One of the tenets of modern cryptology is that algorithms and mechanisms
have to be published for analysis and review.  The basic idea is that
security is based on a mathematical impossibility that a cryptosystem can
be broken within the time remaining in the universe.  The once dominant
idea was that a system sufficiently obscure was good enough.  I dare say
that the experience of the Third Reich demonstrated the weakness of the
latter argument.

Microsoft is assuming a position that is theoretically impossible and
refuses to publish their system's algorithms for legitimate analysis.  It
is hard to argue that their system is anything but garbage top to bottom,
waiting only for a disgruntled employee to blow the whole thing sky high.

It is well understood that security by obscurity is no security at all.  If
Microsoft actually believed they had a robust system, they wouldn't hesitate
to publish -- and patent -- their system.

Possibly it is fairly secure.  More likely, it's bullshit.  If they
published the details, we would all know.  But they won't.

Once it was believed that nobody could get fired for going IBM (SNA anyone?
Anyone?).  Then it was Microsoft instead of IBM.  But that was then and
this is now.

Are you really going to trust a company that staked their future on Windows
RT tablets and Windows phones?

To paraphrase Yoda, break me a frigging give.

On Saturday, August 22, 2015, Brian Vraamark <brian.vraam...@plandent.dk>
wrote:

> > I have a strong preference for portable, transparent solutions.
>
> That I can understand and would always be the best solution, but not
> always possible.
>
>
> > There is also the small point that it has been broken (see Wikipedia).
>
> As I read it, it was mostly before Windows XP. Since Windows Server
> 2003/Windows 7, a lot of changes in DPAPI have made it more secure. The
> security analysis from Passcape concludes:
>
> "DPAPI deserves such close attention at least for the fact that it's the
> only password-based system that provides appropriate and thoroughly thought
> out protection of user's personal data. None of the operating systems has a
> more viable alternative to DPAPI!
>
> We should, perhaps, mention that the first implementation of DPAPI had a
> number of serious flaws, which could enable a potential malefactor to
> easily compromise user's data protected by DPAPI.
>
> The first pancake is known to be always lumpy. In all the sequel operating
> systems, beginning with Windows XP, those vulnerabilities have not merely
> been eliminated; the entire DPAPI system has undergone a major revision. In
> particular, it has adopted new encryption algorithms; that has made the
> Master Key password lookup speed about 1000 (!) times slower. Master Key
> encryption errors that potentially allowed any user to gain access to any
> files encrypted by EFS were fixed. The local Master Key backup system has
> been replaced with the password reset disk, etc.
>
> Overall, the DPAPI encryption system has become more robust, powerful,
> meeting the stringent requirements of password security."
>
>
> Brian Vraamark
>
>
> ------------------------------------------------------------------------------
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>


-- 
Jim Starkey