
(12) United States Patent
Waltermann et al.
(10) Patent No.: US 7,818,567 B2
(45) Date of Patent: Oct. 19, 2010

(54) METHOD FOR PROTECTING SECURITY ACCOUNTS MANAGER (SAM) FILES WITHIN WINDOWS OPERATING SYSTEMS

(75) Inventors: Rod D. Waltermann, Rougemont, NC (US); David C. Challener, Raleigh, NC (US); Philip L. Childs, Raleigh, NC (US); Norman A. Dion, II, Cary, NC (US); James Hunt, Chapel Hill, NC (US); Nathan J. Peterson, Raleigh, NC (US); Randall S. Springfield, Chapel Hill, NC (US); David Rivera, Durham, NC (US); Arnold S. Weksler, Raleigh, NC (US)

(73) Assignee: Lenovo (Singapore) Pte. Ltd., Singapore (SG)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1057 days.

(21) Appl. No.: 11/535,542

(22) Filed: Sep. 27, 2006

(65) Prior Publication Data: US 2008/0076355 A1, Mar. 27, 2008

(51) Int. Cl.: H04L 29/06 (2006.01)

(52) U.S. Cl.: 713/165

(58) Field of Classification Search: 713/165, 189, 190, 193. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,380,136 B2 * 5/2008 Zimmer et al. 713/193
2003/0188179 A1 * 10/2003 Challener et al. 713/193

OTHER PUBLICATIONS
Roberta Bragg, Protecting the SAM with Syskey, informIT.*

* cited by examiner

Primary Examiner: Emmanuel L. Moise
Assistant Examiner: Ali S Abyaneh
(74) Attorney, Agent, or Firm: Antony P. Ng; Dillon & Yudell, LLP

(57) ABSTRACT

A method for protecting Security Accounts Manager (SAM) files within a Windows® operating system is disclosed. A SAM file key is generated by encrypting a SAM file via a syskey utility provided within the Windows® operating system. The SAM file encryption key is then stored in a virtual floppy disk by selecting an option to store the SAM file encryption key to a floppy disk under the syskey utility. A blob is generated by performing a Trusted Platform Module (TPM) Seal command against the SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key. The blob is stored in a non-volatile storage area of a computer.
12 Claims, 4 Drawing Sheets

[Front-page representative drawing: the FIG. 2 setup flow chart, reproduced on Sheet 2 of 4 below.]

[FIG. 1 (Sheet 1 of 4): block diagram of computing device 100; block labels not recoverable from the drawing.]

Setup process flow chart (Sheet 2 of 4):
200 START
210 ENABLE AND CONFIGURE TPM WITHIN COMPUTER
220 INSTALL VIRTUAL FLOPPY DISK DEVICE DRIVER
230 GENERATE A SAM FILE ENCRYPTION KEY VIA SYSKEY UTILITY
240 WRITE SAM FILE ENCRYPTION KEY TO VIRTUAL FLOPPY DISK
250 GENERATE BLOB BASED ON SAM FILE ENCRYPTION KEY
260 STORE BLOB IN NON-VOLATILE STORAGE
270 GENERATE SECOND BLOB
280 STORE SECOND ENCRYPTED BLOB IN A REMOVABLE STORAGE MEDIA
290 REMOVE REMOVABLE STORAGE MEDIA FROM COMPUTER
FIG. 2

Normal boot process flow chart (Sheet 3 of 4):
300 RETRIEVE SAM FILE ENCRYPTION KEY DURING POWER ON SELF-TEST (POST)
310 HOLD SAM FILE ENCRYPTION KEY IN SYSTEM MEMORY UNTIL NEEDED
320 PRESENT A VIRTUAL FLOPPY DRIVE TO WINDOWS OPERATING SYSTEM
330 TRAP AND RETURN SAM FILE ENCRYPTION KEY TO WINDOWS OPERATING SYSTEM
340 DECRYPT SAM FILE USING RETURNED ENCRYPTION KEY
350 CLEAR SAM FILE ENCRYPTION KEY FROM SYSTEM MEMORY
FIG. 3

Recovery process flow chart (Sheet 4 of 4):
400 (start)
410 BOOT COMPUTER SYSTEM VIA WINDOWS PE
420 RETRIEVE SECOND ENCRYPTED BLOB FROM STORAGE AND PASS TO BIOS FOR ITS NEXT BOOT
430 WRITE FLAG TO LET BIOS KNOW THAT SECOND ENCRYPTED BLOB IS ASSOCIATED WITH ADMINISTRATOR PASSWORD
440 BIOS READS SECOND ENCRYPTED BLOB ON REBOOT AND BIOS PROMPTS FOR ADMINISTRATOR PASSWORD
450 DECRYPT SAM FILE ENCRYPTION KEY USING ADMINISTRATOR PASSWORD
460 ENABLE TPM AND/OR GENERATE SRK ON MOTHERBOARD AS NEEDED
470 CLEAR FLAG
FIG. 4

METHOD FOR PROTECTING SECURITY ACCOUNTS MANAGER (SAM) FILES WITHIN WINDOWS OPERATING SYSTEMS

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to computer security in general, and, in particular, to a method for providing security management in computer systems. Still more particularly, the present invention relates to a method for protecting Security Accounts Manager (SAM) files within Windows® operating systems.

