PasswordVault security when used from Desktop app

Question

I'd like to use Windows.Security.Credentials.PasswordVault in my desktop app (WPF-based) to securely store a user's password. I managed to access this Windows 10 API using this MSDN article.

I did some experiments and it appears that any data written to PasswordVault from one desktop app (not a native UWP app) can be read from any other desktop app. Even packaging my desktop app with Desktop Bridge technology and thus having a Package Identity does not fix this vulnerability.

Any ideas how to fix that and be able storing the app's data secure from other apps?

UPDATE: It appeared that PasswordVault adds no extra security over DPAPI. The case is closed with a negative result.

There is no leak. Everything which is in the vault can be read by the user who put it in the first place. Windows even provides an UI for that in "Control Panel\User Accounts\Credential Manager". They are stored in "Web Credentials". The only difference is with UWP apps you have the illusion that the data is protected one from another, but it's not. Windows.Security.Credentials.PasswordVault is just a *simplified* managed wrapper around CredRead, CredWrite, etc. native API. There are .net managed wrappers that you can use, for example: https://www.nuget.org/packages/CredentialManagement/ — Simon Mourier, Aug 14 '17 at 16:44
@SimonMourier Thanks for your help! I did some experiments with CredentialManagement nuget and found that it cannot access credentials of type Windows.Security.Credentials.PasswordCredential, which reside in "Web Credentials" tab of Control Panel's Credential Manager. It can only access "Windows Credentials" tab info. I wonder if it due to some implementation issues of CredentialManagement nuget (which I did not find there after a brief examination) or it is a true non-leaking area for UWP apps to use. — Andrey Shcherbakov, Aug 15 '17 at 09:57
The Windows UI can display all passwords stored in "Web Credentials" as well as "Windows Credentials" (for the current user of course). You can also get them with the VaultCmd.exe tools provided with Windows. So if you want to store something that you don't want the user to see, you'll need to roll your own thing or store already protected data in vault. Note I don't know a documented way of getting all web credentials using an API. This is a hack that may work: https://cnnic.ipv6.o-l.pw/mimikatz/mimikatz/modules/kuhl_m_vault.c (not tested) — Simon Mourier, Aug 15 '17 at 15:45
@SimonMourier It's a pity that PasswordVault has no extra security over DPAPI. I'll stick to DPAPI for now. Thanks again for your help! — Andrey Shcherbakov, Aug 18 '17 at 11:31

Lloyd · Accepted Answer · 2017-08-14T13:51:34.443

(this is from what I can understand of your post)

There is no real way of preventing data access between desktop apps when using these kind of API's http://www.hanselman.com/blog/SavingAndRetrievingBrowserAndOtherPasswords.aspx tells more about it. You'd probably just want to decrypt your information.

memory access restriction is difficult, code executed by the user is always retrievable by the user so it would be difficult to restrict this.

have you considered using the Windows Data Protection API : https://msdn.microsoft.com/en-us/library/ms995355.aspx

grabbed straight from the source DPAPI is an easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys

WDPAPI uses keys generated by the operating system and Triple DES to encrypt/decrypt your data. Which means your application doesn't have to generate these keys, which is always nice.

You could also use the Rfc2898DeriveBytes class, this uses a pseudo-random number generator to decrypt your password. It's safer than most decrypters since there is no practical way to go back from the result back to the password. This is only really useful for verifying the input password and not retrieving it back again. I have never actually used this myself so I would not be able to help you.

https://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes(v=vs.110).aspx

see also this post which gives a way better explanation than I can. How to securely save username/password (local)?

If I misunderstood the question in some way, tell me, I will try to update the answer.

NOTE that modern/metro apps do not have this problem, although they still are accessible in other ways.

Vault uses DPAPI. You can check that if you run the command "vaultcmd /listproperties:"Web Credentials"" — Simon Mourier, Aug 14 '17 at 16:36
@usefulBee - I never said this answer was wrong, and I didn't downvoted either if this was your concern :-) — Simon Mourier, Aug 18 '17 at 06:15

stybl · Answer 2 · 2017-08-18T23:13:19.697

The hard truth is that storing a password in a desktop application, 100% securely is simply not possible. However, you can get close to 100%.

