ProtectedData.Unprotect after User changes password
I have a C# application that stores password information in a database using the ProtectedData class. I use a scope of LocalMachine and, as I understand it, DPAPI will use a master key to encrypt it, and that key won't be changed unless I uninstall the OS.

Let's say I want to use the scope DataProtectionScope.CurrentUser. As I understand it, DPAPI then uses a different master key that is protected by the user's password. So when the user changes the password, the master key with which it protected the data stays the same and just the password that protects it changes.

My question is: is my data (in the database) retrievable (and how) after the user changes the password?
See this site, which has links to papers (and more importantly, code) reverse engineering the system. Their first presentation was this one at Blackhat Europe 2010.
Essentially, the SHA-1 hash of your current password protects the DPAPI masterkeys, which protect in turn each DPAPI-blob (there is a per blob salt as well). Each masterkey has a GUID that identifies the password that is used to protect it. Each blob also has a GUID that identifies which masterkey was used to encrypt it. These masterkeys expire after three months and a new one is created, but the old ones are kept around.
If you change the password, all masterkeys are re-encrypted with the new SHA-1 hash, but as insurance (the process might get interrupted, e.g.) the old SHA-1 hash is also stored, encrypted with the new SHA-1 hash (and the old and new password GUIDs) in a file named CREDHIST close to the master keys, to ensure all blobs are always decryptable with the current password, directly or indirectly. You can find the password hashes of all your old passwords this way, if you know the current one, by chaining back. All of these password protections in masterkeys and CREDHIST also use the SID of the user (so if this changed, e.g. after a reinstallation of Windows, you could no longer decrypt old blobs).
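To make the dependency chain in the answer above concrete, here is an added toy model of it (example code, not part of the original post and not DPAPI's real on-disk format): blobs reference a master-key GUID, master keys are encrypted under a key derived from the SHA-1 of the password bound to the user's SID, and a CREDHIST-style list stores each old password key encrypted under the one that replaced it. The cipher (an HMAC keystream with a tag), the exact key derivation, and all names (`UserProfile`, `toy_encrypt`, the sample SID and passwords) are assumptions chosen for illustration. The `interrupted=True` flag simulates the re-encryption dying before it reaches older master keys, which is exactly the case CREDHIST is there for.

```python
"""Toy model of the DPAPI master key / CREDHIST chain. Simplified stand-ins, not the real format."""
import hashlib
import hmac
import os
import uuid


def password_key(password: str, sid: str) -> bytes:
    """SHA-1 of the password, bound to the user's SID (modelled; not DPAPI's exact derivation)."""
    pw_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pw_hash, sid.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy authenticated cipher: fresh salt, HMAC keystream XOR, 16-byte tag. Illustration only."""
    salt = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, salt, len(data))))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()[:16]
    return salt + ct + tag


def toy_decrypt(key: bytes, enc: bytes) -> bytes:
    salt, ct, tag = enc[:16], enc[16:-16], enc[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, salt + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, len(ct))))


class UserProfile:
    """Per-user master keys plus a CREDHIST-style chain of old password keys (hypothetical model)."""

    def __init__(self, sid: str, password: str):
        self.sid = sid
        self.pw_guid = uuid.uuid4()          # identifies the password currently in use
        self.masterkeys = {}                 # masterkey GUID -> (password GUID, encrypted master key)
        self.credhist = []                   # (old pw GUID, new pw GUID, old key encrypted under new key)
        self.new_masterkey(password)

    def new_masterkey(self, password: str) -> uuid.UUID:
        """Create a fresh master key (the answer's three-month rollover); old ones are kept."""
        guid = uuid.uuid4()
        self.masterkeys[guid] = (self.pw_guid, toy_encrypt(password_key(password, self.sid), os.urandom(64)))
        self.current_mk = guid
        return guid

    def _unlock_masterkey(self, guid: uuid.UUID, password: str) -> bytes:
        pw_guid, enc = self.masterkeys[guid]
        key = password_key(password, self.sid)
        if pw_guid == self.pw_guid:
            return toy_decrypt(key, enc)     # direct path; raises ValueError on a wrong password
        # Indirect path: walk CREDHIST backwards, recovering each older password key with the
        # newer one, until we reach the password GUID recorded on this master key.
        for old_guid, _new_guid, enc_old_key in reversed(self.credhist):
            key = toy_decrypt(key, enc_old_key)
            if old_guid == pw_guid:
                return toy_decrypt(key, enc)
        raise ValueError("master key's password GUID not found in CREDHIST")

    def protect(self, password: str, data: bytes) -> tuple:
        """Returns (masterkey GUID, blob); the per-blob salt lives inside toy_encrypt."""
        return (self.current_mk, toy_encrypt(self._unlock_masterkey(self.current_mk, password), data))

    def unprotect(self, password: str, blob: tuple) -> bytes:
        mk_guid, enc = blob
        return toy_decrypt(self._unlock_masterkey(mk_guid, password), enc)

    def change_password(self, old: str, new: str, interrupted: bool = False) -> None:
        old_key, new_key = password_key(old, self.sid), password_key(new, self.sid)
        new_guid = uuid.uuid4()
        for guid in list(self.masterkeys):
            if interrupted and guid != self.current_mk:
                continue                     # simulate the rewrite dying before older master keys
            mk = self._unlock_masterkey(guid, old)
            self.masterkeys[guid] = (new_guid, toy_encrypt(new_key, mk))
        # Insurance entry: the old password key stays recoverable from the new one.
        self.credhist.append((self.pw_guid, new_guid, toy_encrypt(new_key, old_key)))
        self.pw_guid = new_guid


def demo() -> dict:
    """Constructed scenario: one blob under an older master key, one under the current one."""
    profile = UserProfile("S-1-5-21-1-2-3-1001", "hunter2")      # constructed SID and password
    blob_old_mk = profile.protect("hunter2", b"db password #1")
    profile.new_masterkey("hunter2")                               # rollover to a new master key
    blob_new_mk = profile.protect("hunter2", b"db password #2")
    profile.change_password("hunter2", "correct horse", interrupted=True)
    results = {
        "old_mk_via_credhist": profile.unprotect("correct horse", blob_old_mk),
        "new_mk_direct": profile.unprotect("correct horse", blob_new_mk),
    }
    try:
        profile.unprotect("hunter2", blob_old_mk)
        results["old_password_works"] = True
    except ValueError:
        results["old_password_works"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

In the scenario, the blob under the master key that never got re-encrypted is still recovered with the new password, but only by walking CREDHIST back to the old key; the old password itself no longer opens anything. This is the answer's "directly or indirectly" in code, and it also shows why the chain is worth protecting: whoever holds the current password key can recover every older one.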