2. Description of Related Art

Within the family of Windows® operating systems manufactured by the Microsoft® Corporation, such as Windows® NT/2000/XP, a Security Accounts Manager (SAM) file is utilized to store various passwords to be applied to different user accounts within a local computer system and/or other computer systems on a computer network. If an unauthorized user can retrieve password information from a SAM file by hacking the SAM file within a computer system, the unauthorized user can access sensitive data on the computer system.

The Windows® operating system does provide a syskey utility for the encryption of SAM files, which somewhat strengthens the protection of SAM files by making them more difficult for a hacker to break. The syskey utility generates an encryption key by encrypting sensitive areas of a SAM file. The encryption key generated by the syskey utility can be either stored on a floppy disk (which is required when the Windows® operating system is being loaded during system startup) or stored in a hard drive using a "complex obfuscation algorithm" (as described by Microsoft®).

While the storage of an encryption key in a floppy disk provides additional security over the storage of the encryption key in a hard drive of a computer system, it is also less convenient because all users that share the computer system are required to have a floppy disk that contains the encryption key in order to access the computer system. In addition, multiple copies of floppy disks can increase the likelihood of the floppy disk being lost, and without the floppy disk, the owner of the floppy disk cannot access the computer system.

Consequently, it would be desirable to provide an improved method for protecting SAM files within Windows® operating systems.

SUMMARY OF THE INVENTION

In accordance with a preferred embodiment of the present invention, a SAM file encryption key is generated by encrypting a SAM file via a syskey utility provided within a Windows® operating system. The SAM file encryption key is then stored in a virtual floppy disk by selecting an option to store the SAM file encryption key to a floppy disk under the syskey utility. A blob is generated by performing a Trusted Platform Module (TPM) Seal command against the SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key. The blob is stored in a non-volatile storage area of a computer.

All features and advantages of the present invention will become apparent in the following detailed written description.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention itself, as well as a preferred mode of use, further objects, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram of a computing device in which a preferred embodiment of the present invention is incorporated;

FIG. 2 is a high-level logic flow diagram of a method for setting up a computer for protecting a Security Accounts Manager (SAM) file within a Windows® operating system, in accordance with a preferred embodiment of the present invention;

FIG. 3 is a high-level logic flow diagram of a method for performing a normal boot process after the setup process from FIG. 2 has been completed, in accordance with a preferred embodiment of the present invention; and

FIG. 4 is a high-level logic flow diagram of a method for booting a computer by using a backup key, in accordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring now to the drawings and in particular to FIG. 1, there is depicted a block diagram of a computing device in which a preferred embodiment of the present invention is incorporated. As shown, a computing device 100 includes a processing unit 102 and a memory 104. Memory 104 includes a volatile memory (such as a random access memory) and a non-volatile memory (such as a read-only memory). Computing device 100 also contains removable storage media devices 108, such as compact discs, optical disks, magnetic tapes, etc., and non-removable storage devices 110, such as hard drives. In addition, computing device 100 may contain communication channels 112 for providing communications with other systems on a computer network 120. Computing device 100 also includes input components 114 such as a keyboard, mouse, etc., and output components 116 such as displays, speakers, printers, etc.

In accordance with a preferred embodiment of the present invention, a Trusted Platform Module (TPM) is used in conjunction with modifications to a basic input/output system (BIOS) for providing protection to an encryption key generated by the syskey utility intended to be used for the encryption of a Security Accounts Manager (SAM) file within a Windows® operating system. The TPM allows secure generation of cryptographic keys, and limits the use of those keys to either signing/verification or encryption/decryption, as is known to those skilled in the art. There are three main components to the method of the present invention, namely, setup, boot up and recovery.

Setup Process

With reference now to FIG. 2, there is depicted a high-level logic flow diagram of a method for setting up a computer for protecting a SAM file within a Windows® operating system, in accordance with a preferred embodiment of the present invention. Starting at block 200, a Trusted Platform Module (TPM) within the computer is enabled and configured using methods that are known to those skilled in the art, as shown in block 210. In addition, a virtual floppy disk device driver that emulates the presence of a physical floppy drive is installed, as depicted in block 220. Instead of requiring the presence of a physical floppy drive, the virtual floppy disk device driver basically causes the data to be written to a system memory.

