Re: DP API Security queries



Hi Henning,

Thanks a lot for the info.

One more thing that I forgot to mention: I have already hard-coded
additional entropy in my code while encrypting and decrypting the plain text.

So, this means that even Microsoft, even though they have the key, won't be
able to decrypt the things, right?

Thanks a lot once more for the quick reply.

Thanks,
Sachin Chavan.


"Henning Krause [MVP]" wrote:

Hi Sachin,

The encryption key is, as you said, maintained by Windows. Depending on the
scope you are using (I assume you use machine, since you are in an ASP.NET
application), any process on that machine can decrypt that value. That's why
you can pass along an array of bytes for additional security.


The other two questions have one answer: Base64. Just convert the byte array
you get to a BASE64 string, and you will have no problem at all (use the
Convert.ToBase64String() method).

Greetings,
Henning


"Sachin Chavan" <sachinrchavan@xxxxxxxxxxxxxxxx> wrote in message
news:36FDD5EC-4C92-4395-9B50-5D44EC127230@xxxxxxxxxxxxxxxx
Hi,

In my application, I am using a .NET wrapper class (a DLL) which internally
calls the Win32 DP API for encryption and decryption.

Now, my client has the following queries:

1. Since the encryption Key is managed by Windows internally what is the
security of the Key used for encryption?

i.e. Microsoft may be able to access such keys and therefore, the
information is not secure.

2. What is the guarantee that the encrypted text thus generated won't
contain characters not supported by XML? This may create a problem if they
do generate such characters, since we store them in web.config, which is an
XML file.

And,

3. What is the guarantee that the encrypted text thus generated won't
contain a double quote, which denotes the end of the Value field in
web.config? If it generates one, you will have a bad XML file.


Please help me, I am stuck with these issues.

Thanks,
Sachin R. Chavan.
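
The two points from the reply above (optional entropy with machine scope, and Base64 for storage in web.config), as an added C# example that is not code from either poster. It assumes Windows and a reference to System.Security.dll; the class name, entropy bytes and sample secret are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData, DataProtectionScope
using System.Text;

static class DpapiConfigValue   // hypothetical helper name
{
    // Constructed sample entropy; an application supplies its own bytes.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-sample-entropy");

    // Encrypt with machine scope plus entropy, then Base64-encode the
    // resulting blob so it can be stored in an XML attribute value.
    public static string Protect(string plainText)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plainText), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    // Reverse the steps: Base64-decode, then decrypt with the given entropy.
    public static string Unprotect(string base64, byte[] entropy)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(base64), entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        string stored = Protect("Password=constructed-sample");

        // Base64 output uses only A-Z, a-z, 0-9, '+', '/' and '=',
        // so none of the XML-significant characters can appear in it.
        bool xmlSafe = stored.IndexOfAny(new[] { '"', '\'', '<', '>', '&' }) == -1;
        Console.WriteLine("XML-safe: " + xmlSafe);
        Console.WriteLine("Round trip: " + Unprotect(stored, Entropy));

        try
        {
            // Same machine, same scope, different entropy: DPAPI refuses to decrypt.
            Unprotect(stored, Encoding.UTF8.GetBytes("different-entropy"));
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Decryption with different entropy failed.");
        }
    }
}
```

The entropy is only as secret as its bytes: a value compiled into the assembly can be recovered by anyone able to read that assembly.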


