Securing data to a process identity

Giganews Newsgroups
Subject: Securing data to a process identity
Posted by:  Steve Schuler (sjsc…@safeco.com)
Date: Mon, 3 Mar 2008

Hello all -

I've been looking for a way to do this, and I'm hoping someone either can
point me at the obvious API that does this that I somehow missed after
searching long and hard, or else can comment on an idea I'll outline below
that I think would get me there.

First, here's what I'm trying to do: I want something similar to DPAPI, but
with process identity granularity. I'm going to have an administrative UI
that would take a service ID and password, call LogonUser, and then call my
encryption API to encrypt data based on something unique to the security
context created by LogonUser. Later, I want a process configured to run as
that service ID / password identity - and *only* processes running with that
identity - to be able to call a decryption API on that data. (As for why I
want this, it's to provide a "vault" to applications in a shared
environment, where I don't want to require that applications "trust" each
other. Machine-level DPAPI is inadequate for this, since any application can
decrypt another app's secrets.)

So maybe I've missed an obvious way you do this in Windows, and someone can
point me at the right API ... but if not, here's my idea:

An obvious secret associated with the process' identity is the password
hash, but how to get at it - there's no API that I can find that would let
me do that. (Of course there are hacker tools that do this using kernel mode
code, but I don't want anything so messy.) Now here's the idea: I do both
client and server sides of the NTLM challenge / response using SSPI (I have
code that does this already from something else), but I don't really do the
server side that would be generating a random challenge. Instead I feed a
constant pre-baked challenge packet to the second call to
InitializeSecurityContext, so that I get the same challenge response packet
every time, but one which still depends uniquely on the caller's security
context. That challenge response could then be used in a CryptDeriveKey call
to get the actual reversible encryption key.

I'd appreciate any comments.

Thanks,
Steve Schuler
Safeco Insurance

Please reply to the group. If you also want to send private email, I can be
reached at sjschu AT safeco DOT com

Replies