Often in your own applications, there is the need to securely store informationpasswords, database connection strings, credit card numbers . For some time now, versions of Windows have included the protected storage system (PStore), a system service that includes several APIs for generating and storing keys. Most applications used PStore to store passwordsolder versions of Internet Explorer, Outlook, and Outlook Express stored their passwords in the PStore. Microsoft has deprecated the PStore ; indeed, there is no guarantee that it will continue to exist after Windows XP and Windows Server 2003. [9] It is also not secure and should not be used any longer for that reason alone.
[9] http://msdn.microsoft.com//library/en-us/devnotes/winprog/pstore.asp.
Beginning with Windows 2000, the Data Protection API [10] (DPAPI) is the preferred method for applications that need to store secrets. DPAPI is much easier to use than PStore: there are only two calls, CryptProtectData() and CryptUnprotectData() . With DPAPI, there is no need for you to manage keys in your applications because this is all handled by the operating system. For every user on a computer, DPAPI generates a strong master key. To protect this key, DPAPI uses PKCS #5 to generate a key from the user's password and encrypts the master key with this password-derived key. DPAPI then stores the encrypted master key in the user 's profile. When an application calls CryptProtectData() , DPAPI generates a session key based on the master key and some random bits. DPAPI uses this session key to encrypt the data passed to the function. It also stores the random bits in the encrypted blob so that it can regenerate the key when the application calls CryptUnprotectData() . The full session key is never stored anywhere .
[10] See http://msdn.microsoft.com/library/en-us/dnsecure/html/windataprotection-dpapi.asp and http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx for good discussions.
Should you want to verify whether an application uses these APIs you can, but you need a development environment to do so. Microsoft's Visual Studio comes with a tool called dumpbin . If you run it with the /imports switch, it will tell you which libraries a particular binary imports, and which functions within that library it uses. If you find crypt32.dll being imported, it means that the application is at least using properly tested cryptographic functions. Whether it uses them properly itself is a different matter. However, seeing that library should make you feel better than if you see the function "MySuperSecretCrypto" being called.