Store passwords in SYS files

NTFSD
1

Dear All,

I am developing a security/recovery software (in MFC, Visual C++ for
Windows 2000/XP/NT).

Presently I am storing password for opening my application in Registry
key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody can easily
delete this key.

My question is:

  1. How can I change the security settings of my password registry key so
    that any user may not be

able to open or delete key ?

  1. Are there any other secure methods to store the passwords? Can we store
    password in .sys file

which are always in memory ???

Please give your useful suggestions.
Thanks in advance!

Rohit Dhamija

2

Hi Rohit,
.sys also can be opened for editing…I guess its ur encryption algorithm
that gives security and not the location of the passwords…Afterall
everything on the disk is accessible for an user with Admin account on a
system.

Giri.

Dear All,

I am developing a security/recovery software (in MFC, Visual C++ for
Windows 2000/XP/NT).

Presently I am storing password for opening my application in Registry
key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody can easily
delete this key.

My question is:

  1. How can I change the security settings of my password registry key so
    that any user may not be

able to open or delete key ?

  1. Are there any other secure methods to store the passwords? Can we store
    password in .sys file

which are always in memory ???

Please give your useful suggestions.
Thanks in advance!

Rohit Dhamija

3

There is a ‘secure password store’ in the NetXXX api family.

4

Hi,

I wouldn’t recommend storing the actual passwords anywhere! Highly
in-secure!
I would recommend storing a hash of the password or something similar.

Regards

Ben Curley
Software Engineer
Data Encryption Systems Ltd.

-----Original Message-----
From: Seshagiri Babu K V [mailto:xxxxx@sasken.com]
Sent: 23 May 2003 13:43
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files

Hi Rohit,
.sys also can be opened for editing…I guess its ur encryption algorithm
that gives security and not the location of the passwords…Afterall
everything on the disk is accessible for an user with Admin account on a
system.

Giri.

Dear All,

I am developing a security/recovery software (in MFC, Visual C++ for
Windows 2000/XP/NT).

Presently I am storing password for opening my application in Registry
key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody can easily
delete this key.

My question is:

  1. How can I change the security settings of my password registry key so
    that any user may not be

able to open or delete key ?

  1. Are there any other secure methods to store the passwords? Can we store
    password in .sys file

which are always in memory ???

Please give your useful suggestions.
Thanks in advance!

Rohit Dhamija

You are currently subscribed to ntfsd as: xxxxx@des.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com

5

I agree, so long as the “one-way” hash is sufficient. If you need
credentials for authenticating with someone - it might not be. If you
“have to” store credentials, I do NOT recommend using the registry. You
can just as easily use a disk file and protect with a ACL that denies
access to everyone but your service. Also, use Triple-DES or high
strength security and ideally roll the crypto-keys periodically (this
can be a problem if you are storing tons of passwords that you need to
re-encrypt when the key rolls). Rolling keys prevents replays of the
encrypted credentials. Another technique that should be used is
separation of a user’s name and password - or encryption of both. Folks
trying to steal credentials look for patterns - and once they find a
user’s name - they start looking nearby the encrypted password for that
user. If you have hundreds a users and passwords, it will take a hacker
time to figure out which encrypted string goes with which user.

If you are talking about temporary storage for credentials (in memory),
using a driver and Windows privileges is a good technique - since it is
much harder to hack the kernel address space. Just make sure that the
IPC you use to get the credentials is protected with a privilege check
or an access check. Also, you should still encrypt - even when storing
in kernel mode. You have to consider the possibility of a memory.dmp or
something that could be inspected.

/TomH

-----Original Message-----
From: xxxxx@des.co.uk [mailto:xxxxx@des.co.uk]
Sent: Friday, May 23, 2003 9:09 AM
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files

Hi,

I wouldn’t recommend storing the actual passwords anywhere! Highly
in-secure!
I would recommend storing a hash of the password or something similar.

Regards

Ben Curley
Software Engineer
Data Encryption Systems Ltd.

-----Original Message-----
From: Seshagiri Babu K V [mailto:xxxxx@sasken.com]
Sent: 23 May 2003 13:43
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files

Hi Rohit,
.sys also can be opened for editing…I guess its ur encryption algorithm
that gives security and not the location of the passwords…Afterall
everything on the disk is accessible for an user with Admin account on a
system.

Giri.

Dear All,

I am developing a security/recovery software (in MFC, Visual C++ for
Windows 2000/XP/NT).

Presently I am storing password for opening my application in
Registry
key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody can easily
delete this key.

My question is:

  1. How can I change the security settings of my password registry key
    so
    that any user may not be

able to open or delete key ?

  1. Are there any other secure methods to store the passwords? Can we
    store
    password in .sys file

which are always in memory ???

Please give your useful suggestions.
Thanks in advance!

Rohit Dhamija

You are currently subscribed to ntfsd as: xxxxx@des.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com

You are currently subscribed to ntfsd as: xxxxx@inflectionsystems.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

6

> Presently I am storing password for opening my application in
Registry

key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody can
easily

Can you rely on current NT’s password?

Max

7

IIRC this is in Win9x/Me only.