A SAM file encryption key is generated by encrypting a SAM file with a 128-bit key (16 bytes) via the syskey utility provided within the Windows® operating system, as shown in block 230. The SAM file encryption key is then written to the virtual floppy disk (instead of a physical floppy disk) by selecting the option to store the SAM file encryption key to a floppy disk in the syskey utility, as depicted in block 240.

Next, a 256-byte blob is generated based on the SAM file encryption key, as shown in block 250. The 256-byte blob of data is generated by reading the SAM file encryption key from the virtual floppy disk and by performing a TPM Seal command against the SAM file encryption key along with the value stored in register 0 of a Platform Configuration Register (PCR) and a TPM Storage Root Key (SRK). The 256-byte blob is then passed to the BIOS for storage in a non-volatile storage area of the computer, such as a flash memory or a hard disk drive, as depicted in block 260.

Because the protection of the SAM file encryption key is tied to the TPM SRK, there must be a recovery mechanism for the SAM file encryption key in case the motherboard is replaced or the TPM security chip is cleared. For such purpose, the SAM file encryption key must also be encrypted via some other mechanism. Thus, the SAM file encryption key is encrypted using an Advanced Encryption Standard (AES) key derived from the administrator password within the Windows® operating system to generate a second encrypted blob, as shown in block 270. The second encrypted blob can be stored on a removable storage media, such as a floppy disk, a universal serial bus (USB) key, etc., as depicted in block 280. The removable storage media is then removed from the computer system, as shown in block 290.

Normal Boot Process

Referring now to FIG. 3, there is shown a high-level logic flow diagram of a method of performing a system boot up after the setup process (from FIG. 2) has been completed, in accordance with a preferred embodiment of the present invention. A TPM Unseal command is performed on the 256-byte blob against the value of register 0 within the PCR (i.e., PCR 0) to retrieve the SAM file encryption key during power on self-test (POST), as shown in block 300. This is performed when the BIOS comes out of the boot block. The BIOS holds the SAM file encryption key in the system memory until it is needed, as depicted in block 310.

When the SAM file encryption key is needed during the system boot up, the BIOS then "tricks" the Windows® operating system into thinking it is reading the SAM file encryption key from a physical floppy disk drive. To this end, an INT 13h handler is utilized to present a virtual floppy drive to the Windows® operating system, as shown in block 320. Once the BIOS knows that the computer is booting from the hard drive, the INT 13h handler then traps the read request number to the floppy disk drive, and returns the SAM file encryption key to the Windows® operating system, as depicted in block 330.

The Windows® operating system is now able to decrypt the SAM file using the encryption key returned by the BIOS, and the Windows® operating system is loaded and continues as normal, as shown in block 340. The SAM file encryption key is no longer needed by the BIOS, so the SAM file encryption key should be cleared from the system memory, as depicted in block 350.

Recovery Process

With reference now to FIG. 4, there is depicted a high-level logic flow diagram of a method for performing a system boot up using the backup key, in accordance with a preferred embodiment of the present invention. Starting at block 400, an administrator, who would like to perform a system boot after a motherboard replacement, boots the computer system via Windows PE, as shown in block 410, which does not require the SAM file encryption key. From Windows PE, the second encrypted blob (i.e., the copy of the SAM file encryption key that was encrypted by the administrator password in block 270 of FIG. 2) is retrieved from its storage location and passed to the BIOS for retrieval on its next boot, as depicted in block 420. A flag is also written to let the BIOS know that the second encrypted blob is associated with the administrator password and not the TPM, as shown in block 430.

On reboot, the BIOS reads the second encrypted blob, and since there is a flag indicating that the second encrypted key was encrypted with the administrator password, the BIOS prompts for the administrator password, as depicted in block 440. The administrator password is then used to decrypt the SAM file encryption key, as shown in block 450. The INT 13h handler subsequently passes the SAM file encryption key to the Windows® operating system as described in the normal boot process (blocks 320-330 of FIG. 2).

After the Windows® operating system has been loaded, the TPM recovery process is run to enable the TPM and/or generate the SRK on the motherboard as needed, as depicted in block 460. Once the new SRK has been generated, the recovery process under the Windows® operating system can either re-generate the file encryption key, or decrypt the archive version of the SAM file encryption key using the administrator password, and re-seal it to the new SRK as described above.

The flag indicating that the BIOS is using a password-encrypted version of the key (from block 430) should be cleared, as shown in block 470, so that the BIOS knows that it is using the TPM-protected version of the SAM file encryption key from this point on, and so that the normal boot process can be executed during subsequent boots.

