Encrypting and Decrypting data with DPAPI

Published Wednesday, February 09, 2005 5:15 PM

Creating secure applications is more important today than ever before. Most distributed applications need some form of cryptography to protect your secrets from snooping eyes, whether they belong to hackers, users, or even your own DBA. The .NET Framework makes it easy to encrypt and decrypt data. It provides a number of cryptography algorithms. Each works by encrypting or decrypting data using a password or key. The password or key itself must be secured and protected in a way that only allows your application to access it.


Starting with Windows 2000, Microsoft began including an API to perform application-level encryption and decryption of data. This API is called the Data Protection API, or DPAPI. DPAPI is used to hide secrets like connection strings and user credentials that are typically stored in a config file or in plain text. DPAPI uses a specific, strong cryptographic algorithm, Triple-DES, together with strong keys. You can use it to encrypt and decrypt your sensitive data at a machine-specific or user-specific level: DPAPI uses either a key derived from the machine or one derived from the currently logged-on user. The key can optionally be augmented with an application-specific secret value referred to as secondary entropy. As you can imagine, the benefit of using DPAPI is not only that applications get a strong encryption algorithm but also that they don't have to handle, protect, or remember the secret key value.


The user profile approach affords an additional layer of security because it limits who can access the secret. Only the user who encrypts the data can decrypt the data.


The machine store approach is easier to develop because it does not require user profile management. However, unless an additional entropy parameter is used, it is less secure because any user on the computer can decrypt data. (Entropy is a random value designed to make deciphering the secret more difficult.) The problem with using an additional entropy parameter is that this must be securely stored by the application, which presents another key management issue.
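The two scopes and the entropy parameter described above, as an added example that is not the author's DPAPI .Net library: it uses the managed `System.Security.Cryptography.ProtectedData` wrapper over DPAPI (available from .NET Framework 2.0 onwards); the connection string and the entropy value are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the author's DPAPI .Net library). DPAPI derives the key from the
// machine or the logged-on user, so the caller never handles a key; only the optional
// entropy has to be kept by the application.
static class DpapiExample
{
    // The same scope and entropy are required again at decryption time.
    public static string Protect(string plaintext, byte[] entropy, DataProtectionScope scope)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = ProtectedData.Protect(data, entropy, scope);
        return Convert.ToBase64String(blob);  // safe to place in a config file
    }

    public static string Unprotect(string base64Blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] data = ProtectedData.Unprotect(blob, entropy, scope);
        return Encoding.UTF8.GetString(data);
    }

    static void Main()
    {
        // Constructed sample secret; in practice this is the real connection string.
        string secret = "Server=db01;Database=orders;User Id=app;Password=s3cr3t";
        // Hypothetical application entropy; the app must store and protect it itself.
        byte[] entropy = Encoding.UTF8.GetBytes("app-specific-secret");

        // Machine scope: any account on this machine could decrypt if no entropy were used.
        string stored = Protect(secret, entropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("Protected blob: " + stored);
        Console.WriteLine("Recovered: " + Unprotect(stored, entropy, DataProtectionScope.LocalMachine));

        // Wrong entropy (or, for CurrentUser scope, a different user) is rejected.
        try
        {
            Unprotect(stored, Encoding.UTF8.GetBytes("wrong"), DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Decryption with wrong entropy rejected: " + ex.Message);
        }

        // User scope: bound to the logged-on user's profile; other users cannot decrypt it.
        string userBlob = Protect(secret, null, DataProtectionScope.CurrentUser);
        Console.WriteLine("Recovered (user scope): " + Unprotect(userBlob, null, DataProtectionScope.CurrentUser));
    }
}
```

The blob returned by `Protect` is what you would store in the config file in place of the plain-text secret; `Unprotect` only succeeds on the same machine (LocalMachine scope) or for the same user (CurrentUser scope) and with the same entropy.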


Overall, DPAPI is a very easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys.


Below is the link to the class library that I created, which wraps the DPAPI, and a demo application showing how to use it. There is also a link to SA Dev, which has my complete article and source code.


Download: DPAPI .Net

Link: SA Dev

by deon
