cloudapkd 🛠️

dpapi::cloudapkd uses DPAPI to decrypt the ProofOfPossesionKey (extracted from a Primary Refresh Token, a.k.a. PRT, e.g. cloudap) and thus recover the Clear key and the Derived Key.
  • /prt: Primary Refresh Token, used for JWT token generation (can be found with sekurlsa::cloudap)
  • /iat: Issued At, used for JWT token generation (Default: -112)
  • /pop: Proof-of-Possession (Unknown usage, Work In Progress)
  • /label: Object label, can be retrieved from keyvalue with unprotect
  • /context: Used for JWT token generation (can be found with unprotect)
  • /keyname: Necessary for opaque keys (for example, when a TPM is used) during the unprotect operation
  • /keyvalue: Part of ProofOfPossesionKey, can be found with sekurlsa::cloudap. Unprotect this data to retrieve context, label, clearkey and derivedkey
  • /derivedkey: Used for JWT token generation (can be found with unprotect)
  • /unprotect: Decrypt the secret from DPAPI (masterkey is optional, but token::elevate is required)
  • /masterkey: Master DPAPI key used to unprotect the secret (can be retrieved from sekurlsa::dpapi). This field is not mandatory; if absent, the key will be found automatically
