On Wednesday 13 April 2005 12:16, Alexandre Julliard wrote:
> I don't understand why you come up with such an elaborate scheme of
> storing things in the registry when it's clearly not the way this
> thing is supposed to work. If you can't figure out what Windows does,
> then just xoring the data with 0xdeadbeef or something like this would
> be at least as secure as your solution, and would actually be much
> closer to the proper behavior.
What Windows does is described in detail at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

Besides the complicated (and in my opinion braindead) procedure for key backup and restoration, it all basically melts down to the following (simplified): When a user logs in to the system a hash of his password is computed. This hash is kept in memory in a system service called "Local Security Authority". CryptProtectData/CryptUnprotectData asks the LSA via RPC to en/de-crypt data using this hash as a symmetric key on behalf of the user.

Since the unix/linux login process doesn't provide such a functionality, this is not easy to replicate. I like Mike McCormack's idea to apply "ssh-agent", but I didn't look into it in detail.

Bye,
--
Michael Jung
[EMAIL PROTECTED]
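The DPAPI model sketched above, as an added illustration in Go that is not Wine code and not part of this thread: a service holds each logged-on user's password-derived key in memory and encrypts or decrypts on the user's behalf, so callers never handle the key. SHA-256 of the password stands in for the Windows password hash and AES-GCM for the unspecified symmetric cipher; both are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// lsa models the Local Security Authority: the password-derived key of each
// logged-on user lives only here, wrapped in an AEAD that callers never see.
type lsa map[string]cipher.AEAD

// Logon derives the per-user key at login. SHA-256 of the password is a
// constructed stand-in for the real Windows password hash.
func (l lsa) Logon(user, password string) error {
	key := sha256.Sum256([]byte(password))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	l[user], err = cipher.NewGCM(block)
	return err
}

// ProtectData plays CryptProtectData: the service encrypts on the user's
// behalf and returns nonce || ciphertext || tag.
func (l lsa) ProtectData(user string, plaintext []byte) ([]byte, error) {
	g, ok := l[user]
	if !ok {
		return nil, errors.New("user not logged on")
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// UnprotectData plays CryptUnprotectData: a blob sealed under another user's
// key, or modified in transit, fails GCM authentication and is rejected.
func (l lsa) UnprotectData(user string, blob []byte) ([]byte, error) {
	g, ok := l[user]
	if !ok || len(blob) < g.NonceSize() {
		return nil, errors.New("user not logged on or blob too short")
	}
	n := g.NonceSize()
	return g.Open(nil, blob[:n], blob[n:], nil)
}
```

Unlike a fixed XOR mask, a blob sealed this way is useless to another account and fails cleanly when tampered with.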