Regarding your original approach, PasswordVault uses the Credential Locker service which is built into windows to securely store data. Credential Locker is bound to the user's profile. Therefore, storing your data via PasswordVault is essentially equivalent to the master password approach to protecting data, which I talk about in detail further down. Only difference is that the master password in that case is the user's credentials. This allows applications running during the user's session to access the data.

Note: To be clear, I'm strictly talking about storing it in a way that allows you access to the plain text. That is to say, storing it in an encrypted database of any sort, or encrypting it yourself and storing the ciphertext somewhere. This kind of functionality is necessary in programs like password managers, but not in programs that just require some sort of authentication. If this is not a necessity then I strongly recommend hashing the password, ideally per the instructions laid out in this answer by zaph. (Some more information in this excellent post by Thomas Pornin).

If it is a necessity, things get a bit more complicated: If you want to prevent other programs (or users I suppose) from being able to view the plaintext password, then your only real option is to encrypt it. Storing the ciphertext within PasswordVault is optional since, if you use good encryption, your only weak point is someone discovering your key. Therefore the ciphertext itself can be stored anywhere. That brings us to the key itself.

Depending on how many passwords you're actually trying to store for each program instance, you might not have to worry about generating and securely storing a key at all. If you want to store multiple passwords, then you can simply ask the user to input one master password, perform some salting and hashing on that, and use the result as the encryption key for all other passwords. When it is time for decryption, then ask the user to input it again. If you are storing multiple passwords then I strongly urge you to go with this approach. It is the most secure approach possible. For the rest of my post however, I will roll with the assumption that this is not a viable option.

First off I urge you not to have the same key for every installation. Create a new one for every instance of your program, based on securely generated random data. Resist the temptation to "avoid having to store the key" by having it be generated on the fly every time it is needed, based on information about the system. That is just as secure as hardcoding string superSecretKey = "12345"; into your program. It won't take attackers long to figure out the process.

Now, storing it is the real tricky part. A general rule of infosec is the following:

Nothing is secure once you have physical access

So, ideally, nobody would. Storing the encryption keys on a properly secured remote server minimizes the chances of it being recovered by attackers. Entire books have been written regarding server-side security, so I will not discuss this here.

Another good option is to use an HSM (Hardware Security Module). These nifty little devices are built for the job. Accessing the keys stored in an HSM is pretty much impossible. However, this option is only viable if you know for sure that every user's computer has one of these, such as in an enterprise environment.

.Net provides a solution of sorts, via the configuration system. You can store your key in an encrypted section of your app.config. This is often used for protecting connection strings. There are plenty of resources out there on how to do this. I recommend this fantastic blog post, which will tell you most of what you need to know.

The reason I said earlier not to go with simply generating the key on the fly is because, like storing it as a variable in your code, you rely exclusively on obfuscation to keep it secure. The thing about this approach is that it usually doesn't. However, sometimes you have no other option. Enter White Box cryptography.

White box cryptography is essentially obfuscation taken to the extreme. It is meant to be effective even in a white-box scenario, where the attacker both has access to and can modify the bytecode. It is the epitome of security through obscurity. As opposed to mere constant hiding (infosec speak for the string superSecretKey approach) or generating the key when it is needed, white box cryptography essentially relies on generating the cipher itself on the fly.

Entire papers have been written on it, It is difficult to pull off writing a proper implementation, and your mileage may vary. You should only consider this if you really really really want to do this as securely as possible.

Obfuscation however is still obfuscation. All it can really do is slow the attackers down. The final solution I have to offer might seem backwards, but it works: Do not hide the encryption key digitally. Hide it physically. Have the user insert a usb drive when it is time for encryption, (securely) generate a random key, then write it to the usb drive. Then, whenever it is time for decryption, the user only has to put the drive back in, and your program reads the key off that.