As has been described, the present invention provides an improved method for protecting a SAM file within a Windows® operating system. The present invention improves upon the current methods of protecting SAM files provided by the Windows® operating system.

It is also important to note that although the present invention has been described in the context of a fully functional computer system, those skilled in the art will appreciate that the mechanisms of the present invention are capable of being distributed as a program product in recordable type media such as compact discs.

While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

What is claimed is:

1. A method for protecting a Security Accounts Manager (SAM) file within a Windows® operating system, said method comprising:
   generating a SAM file encryption key by encrypting a SAM file via a syskey utility provided within said Windows® operating system;
   storing said SAM file encryption key to a virtual floppy disk by selecting an option to store SAM file encryption key to a floppy disk under said syskey utility;
   generating a blob based on said SAM file encryption key, wherein said blob is generated by performing a Trusted Platform Module (TPM) Seal command against said SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key; and
   storing said blob in a non-volatile storage device of a computer;
   retrieving said SAM file encryption key during Power On Self-Test by performing a TPM Unseal command on said blob against said value stored in said Performance Control Register, wherein retrieving said SAM file encryption key includes tricking said Windows® operating system to read from said virtual floppy disk instead of a physical floppy disk by trapping a read request number to a floppy drive; and
   providing said SAM file encryption key to said Windows® operating system during system boot up via interrupt handler.

2. The method of claim 1, wherein said method further includes providing a TPM within said computer.

3. The method of claim 2, wherein said method further includes providing a virtual floppy disk device driver within said computer.

4. The method of claim 1, wherein said method further includes
   generating a backup blob by encrypting said SAM file encryption key via an Advanced Encryption Standard key derived from an administrator password; and
   storing said backup blob in a removable storage medium.

5. A non-transitory computer recordable medium having a product for protecting Security Accounts Manager (SAM) files within a Windows® operating system, said computer recordable medium comprising:
   program code for generating a SAM file encryption key by encrypting a SAM file via a syskey utility provided within said Windows® operating system;
   program code for storing said SAM file encryption key to a virtual floppy disk by selecting an option to store SAM file encryption key to a floppy disk under said syskey utility;
   program code for generating a blob based on said SAM file encryption key, wherein said blob is generated by performing a Trusted Platform Module (TPM) Seal command against said SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key; and
   program code for storing said blob in a non-volatile storage device of a computer,
   program code for retrieving said SAM file encryption key during Power On Self-Test by performing a TPM Unseal command on said blob against said value stored in said Performance Control Register, wherein retrieving said SAM file encryption key includes tricking said Windows® operating system to read from said virtual floppy disk instead of a physical floppy disk by trapping a read request number to a floppy drive; and
   program code for providing said SAM file encryption key to said Windows® operating system during system boot up via interrupt handler.

6. The computer recordable medium of claim 5, wherein said computer recordable medium further includes program code for initiating said TPM Seal command within said computer.

7. The computer recordable medium of claim 6, wherein said computer recordable medium further includes program code for providing a virtual floppy disk device driver within said computer.

8. The computer recordable medium of claim 5, wherein said computer recordable medium further includes
   program code for generating a backup blob by encrypting said SAM file encryption key via an Advanced Encryption Standard key derived from an administrator password; and
   program code for storing said backup blob in a removable storage medium.

9. A computer system capable of protecting Security Accounts Manager (SAM) files within a Windows® operating system, said computer system comprising:
   a SAM file encryption key generated by encrypting a SAM file via a syskey utility provided within said Windows® operating system;
   a volatile storage device having a virtual floppy disk for storing said SAM file encryption key by selecting an option to store SAM file encryption key to a floppy disk under said syskey utility; and
   a non-volatile storage device for storing a blob generated based on said SAM file encryption key, wherein said blob is generated by performing a Trusted Platform Module (TPM) Seal command against said SAM file encryption key along with a value stored in a Performance Control Register and a TPM Storage Root Key;
   a processor for retrieving said SAM file encryption key during Power On Self-Test by performing a TPM Unseal command on said blob against said value stored in said Performance Control Register, wherein retrieving said SAM file encryption key includes tricking said Windows® operating system to read from said virtual floppy disk instead of a physical floppy disk by trapping a read request number to a floppy drive; and
   an interrupt handler for providing said SAM file encryption key to said Windows® operating system during system boot.

10. The computer system of claim 9, wherein said computer system further includes a TPM.

11. The computer system of claim 10, wherein said computer system further includes a virtual floppy disk device driver.

12. The computer system of claim 9, wherein said computer system further includes
   an Advanced Encryption Standard key derived from an administrator password for encrypting said SAM file encryption key to generate a backup blob; and
   a removable storage medium for storing said backup blob.

* * * * *