Hello everybody,
I am performing a comparison of remote management tools based on the Windows platform. In particular, I am evaluating the security aspects of such software. By using some tracing systems I was able to detect the Registry Hive where TeamViewer stores the permanent password for unattended access and the optional passwords for remote access (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer: MultiPwdMgmtPwdData).
Now, I would like to understand what security process TeamViewer adopts when dealing with password storage and protection. Within the registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer there are a number of keys. Here are some questions:
- MultiPwdMgmtPwdData seems to be a base64 encoded value. Is that a hashed password? If so, what hash algorithm is used?
- Is the Windows Data Protection API used to encrypt any of the data among the Registry Keys in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer?
- What are the PK and SK keys in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer?
Finally, in case I wanted to replace my old permanent password directly in the registry, what operations should I execute? I would guess: DPAPI_Protect(HASH(clearPassword)).
Regards,
Alberto.