分享程序员开发的那些事...
更新时间:2022-12-10 13:27:30
你真的不想存储Windows密码哈希,因为正如已经指出的那样,如果存在域控制器,哈希可用于模拟用户。实际上,知道Kerberos中的实际密钥与知道攻击者的密码一样糟糕。相反,你应该做的就是用不同于Windows的密码来使用和存储密码。我建议寻找一个像PBKDF2这样的好密码哈希的实现并使用它。请参阅***的实施列表。有关Kerberos用于腌制密码的信息,请参阅 RFC 3962 。 Windows使用该进程进行AES,并为NTLM和RC4 Kerberos使用不同的进程。
我有理由相信没有公开的API可用于比较Kerberos盐渍密码。我对NTLM API不太熟悉。
i know it's possible to validate user's Windows (e.g. domain) credentials programatically using:
LogonUser(username, password)There has come a time when i want to persist those credentails.
i'm using the Data Protection API (via the CredUI API) to encrypt the password. This means that the encrypted data can only be accessed by the user themselves. My program, running as the user, can then decrypt the protected data.
But it also means that a malicious program running as the user can decrypt the protected data; stealing the user's encrypted credentials.
i know that Windows itself does not store the user's password. What they store is the salted and hashed version of the password; and forms the "shared secret" between the user and Windows.
Is there an API that lets me ask Windows if a user's password is valid, when i know the salted hash of the password?
You really don't want to store the Windows password hash, because as has been pointed out that hash can be used to impersonate the user if a domain controller is present. In effect, knowing the actual key in Kerberos is as bad as knowing the password for an attacker. Instead, what you should do is salt the password with a different salt than Windows would use and store that. I'd recommend looking for an implementation of a good password hash like PBKDF2 and using that. See Wikipedia's list of implementations. For information on what Kerberos does for salting passwords see RFC 3962. Windows uses that process for AES, and uses a different process for NTLM and for RC4 Kerberos.
I'm reasonably sure that there is no public API exposed to compare Kerberos salted passwords. I am less familiar with the NTLM APIs.