Credential Manager Security (Windows CE 5.0)
Credential Manager uses credentials and other assets that unauthorized users can access. The following list summarizes the best practices for protecting these assets.
Best Practices for Applications
Use Credential manager to cache credentials
Do not implement credential caching in your applications. Whenever possible, implement applications that use credential manager to cache their credentials rather than implementing credential caching in the application. This provides consistency and sharing of credentials, and allows the operating system service to leverage the best available method of credentials storage.
Beware of security risks of credential type CRED_TYPE_PLAINTEXT_PASSWORD
Plaintext credentials are the least secure and will put your sensitive information at the greatest risk. Avoid saving credentials of type CRED_TYPE_PLAINTEXT_PASSWORD. Consider using other alternatives such as saving a verifier or a hash of the password instead. If this credential is to be read only by trusted code, mark it with CRED_FLAG_TRUSTED during CredWrite. If this credential is rarely used, consider making user authentication a requirement by marking the credential with CRED_FLAG_SENSITIVE flag. For information about credential type choices other than CRED_TYPE_PLAINTEXT_PASSWORD, see Credential Types.
Use CRED_FLAG_TRUSTED when applicable
If a specific credential is to be read only by trusted code, use the CRED_FLAG_TRUSTED flag during . Note that this protection applies only to the credential blob. Other information, such as target and username, will still be available to untrusted code. For this flag to be effective, your device must implement the 2-tier trust model.
Do not use CRED_FLAG_PERSIST if the credential should not persist in the registry
If you require that the credentials live only in memory, you should not use the CRED_FLAG_PERSIST flag. For more information about CRED_FLAG_PERSIST flag, see structure.
Use proper flags to indicate exact target matches when using CredRead
In some cases, when you use to retrieve credentials, you may want to receive only an exact credential match to the target, and not the default or implicit default credential. Depending on the case, set dwFlags of CredRead to be either CRED_FLAG_NO_DEFAULT or CRED_FLAG_NO_IMPLICIT_DEFAULT.
Do not cache credentials
Do not cache credentials, especially the credential blob. Instead, store the type, target, and user information for the credential. When the credential is required, use CredRead to retrieve the credential blob information.
Implement user verification
You can protect sensitive credentials by requiring user verification before the credential is accessed. If user authentication is required before the application is reading a credential, use the CRED_FLAG_SENSITIVE flag with the CredWrite function. When you use the function, before the application is passing the credential blob to the caller, credential manager will call the function to authenticate the user.
For CRED_FLAG_SENSITIVE flag to be effective, your device must include the component.
Avoid collisions in credential types by specifying unique target names
Different applications may write credentials of the same type. If you are using credential manager as a private store of credentials specific to your application, make sure that you prepend an application-specific string to the credential target name, so that there is less chance of collision.
Clear credential data from memory after use
Do not leave credentials in memory after use. Clear all credential data from temporary storage after use by calling .
Best Practices for SSPs
Write credential type providers for custom credential types
If your SSP deals with a custom credential type, consider writing a credential type provider for that type. This will enable applications to use credential manager for managing your SSP's credentials.
Use credential manager to cache credentials
Do not implement credential caching in your SSPs. This provides consistency, sharing of credentials, and allows the operating system service to leverage the best available method of credentials storage.
To help improve the user experience, support the mode where the SSP will use credential manager to read any existing cached credentials if the application does not pass credentials explicitly.
Clear credential data from memory after use
Do not leave credentials in memory after use. Clear all credential data from temporary storage after use by calling .
Best Practices for OEMs
Ensure that multiple type providers are not registered for the same primitive type
Be careful when you register a credential type with a credential type provider by using the registry settings described in Credential Manager Registry Settings. You must ensure that multiple type providers are not assigned to a single primitive type because you can have only one valid association of a primitive type with a type provider.
Use the CRED_TYPE_FLAG_TRUSTED flag when applicable
If a type provider deals with credentials that are to be read only by trusted code, consider using the CRED_TYPE_FLAG_TRUSTED flag during configuration of the type provider. This will force all credentials of that type to be readable only by trusted code, independent of whether the CRED_FLAG_TRUSTED flag is specified during CredWrite or not. For more information about how to configure a type provider, see Credential Manager Registry Settings.
Clear credential data from memory after use
Do not leave credentials in memory after use. Clear all credential data from temporary storage after use by calling .
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For information about credential manager registry settings, see Credential Manager Registry Settings.
See Also
Credential Manager | Credential Manager OS Design Development | Credential Manager Application Development
Send Feedback on this topic to the authors