dissect.target.plugins.os.windows.dpapi.crypto

Module Contents

Classes

Functions

pbkdf2

Implementation of PBKDF2 that allows specifying the digest algorithm.

dpapi_hmac

Internal function used to compute HMACs of DPAPI structures.

crypt_session_key_type1

Computes the decryption key for a Type1 DPAPI blob, given the master key and optional information.

crypt_session_key_type2

Computes the decryption key for a Type2 DPAPI blob, given the masterkey and optional information.

derive_password_hash

Internal use. Computes the encryption key from a user's password hash.

Attributes

dissect.target.plugins.os.windows.dpapi.crypto.CIPHER_ALGORITHMS: dict[int | str, CipherAlgorithm]
dissect.target.plugins.os.windows.dpapi.crypto.HASH_ALGORITHMS: dict[int | str, HashAlgorithm]
class dissect.target.plugins.os.windows.dpapi.crypto.CipherAlgorithm
  id: int
  name: str
  key_length: int
  iv_length: int
  block_length: int
  classmethod __init_subclass__()
  classmethod from_id(id: int) -> CipherAlgorithm
  classmethod from_name(name: str) -> CipherAlgorithm
  derive_key(key: bytes, hash_algorithm: HashAlgorithm) -> bytes

  Mimics the corresponding native Microsoft function.

  decrypt_with_hmac(data: bytes, key: bytes, iv: bytes, hash_algorithm: HashAlgorithm, rounds: int) -> bytes
  abstract decrypt(data: bytes, key: bytes, iv: bytes | None = None) -> bytes
class dissect.target.plugins.os.windows.dpapi.crypto.HashAlgorithm
  id: int
  name: str
  digest_length: int
  block_length: int
  classmethod __init_subclass__()
  classmethod from_id(id: int) -> HashAlgorithm
  classmethod from_name(name: str) -> HashAlgorithm | None
dissect.target.plugins.os.windows.dpapi.crypto.pbkdf2(passphrase: bytes, salt: bytes, key_len: int, iterations: int, digest: str = 'sha1') -> bytes

Implementation of PBKDF2 that allows specifying the digest algorithm.

Returns the corresponding expanded key, which is key_len bytes long.

dissect.target.plugins.os.windows.dpapi.crypto.dpapi_hmac(pwd_hash: bytes, hmac_salt: bytes, value: bytes, hash_algorithm: HashAlgorithm) -> bytes

Internal function used to compute HMACs of DPAPI structures.

dissect.target.plugins.os.windows.dpapi.crypto.crypt_session_key_type1(master_key: bytes, nonce: bytes | None, hash_algorithm: HashAlgorithm, entropy: bytes | None = None, strong_password: str | None = None, smart_card_secret: bytes | None = None, verify_blob: bytes | None = None) -> bytes

Computes the decryption key for a Type1 DPAPI blob, given the master key and optional information.

This function reproduces a faulty HMAC implementation from Microsoft that does not respect the HMAC RFC: instead of updating the inner pad, it updates the outer pad. The same algorithm is also used when checking the HMAC for integrity after decryption.

Parameters:
  • master_key – Decrypted master key (should be 64 bytes long).

  • nonce – This is the nonce contained in the blob or the HMAC in the blob (integrity check).

  • hash_algorithm – A HashAlgorithm to use for calculating block sizes.

  • entropy – This is the optional entropy from CryptProtectData() API.

  • strong_password – Optional password used for decryption or the blob itself.

  • smart_card_secret – Optional MS Next Gen Crypto secret (e.g. from PIN code).

  • verify_blob – Optional encrypted blob used for integrity check.

Returns:

decryption key

dissect.target.plugins.os.windows.dpapi.crypto.crypt_session_key_type2(masterkey: bytes, nonce: bytes, hash_algorithm: HashAlgorithm, entropy: bytes | None = None, strong_password: str | None = None, smart_card_secret: bytes | None = None, verify_blob: bytes | None = None) -> bytes

Computes the decryption key for a Type2 DPAPI blob, given the masterkey and optional information.

This implementation relies on an RFC-compliant HMAC implementation. The same algorithm is also used when checking the HMAC for integrity after decryption.

Parameters:
  • masterkey – Decrypted master key (should be 64 bytes long).

  • nonce – This is the nonce contained in the blob or the HMAC in the blob (integrity check).

  • hash_algorithm – A HashAlgorithm to use for calculating block sizes.

  • entropy – This is the optional entropy from CryptProtectData() API.

  • strong_password – Optional password used for decryption or the blob itself.

  • smart_card_secret – Optional MS Next Gen Crypto secret (e.g. from PIN code). Only for API compatibility.

  • verify_blob – Optional encrypted blob used for integrity check.

Returns:

decryption key
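
The difference between the two derivations described above (an outer-pad update for Type1, an RFC-compliant HMAC for Type2), as an added sketch that is not dissect's own code. The function names and sample values are hypothetical, master-key pre-processing is left out, and it assumes "updating the outer pad" means the optional data after the nonce is hashed into the outer digest.

```python
import hashlib
import hmac


def _pads(key: bytes, digest: str) -> tuple[bytes, bytes]:
    """Build the HMAC inner and outer pads for a key of at most one block."""
    block = hashlib.new(digest).block_size
    if len(key) > block:
        raise ValueError("key longer than one hash block; pre-hash it first")
    key = key.ljust(block, b"\x00")
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)


def session_key_rfc(key: bytes, nonce: bytes, extra: bytes = b"",
                    digest: str = "sha1") -> bytes:
    """RFC 2104 layout: nonce and optional data all go into the inner hash."""
    ipad, opad = _pads(key, digest)
    inner = hashlib.new(digest, ipad + nonce + extra).digest()
    return hashlib.new(digest, opad + inner).digest()


def session_key_outer_update(key: bytes, nonce: bytes, extra: bytes = b"",
                             digest: str = "sha1") -> bytes:
    """Non-RFC layout (assumed): optional data is appended to the outer hash."""
    ipad, opad = _pads(key, digest)
    inner = hashlib.new(digest, ipad + nonce).digest()
    return hashlib.new(digest, opad + inner + extra).digest()


# Constructed sample values, not taken from any real blob.
KEY = bytes(range(20))
NONCE = b"\xaa" * 16
ENTROPY = b"constructed-entropy"

if __name__ == "__main__":
    # The RFC layout agrees with the standard library's HMAC.
    reference = hmac.new(KEY, NONCE + ENTROPY, "sha1").digest()
    print("rfc == stdlib hmac:", session_key_rfc(KEY, NONCE, ENTROPY) == reference)
    # Without optional data both layouts hash the same bytes.
    print("equal without entropy:",
          session_key_rfc(KEY, NONCE) == session_key_outer_update(KEY, NONCE))
    # With optional data the layouts diverge, so the blob type must be known.
    print("equal with entropy:",
          session_key_rfc(KEY, NONCE, ENTROPY)
          == session_key_outer_update(KEY, NONCE, ENTROPY))
```

The two layouts only diverge once entropy, a password or a verification blob is supplied, which is why a derivation that works on entropy-free blobs can still fail on others.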

dissect.target.plugins.os.windows.dpapi.crypto.derive_password_hash(password_hash: bytes, user_sid: str, digest: str = 'sha1') -> bytes

Internal use. Computes the encryption key from a user’s password hash.