DPAPI - Encrypt and Decrypt Data Using the Data Protection API

by David Hayden ( Florida MVP and ASP.NET Developer )

 

In my post about the Enterprise Library 2.0 Cryptography Application Block, I talked about how the Cryptography Application Block uses DPAPI ( Data Protection API ) to secure the key file that contains the key for one of the Symmetric Encryption Providers:

  • DESCryptoServiceProvider
  • RC2CryptoServiceProvider
  • RijndaelManaged
  • TripleDESCryptoServiceProvider

DPAPI is a nice way to encrypt and decrypt data without having to manage a key of your own.  DPAPI derives a master key from the current Windows user's logon credentials and keeps that master key ( itself encrypted ) in the user's profile, so the key material is protected by Windows rather than by your code.  That saves you the effort of deciding where to store a key and how to protect it, which is the part of home-grown encryption that most often goes wrong.  The flip side is worth stating plainly: anything protected with DataProtectionScope.CurrentUser can be decrypted by any code running under that same Windows account, and anything protected with DataProtectionScope.LocalMachine by any account on that machine.  DPAPI protects data at rest against other users and other machines; it does not protect it from a process that is already running as you.  The optional entropy parameter is a second secret that must be presented again on decryption, so it only adds protection if it is kept somewhere the encrypted blob is not.

 

Data Protection API Example

Here is a quick example of how easy it is to use DPAPI.  As mentioned back in my post about the SecureString Class, sadly we still have a managed string that contains the original password.  It is a vulnerability, because that string ( and the plaintext byte arrays the example produces ) stay in memory until the garbage collector gets around to them, and managed strings are immutable, so they cannot be zeroed.  The byte arrays, at least, can be cleared with Array.Clear as soon as they are no longer needed.

 

using System;
using System.Security.Cryptography; // ProtectedData lives in System.Security.dll
using System.Text;

// Original Password
string password = "password";

// Optional entropy: a second secret that must also be supplied to Unprotect
byte[] entropy = Encoding.Unicode.GetBytes("mysalt");

// Use DPAPI to Encrypt ( only the same Windows user can Unprotect this blob )
byte[] encryptedData = ProtectedData.Protect(
    Encoding.Unicode.GetBytes(password), entropy, DataProtectionScope.CurrentUser);

// Decrypt using DPAPI
byte[] decryptedData = ProtectedData.Unprotect(
    encryptedData, entropy, DataProtectionScope.CurrentUser);

// Get Original Password
string originalPassword = Encoding.Unicode.GetString(decryptedData);

// Zero the plaintext bytes once they are no longer needed
Array.Clear(decryptedData, 0, decryptedData.Length);
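To show the two things the snippet above leaves out, namely protecting a secret without ever holding it in a managed string, and what Unprotect does when it is handed the wrong entropy or a modified blob, here is an added example written for this page; it is not code from the original post.  It assumes Windows ( DPAPI is a Windows API ), a reference to System.Security.dll on .NET Framework or the System.Security.Cryptography.ProtectedData package on newer .NET, and the file name, entropy strings and sample secret are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original post). Assumes Windows, and a reference to
// System.Security.dll on .NET Framework or the System.Security.Cryptography.ProtectedData
// package on .NET 6+. The file name, entropy strings and sample secret are constructed.
static class DpapiSecretStore
{
    // Protect a secret held in a SecureString and write the DPAPI blob to disk.
    // The plaintext never exists as a managed string: it goes SecureString ->
    // unmanaged buffer -> byte[], and both copies are zeroed before returning.
    public static void Save(string path, SecureString secret, byte[] entropy, DataProtectionScope scope)
    {
        IntPtr unmanaged = IntPtr.Zero;
        byte[] plaintext = null;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            plaintext = new byte[secret.Length * 2];               // UTF-16 code units, 2 bytes each
            Marshal.Copy(unmanaged, plaintext, 0, plaintext.Length);
            File.WriteAllBytes(path, ProtectedData.Protect(plaintext, entropy, scope));
        }
        finally
        {
            if (plaintext != null) Array.Clear(plaintext, 0, plaintext.Length);
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    // Read the blob back into a SecureString. Returns null when DPAPI refuses the blob:
    // wrong entropy, a tampered blob, or ( for CurrentUser scope ) a different Windows
    // account. All of these surface as CryptographicException from Unprotect.
    public static SecureString Load(string path, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plaintext = null;
        try
        {
            plaintext = ProtectedData.Unprotect(File.ReadAllBytes(path), entropy, scope);
            SecureString result = new SecureString();
            for (int i = 0; i + 1 < plaintext.Length; i += 2)          // little-endian UTF-16
                result.AppendChar((char)(plaintext[i] | (plaintext[i + 1] << 8)));
            result.MakeReadOnly();
            return result;
        }
        catch (CryptographicException)
        {
            return null;
        }
        finally
        {
            if (plaintext != null) Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "dpapi-demo.bin");
        byte[] entropy = Encoding.Unicode.GetBytes("app-specific entropy");  // constructed
        byte[] wrongEntropy = Encoding.Unicode.GetBytes("something else");   // constructed

        SecureString secret = new SecureString();
        foreach (char c in "Pa$$w0rd") secret.AppendChar(c);                 // constructed sample secret
        secret.MakeReadOnly();

        // CurrentUser: only code running as this Windows account can Unprotect the blob.
        Save(path, secret, entropy, DataProtectionScope.CurrentUser);
        SecureString back = Load(path, entropy, DataProtectionScope.CurrentUser);
        Console.WriteLine(back != null && back.Length == secret.Length
            ? "round trip ok" : "unprotect failed");

        // Entropy is a second secret, not a salt: without the same bytes, Unprotect fails.
        Console.WriteLine(Load(path, wrongEntropy, DataProtectionScope.CurrentUser) == null
            ? "wrong entropy rejected" : "unexpected");

        // DPAPI blobs carry an integrity check, so a modified blob is rejected
        // instead of being decrypted to garbage.
        byte[] tampered = File.ReadAllBytes(path);
        tampered[tampered.Length - 1] ^= 0x01;
        File.WriteAllBytes(path, tampered);
        Console.WriteLine(Load(path, entropy, DataProtectionScope.CurrentUser) == null
            ? "tampered blob rejected" : "unexpected");

        File.Delete(path);
    }
}
```

Run it as an ordinary console program under the account that will later read the secret.  The same-account rule cuts both ways: a CurrentUser blob written by an interactive user cannot be read by the service account the application runs as in production, which is the usual surprise when a file protected on a developer's machine is deployed somewhere else.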

 

Conclusion

As I have been digging more and more into cryptography and encryption, especially in the Enterprise Library 2.0 Cryptography Application Block, it is more and more apparent that Microsoft has put a lot of functionality into the .NET 2.0 Framework to make cryptography and encryption simple.

Source:   David Hayden ( Florida MVP and ASP.NET Developer )

 

posted on Saturday, March 04, 2006 7:58 PM
