Q. What does System Key actually protect my passwords from?

A. System Key enables stronger encryption of the account passwords stored in the registry in the SAM (Security Account Manager) database. With System Key installed, the passwords have enhanced encryption in the SAM. Note that this applies only to the passwords and not, for example, to the user names.

When System Key encryption has been enabled, backups of the SAM database are also encrypted, for example on backup tapes, RDISK and %systemroot%\repair, which are often used to crack passwords.

System Key is used to make decrypting or cracking your passwords from the SAM more difficult and time consuming. Crackers such as L0pht Crack, John the Ripper and Crack 5 with NT Extensions are often used to break NT password hashes. These use dictionary and brute force techniques. L0pht Crack now uses a form of intelligent brute forcing, which is the next generation of crackers.

- System Key prevents SAM dumping with the tool built into L0pht Crack 2.5.

- System Key prevents SAM dumping with the tool pwdump.

- System Key does not stop SAM dumping with the tool pwdump2, which uses DLL injection, a technique different from pwdump's.

- System Key does not prevent password cracking or decryption.

- System Key reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it. Todd Sabin of Bindview (www.bindview.com), the author of pwdump2, discovered this exploit in December 1999.

- System Key still increases the time and complexity to crack password hashes.

Note: pwdump and pwdump2 require administrator access to be used.
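
Why the keystream reuse noted in the list above weakens the encryption, shown on a toy model. This is an added example, not code from this FAQ, Microsoft or pwdump2. Assumptions: RC4 stands in for the stream cipher (the FAQ does not name one), the key and the two 16-byte records are constructed sample data, and the salted variant only illustrates the general remedy of a unique keystream per record, not the MS99-056 patch.

```python
import hashlib
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: XOR data with the keystream generated from key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_reused(key: bytes, record: bytes) -> bytes:
    """Weak: every record is encrypted under the same keystream."""
    return rc4(key, record)

def encrypt_unique(key: bytes, record: bytes):
    """Corrected: a random per-record salt is mixed into the key."""
    salt = os.urandom(16)
    return salt, rc4(hashlib.sha256(key + salt).digest(), record)

def recover_with_known_plaintext(c_known, p_known, c_target):
    """With a shared keystream C1^C2 == P1^P2, so one known record reveals another."""
    return xor(xor(c_known, c_target), p_known)

# Constructed sample data: two 16-byte stand-ins for stored hash values.
KEY = b"constructed-demo-key"
P1 = bytes.fromhex("00112233445566778899aabbccddeeff")
P2 = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def demo():
    """Return (relation holds with reused keystream, relation holds with unique keystreams)."""
    c1, c2 = encrypt_reused(KEY, P1), encrypt_reused(KEY, P2)
    leaked = recover_with_known_plaintext(c1, P1, c2) == P2
    (_, u1), (_, u2) = encrypt_unique(KEY, P1), encrypt_unique(KEY, P2)
    still_leaks = recover_with_known_plaintext(u1, P1, u2) == P2
    return leaked, still_leaks

if __name__ == "__main__":
    print(demo())
```

With the reused keystream the key is never needed: knowing one record is enough to read another. With a unique keystream per record that relation no longer holds.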

System Key affects the following system components:
- %systemroot%\system32\config\sam (HKEY_LOCAL_MACHINE\SAM)
- %systemroot%\system32\config\security (HKEY_LOCAL_MACHINE\Security)

and three system security component files: Winlogon.exe, Samsrv.dll, Samlib.dll

For installing System Key, also see "Q. How do I use the System Key functionality of Service Pack 3?"

For more information on System Key see Q143475 at http://support.microsoft.com/support/kb/articles/q143/4/75.asp

For information on the "System Key Keystream Reuse" Vulnerability and patch see http://www.microsoft.com/security/bulletins/ms99-056.asp

Contributed by Nathan House


This FAQ is copyright © 2000 John Savill (SavillTech Ltd). No part of this document should be reproduced, distributed or altered without my written permission. Contact Information.