Re: Size of Entropy with Dpapi Encrypted Connection String

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 03/15/05 

Date: Tue, 15 Mar 2005 09:46:49 -0800

See inline.

"charlestek" <charlestek@yahoo.com> wrote in message
news:OXKImaQKFHA.4092@tk2msftngp13.phx.gbl...
>
>
> Alex,
>
> I am doing TWO things with the dpapi.
> I am decrypting my text encryption string, stored in my web config,
> already encrypted by the dpapi once.
> as well as decrypting a dpapi encrypted aes binary symmetric key stored
> in the web config as well.

So you have two values stored encrypted using DPAPI (in Web.config). OK, I
am with you.

> The connection string is used for my database access by the classes that
> need it, and the symmetric key is used to encrypt and decrypt info in a
> table in my database. Each encrypted row in my database has an IV for
> that row stored as well.

This does not seem to be relevant to your problem.

> For some reason, it Appeared that if I didn't use a binary entropy value
> that was the same number of bytes as the symmetric aes binary key, I had
> problems with encrypting/decrypting the symmetric aes binary key with
> the dpapi.
> That however could be coincidence, and I had some other bug
> that was causing the problem.

Yeah, the first statement does not make much sense. DPAPI entropy is totally
optional, and when used, the size of the entropy does not matter. You must
be doing something wrong.

> In addition, now that I have the dpapi encrypted binary
> aes key in my web config, when I use a class to encrypt and
> decrypt some arbitrary text, I'm getting an invalid keysize
> error upon decryption only. I forwarded the code about this particular
> issue to Dominick recently.

So you are saying that after you decrypt your key from Web.config (using
DPAPI with your misterious entropy), then this key (more specific, its size)
is corrupt, right? Well, it looks like you have a full bucket of issues
here. So after you decrypt the key, how many bytes (of the AES key) do you
get?

> If you read the MSDN documentation about the innards of the dpapi it is
> hard for the lay person such as myself to understand the mathematics of
> the entropy in the dpapi algorithm.

The thing is, you do not really need to understand the internals of DPAPI,
AES, etc. to be able to use them. Without looking at your code, this is what
I would suggest. Try to solve one problem at a time. I mean, forget about
Web.config and encryption for a moment and just make sure that you can
encrypt and decrypt data using DPAPI without corruption. Just make sure that
you encrypt a value, decrypt it and get the original data. There are lots of
samples online, e.g. http://www.obviex.com/samples/Dpapi.aspx. When this
works, try it with the Web.config file. Make sure that you can encrypt data
with DPAPI, store it in config file, get it back, decrypt it and get the
original value. One of the common porblems is the wrong character handling.
Since DPAPI - as any other encryption routine - operates on bytes and the
data you retrieve in Web.config is in string format, you must make sure that
you use the right encoding (e.g. UTF-8 and base64). I assume that you base64
encode encrypted data before storing it in Web.config. After you get this
working, then concentrate on encryption. I am not sure why you store the
encrypted key bytes. I mean how do you enter these bytes before you encrypt
them and store in Web.config? I suspect you are doing something silly here.
A common approach would be to use a password (passphrase) and derive the AES
key from this password. Since the password is a string it is easier to
operate. Anyway, just make sure that your key bytes, password, or whatever
you are gonna use, are the same before encryption with DPAPI and after.
Also make sure that you use the AES key correctly. There are also many
samples available, e.g. http://www.obviex.com/samples/Encryption.aspx.

> Phil
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

Relevant Pages

  • Re: Need secure block cipher for 96 bits of block size
    ... AES need 128 bits data blocks. ... If you need to send exactly 96 bits of ciphertext for 96 bits of plaintext ... Encrypt the first 64 bits of plaintext to give a first 64-bit block. ... To decrypt you first decrypt the second block, and append the last 32 bits ...
    (sci.crypt)
  • Re: an encrypt arithmetic
    ... an example using 128-bit AES that I wrote last year. ... CIPHER MI to generate a secure random number that you can use as a salt ... One other thing the example does not do is encrypt ... DECRYPT_CHAR, DECRYPT_DB to decrypt the encrypted data. ...
    (comp.sys.ibm.as400.misc)
  • DPAPI implemented in Crypt32.dll
    ... This works great on windows xp. ... me to debug right up to the point where the DPAPI method ... Encrypt / Decrypt is called from my Visual Basic 6 code. ...
    (microsoft.public.win2000.security)
  • Re: AES-256 encryption
    ... Since AES is symmetric encryption algo, ... a problem to decrypt it using the correct key. ... Secret key generated by the tool itself to encrypt ...
    (Pen-Test)
  • Re: Encryption Key Question
    ... Here's a very quick explanation of how DPAPI works in Windows. ... > used to encrypt the user's secrets. ... the master key can not be decrypted. ... > that there are no universal solutions in security. ...
    (Security-Basics)