
I understand that Windows DPAPI master keys are encrypted (directly or indirectly) with the user's login password - see e.g. Does DPAPI works if a user hasn't a login password?

If I understand that correctly, it means that physical access to the computer isn't enough to get the master key.

If I enable fingerprint login (in Windows 8.1, if it matters), what changes? I can now log in with either my password or my fingerprint. Does Windows then store a duplicate copy of the master key encrypted with my fingerprint data?

The obvious concern is that stealing my fingerprint and my computer is then enough to decrypt the master key.

EDIT: or, even worse, given Is it possible to reliably derive a key from a biometric fingerprint?, is there a completely unencrypted copy?

  • Answer deleted since Thomas' is better, but point remains: DPAPI doesn't generally prevent someone who steals the machine from stealing your data. See [CryptProtectMemory](http://msdn.microsoft.com/en-us/library/windows/desktop/aa380262.aspx) for more details. – Billy ONeal Oct 08 '14 at 19:55

1 Answer


If you don't log in with a password, but instead with a fingerprint, then DPAPI plays an elaborate charade of encrypting keys with other keys, but the tower of encryptions must still end at some point. So what really happens in that case is that someone who steals your laptop will be able to extract all your secrets -- albeit with a substantial amount of reverse-engineering and cursing (though it can be widely automated, of course).

Or possibly quite easily. Indeed, right beside the fingerprint reader are 90+ keyboard keys, each of which is adorned with a copy of the fingerprint of one of your fingers. Fooling the fingerprint reader with a printout of one of your fingerprints might be easier than wading through the swamp of encryption layers produced by the Microsoft developers. The raw truth remains that all these encryption layers are just smoke and mirrors: since the fingerprint itself cannot be converted into information suitable for cryptography (you cannot reliably turn a fingerprint into a key, contrary to a password), then your laptop with fingerprint-based login really contains, as it is, all the information needed to recover your DPAPI secrets.

Thomas Pornin
  • If the data is encrypted at rest (e.g. BitLocker or TrueCrypt) then physical access may not be sufficient without a key. But that's not the question the user asked... – Billy ONeal Oct 08 '14 at 19:33
  • Regardless of encryption, if the genuine user can access the data with just his finger but without typing any password, then it is essentially unavoidable that someone who steals the laptop can do the same (this would not be true if the laptop contains a TPM _and_ the fingerprint comparison is done within the TPM against a reference fingerprint encrypted with a key stored in the TPM -- but I don't believe it works that way even when a TPM is present). – Thomas Pornin Oct 08 '14 at 19:47
  • Ah, I see. +1 then :). – Billy ONeal Oct 08 '14 at 19:53
  • Your reasoning makes sense and chimes with my initial concern. Do you or anyone else know of any sources that confirm what Windows actually does? – GS - Apologise to Monica Oct 08 '14 at 20:39
  • If anything... the lack of an answer on a two-year old question on the msft forums might answer your question! http://social.msdn.microsoft.com/Forums/sqlserver/en-US/91deb83c-ab79-4bf1-9bc9-668d62b946c5/fingerprint-and-data-protection-encryption – Desthro Oct 08 '14 at 22:45
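The "tower of encryptions must end somewhere" argument from the answer, as an added toy model that is not Windows' or DPAPI's actual code: a master key is wrapped once under a password-derived key and once under a stored "fingerprint unlock" key, and only the chain whose root secret is on the disk can be followed from the disk alone. All names, the wrap construction and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed toy model of a DPAPI-style key hierarchy; it does not parse or
# reproduce the real DPAPI format. Two copies of one master key are kept:
# one wrapped under a password-derived key, one under a "fingerprint unlock" key.

def _keystream(key, label, n):
    """n bytes of HMAC-SHA256 counter-mode keystream (toy wrap, not a real AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key, secret):
    return bytes(a ^ b for a, b in zip(secret, _keystream(key, b"wrap", len(secret))))

unwrap = wrap  # XOR with the same keystream undoes the wrap

def password_key(password, salt):
    """Password path: the unwrapping key is derived on demand and never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def provision(password, master_key):
    """Build the 'disk'. The fingerprint copy needs a stored unlock key, because a
    fingerprint template cannot be turned into a stable key the way a password can."""
    salt, fp_unlock_key = os.urandom(16), os.urandom(32)
    return {
        "salt": salt,
        "mk_under_password": wrap(password_key(password, salt), master_key),
        "mk_under_fingerprint": wrap(fp_unlock_key, master_key),
        "fp_unlock_key_on_disk": fp_unlock_key,  # bottom of the tower, stored locally
    }

def recover_from_disk_only(disk):
    """With only the stolen disk, the chain whose root is stored can be followed."""
    return unwrap(disk["fp_unlock_key_on_disk"], disk["mk_under_fingerprint"])

def recover_with_password(disk, password):
    """The password chain needs a secret that is not on the disk at all."""
    return unwrap(password_key(password, disk["salt"]), disk["mk_under_password"])

MASTER_KEY = bytes(range(32))                  # constructed sample master key
DISK = provision("correct horse", MASTER_KEY)  # constructed sample password

if __name__ == "__main__":
    print("disk only  :", recover_from_disk_only(DISK) == MASTER_KEY)         # True
    print("wrong pass :", recover_with_password(DISK, "guess") == MASTER_KEY)  # False
```

The comment's TPM caveat corresponds to moving `fp_unlock_key_on_disk` off the disk into hardware that only releases it after a successful match, which is what would break the disk-only recovery here.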