----- Original Message -----
From: “Benson Margulies”
To: “File Systems Developers”
Sent: Friday, May 23, 2003 4:59 PM
Subject: [ntfsd] Re: Store passwords in SYS files

> There is a ‘secure password store’ in the NetXXX api family.
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

8

Look into CryptProtectData/CryptUnprotectData. These functions will
encrypt an arbitrary block of data with the user’s logon credentials
(generated off of his password).

  • Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rohit
Sent: Friday, May 23, 2003 5:18 AM
To: File Systems Developers
Subject: [ntfsd] Store passwords in SYS files

Dear All,

I am developing a security/recovery software (in MFC, Visual
C++ for Windows 2000/XP/NT).

Presently I am storing password for opening my application
in Registry key.
=>ie.HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.

But I feel that this key can easily be hacked. And anybody
can easily delete this key.

My question is:

  1. How can I change the security settings of my password
    registry key so that any user may not be

able to open or delete key ?

  1. Are there any other secure methods to store the passwords?
    Can we store password in .sys file

which are always in memory ???

Please give your useful suggestions.
Thanks in advance!

Rohit Dhamija

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

9

Dear All,
Thanks a lot for providing such an invaluable information.
I tried hack a security/recovery software (DeepFreeze) and found that it
stores its password information in a .sys file (ie. Persi.sys). And this
file is always in memory. ie. cannot be accessed.
Is this a secure way to store password ? Or it can also be hacked in any
case?? Please Comment!

Thanks in advance…
Rohit

10

SoftICE, WinDbg…

Rohit wrote:

Dear All,
Thanks a lot for providing such an invaluable information.
I tried hack a security/recovery software (DeepFreeze) and found that it
stores its password information in a .sys file (ie. Persi.sys). And this
file is always in memory. ie. cannot be accessed.
Is this a secure way to store password ? Or it can also be hacked in any
case?? Please Comment!

Thanks in advance…
Rohit

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

11

No. Yes.

There is no way to store passwords on a computer and make them secure
unless some external source is required to access the passwords that
have been encrypted. You can use a password hash and make it difficult
for someone to find a password that will produce the same hash, but it
is still possible given enough time. You could hash a password with MD5
& SHA-1024/512/256 storing both and then a cracker will have to solve
both problems.

If the computer has a password stored and some piece of software knows
how to decrypt the password, it cannot be make secure. You can with the
use of smartcards have an encrypted password cache/file on the computer.
Your program will then have to know how to get the encryption key from
the smartcard or have the smartcard actually do the decryption. I also
suggest that the only secure solution is to have a RSA smartcard and
require a password to access the smartcard. The smartcard reader will
have to have a keypad so that the computer never knows the “PIN” or
access password for the smartcard. This will keep key loggers from
stealing your “PIN”, so there are two missing pieces required to obtain
access - the smartcard and the “PIN”. For business access control you
will probably want a CA that validates that the smartcard is still
authorized on the network.

Just because I am paranoid, it doesn’t mean that the whole world is NOT
out to get me!

From your descriptions of various security ideas, they all fall into the
“security by obscurity” category, which is only effective against the
stupid, the lazy or those who don’t want to crack your system.

----- Original Message -----
From: “Rohit”
To: “File Systems Developers”
Sent: Saturday, May 24, 2003 4:08 AM
Subject: [ntfsd] Re: Store passwords in SYS files

> Dear All,
> Thanks a lot for providing such an invaluable information.
> I tried hack a security/recovery software (DeepFreeze) and found that
it
> stores its password information in a .sys file (ie. Persi.sys). And
this
> file is always in memory. ie. cannot be accessed.
> Is this a secure way to store password ? Or it can also be hacked in
any
> case?? Please Comment!
>
> Thanks in advance…
> Rohit
>
> —
> You are currently subscribed to ntfsd as: xxxxx@yoshimuni.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

12

I still don’t understand what you mean when you say “stores its password
information in a .sys file”. .sys is just an extension - but are you
saying that they implement a driver to store passwords in memory and
thereby in the kernel address space. Or do you mean the passwords are
physically stored in a file with a .sys extension - and if the latter -
are these somehow embedded in the image itself (sounds really bizarre).
Using NTFS, you can prevent access to a file using an access control
list that only allows the “SYSTEM” account access. I am not sure what
the purpose of a .sys file would be. However, whenever you store
passwords on a computer, you are exposed - at very least to physical
attacks. An ACL is pretty useless once the disk is physically removed
and can be low level scanned. And the encryption you use is only as
good as the crypto algorithm you choose - and most can be hacked given
sufficient time. I have implemented password caching before, but I
never stored passwords for on the disk unless I was guaranteed physical
security - because this can’t be secure no matter how hard you try.

-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Saturday, May 24, 2003 8:27 AM
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files

SoftICE, WinDbg…

Rohit wrote:

Dear All,
Thanks a lot for providing such an invaluable information.
I tried hack a security/recovery software (DeepFreeze) and found that
it
stores its password information in a .sys file (ie. Persi.sys). And
this
file is always in memory. ie. cannot be accessed.
Is this a secure way to store password ? Or it can also be hacked in
any
case?? Please Comment!

Thanks in advance…
Rohit

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

You are currently subscribed to ntfsd as: xxxxx@inflectionsystems.com
To unsubscribe send a blank email to xxxxx@lists.osr.com