4 Protocol Examples
To illustrate the working of the BackupKey Remote Protocol, this section sketches the process used in Windows for protecting user secrets with the Data Protection Application Program Interface (DPAPI). This example uses the ClientWrap subprotocol, but it can be adapted to illustrate the ServerWrap subprotocol with few changes. For more information about DPAPI, see [MSDN-DPAPI].
In this example, a Windows user, who is logged on to a domain-joined computer running Windows Vista, creates a new RSA key pair for signing his e-mail. This causes the DPAPI function CryptProtectData to be invoked to protect the private key. This leads to the following sequence of events:
- DPAPI generates a symmetric key, known as the DPAPI master key, and uses this to encrypt the user's private key.
- DPAPI then makes two copies of this master key. One copy is encrypted with a key derived from the user's logon credentials and stored locally.
- DPAPI attempts to use the BackupKey Remote Protocol to wrap the second copy of the master key.
- If DPAPI is unable to locate a local copy of the BackupKey server's ClientWrap public key, it makes a BackuprKey request to the server with the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID parameter. It receives the server's ClientWrap public key and stores it in a local cache.
- DPAPI then uses the BackupKey server's ClientWrap public key to perform client-side wrapping of its master key, as specified in section 22.214.171.124. It stores the result locally.
When the user subsequently attempts to sign his e-mail, the signing application causes the DPAPI function CryptUnprotectData to be invoked. This leads to the following sequence of events:
- DPAPI obtains the DPAPI master key by decrypting the copy that was encrypted with the user's credentials, and it uses this to decrypt the user's private key.
- The user is able to sign his e-mail.
- The BackupKey Remote Protocol is not invoked.
Now assume that at some later date, the user forgets his password and has to ask the domain administrator to reset it for him. Now when he tries to sign his e-mail, the signing application causes the DPAPI function CryptUnprotectData to be invoked once again. This time, it leads to the following sequence of events:
DPAPI attempts to decrypt the copy of the master key encrypted with the user's logon credentials. This fails, as the user's credentials have changed.
DPAPI retrieves the copy of the master key that was wrapped with the BackupKey server's public key, and it sends the copy to the server for unwrapping using a BackuprKey request with the BACKUPKEY_RESTORE_GUID parameter.
The BackuprKey call succeeds, and DPAPI obtains the unwrapped master key from the server.
DPAPI is able to decrypt the user's private key, and the user is able to sign his e-mail.