device, but in general the
answer is no. You'd want some sort of tamper-resistant part or a TPM module.
For your application I'd suggest you look at something like using a
smartcard to protect the keys that you encrypt the data with.
--
Scott Yost
Software Development Engineer/Test
Microsoft Corp.

This posting is provided "AS IS" with no warranties, and confers no rights.

> Thanks, Scott. I appreciate the fast response.
>
> Since my proposed solution won't work to solve this problem, do you
> have any ideas for me? Is there any kind of unique information that is
> available programmatically from the Windows Mobile device that is not
> available forensically from the hardware?
>
> Thanks, Frank
>
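The tradeoff Scott describes, as an added model that is not DPAPI and not code from either poster: a flash image that contains the machine key decrypts a LOCAL_MACHINE-style blob, while a blob whose per-file key is wrapped under a smartcard-held key cannot be opened from the image alone. HMAC-SHA256 stands in for a real cipher so the model runs on the Python standard library; the image layout, key names and functions are assumptions.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (model only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; blob layout is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered blob")
    return keystream_xor(key, nonce, ct)

def build_device_image(secret: bytes, token_key: bytes) -> dict:
    # Everything in this dict sits on flash; token_key (the smartcard) is not in it.
    machine_key = os.urandom(32)  # LOCAL_MACHINE-style key, stored on the device itself
    data_key = os.urandom(32)     # per-file key, wrapped under the off-device token key
    return {
        "machine_key": machine_key,
        "file_machine": seal(machine_key, secret),    # CRYPTPROTECT_LOCAL_MACHINE model
        "wrapped_data_key": seal(token_key, data_key),
        "file_token": seal(data_key, secret),
    }

def recover_offline(image: dict) -> dict:
    # Holding only the flash image: machine_key is present, the token key is absent.
    out = {"file_machine": unseal(image["machine_key"], image["file_machine"])}
    try:
        data_key = unseal(image["machine_key"], image["wrapped_data_key"])
        out["file_token"] = unseal(data_key, image["file_token"])
    except ValueError:
        out["file_token"] = None
    return out

def recover_with_token(image: dict, token_key: bytes) -> bytes:
    # Legitimate path: the smartcard-held key unwraps the data key first.
    return unseal(unseal(token_key, image["wrapped_data_key"]), image["file_token"])
```

The model shows the key dependency only; a real design would use DPAPI or a vetted AEAD and keep the wrapping key inside the smartcard rather than exporting it.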


