I came across Michael Muckin’s paper titled Windows Vista Security Internals in Blackhat archives recently. The paper begins with an introduction to Vista logon/security architecture1 changes vis-a-vis Windows XP and goes onto Vista crypto architecture (CNG, BCrypt, NCrypt). The paper ends with analysis of Vista SP1 changes in lsasrv.dll functions LsaInitializeProtectedMemory and LsaEncryptMemory, two functions involved in protecting in-memory password hashes2 in Vista. Here is a quote from the paper –
At a high level, the protection mechanisms that encrypt in-memory password hashes have completely changed. Prior to Vista SP1, the primary mechanism used to perform the in-memory encryption was DES. Actually, it is a Microsoft specific implementation of DES called DESX (DES Extended). In Vista SP1 (and Windows Server 2008), Microsoft has applied the new CNG functions to protect the in-memory hashes. The algorithms used to perform these functions are 3DES and AES.
Interesting read.
1Assessment of Windows Vista Kernel-Mode Security by Matthew Conover, Principal Security Researcher, Symantec Corporation touches upon many aspects of kernel mode Vista security enhancements.
2Read more about in-memory hashes and how they can be used to authenticate without knowing the original password (referred to as pass-the-hash technique) and among other fun things, potentially gain domain administrator privileges here.