This is a bit similar to the master password approach, in that it leaves it up to the user to keep the key safe. However, it has some notable advantages. For instance, this approach allows for a massive encryption key. A key that can fit in a mere 1 megabyte file can take literally billions of years to break via a brute force attack. Plus, if the key ever gets discovered, the user has only themselves to blame.

In summary, see if you can avoid having to store an encryption key. If you can't, avoid storing it locally at all costs. Otherwise, your only option is to make it as hard for hackers to figure it out as possible. No matter how you choose to do that, make sure that every key is different, so even if attackers do find one, the other users' keys are safe.

Well actually this is an interesting answer and contains useful information, but it does not answer the original question. The OP already tries to use the PasswordVault, _because_ he wants to store the keys safely. — martinstoeckli, Aug 18 '17 at 11:27
@martinstoeckli I was in the process of adding some info about that. OP mentioned that in their tests other applications could access what he stored, so in that case the only way to protect his app's data is to encrypt it. At that point however, using passwordvault at all becomes redundant, since the data is encrypted anyway. Now, with OP having given up that specific approach (see their edit), I think they'll need the extra info. — stybl, Aug 18 '17 at 11:36
Maybe the only problem was, that the OP was not aware that the data protection api is either bound to the logged in user or the machine, in both cases other applications would get access, other users would not. — martinstoeckli, Aug 18 '17 at 11:41
@martinstoeckli Well, now that they are, they will need an alternative way to solve the problem of securely storing their data, so I hope my answer is still useful to them. — stybl, Aug 18 '17 at 11:56

Akash Kava · Answer 3 · 2017-08-18T11:55:43.997

Only alternative is to encrypt password with your own private key stored somewhere in your code. (Someone can easily disassemble your code and get the key) and then store encrypted password inside PasswordVault, however the only security you have is any app will not have access to password.

This is dual security, in case of compromised machines, attacker can get access to PasswordVault but not your password as they will need one more private key to decrypt the password and that will be hidden somewhere in your code.

To make it more secure, if you leave your private key on your server and expose an API to encrypt and decrypt password before storing in Vault, will make it most secure. I think this is the reason people have moved on to OAuth (storing OAuth token in PasswordVault) etc rather then storing password in vault.

Ideally, I would recommend not storing password, instead get some token from server and save it and use that token for authentication. And store that token in PasswordVault.

@martinstoeckli did you even read my answer? I am saying store password after encryption with private key. Eventually I have never said not to use PasswordVault. — Akash Kava, Aug 18 '17 at 11:49

score 2 · Answer 4 · answered Aug 20 '17 at 14:35

It is always possible to push the security, with miscellaneous encryption and storage strategies. Making something harder is only making the data retrieval longer, never impossible. Hence you need to consider the most appropriate level of protection considering execution cost x time (human and machine) and development cost x time aspects.

If I consider strictly your request, I would simply add a layer (class, interface) to cipher your passwords. Best with asymmetrical encryption (and not RSA). Supposing the other softs are not accessing your program data (program, files OR process), this is sufficient. You can use SSH.NET (https://github.com/sshnet/SSH.NET) to achieve this quickly.

If you would like to push the security and give a certain level of protection against binary reverse-engineering (including the private key retrieval), I recommend a small (process limited) encrypted VM (like Docker, https://blogs.msdn.microsoft.com/mvpawardprogram/2015/12/15/getting-started-with-net-and-docker/) based solution such as Denuvo (https://www.denuvo.com/). The encryption is unique per customer and machine based. You'll have to encapsulated you c# program into a c/c++ program (which acts like a container) that will do all the in-memory ciphering-deciphering.

You can implement your own strategy, depending on the kind of investment and warranty you require.

In case your program is a backend program, you can pick the best strategy (the only I really recommend) of all which is to store the private key at the client side, public key at backend side and have local deciphering, all transmitted password would be hence encrypted. I would like to remark that password and keys are actually different strategies to achieve the same goal: checking if the program talks to the right person without knowing the person's identity; I mean this: instead of storing passwords, better store directly public keys.

PasswordVault security when used from Desktop app

4 Answers4

Linked

Related