Re: What's wrong with my encryption function?



Well, you could use ProtectedData to directly encrypt the data, or you could
use it to encrypt a key you generate/store. If you encrypt the key, then
you'll get the same key back every time and then you can use that to encrypt
the data however you want. If you use a fixed key and fixed IV, you'll get
the same ciphertext.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<egyptegypt@xxxxxxxxx> wrote in message
news:1154988513.890224.78690@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I realize it might be less secure but it's better than storing plain
keys and having a different encrypted value each time makes this task
(encrypting keys in key/value pairs) impossible since the key needs to
be the same to retrieve the value.

Is it even possible to specify the session key with the ProtectedData
class? I only see an optional entropy parameter...


Joe Kaplan (MVP - ADSI) wrote:
It is actually to your disadvantage to have the encrypted data produce the same value each time, as that lowers your security. Ideally, even if you use a fixed session key for encryption, you use a different random IV so that the ciphertext is different.

However, if you use a fixed session key and fixed IV, you will get the same ciphertext back.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<egyptegypt@xxxxxxxxx> wrote in message
news:1154985102.110687.105810@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Do you know of another method that will always produce the same
encrypted value? I'm storing key/value pairs in isolated storage and
would like to have the key encrypted as well just to obfuscate things a
bit more.
Thanks.

GarthS wrote:
The ProtectedData class wraps the DPAPI; the following link - http://blogs.msdn.com/shawnfa/archive/2004/05/05/126825.aspx - details this API and states:

DPAPI works by generating a key from the current user's credentials (generally their password, although a smart card will provide a different credential). It then generates a master key, and encrypts this with the key generated by the user's credentials. A random session key is created for each call to CryptProtectData. This key is derived from the master key, some random data, and some optional entropy passed in by the user. The session key is then used to do the actual encryption. Rather than storing the session key, the random data used in key creation is stored in the encrypted output.

So essentially, every time that you encrypt, a partially random session key is added to the encrypted data (which is then used for decryption), which explains why the encrypted data is different even if the original clear string is identical. You should find that decrypting the encrypted data will return the same string.


"egyptegypt@xxxxxxxxx" wrote:

I'm trying to use the ProtectedData class to store encrypted data in isolated storage but something seems to be wrong. If I call the class twice with the same string I get a different encrypted value each time. Here's my encryption method:

// Needs "using System.Text;" for Encoding and a reference to System.Security.dll for ProtectedData.
private static string EncryptString(string Input)
{
    byte[] ClearBytes = null;
    byte[] EncryptedBytes = null;

    // UTF-8 bytes of the input string
    ClearBytes = Encoding.UTF8.GetBytes(Input);
    // DPAPI, current-user scope, no optional entropy (second argument is null)
    EncryptedBytes = System.Security.Cryptography.ProtectedData.Protect(ClearBytes, null,
        System.Security.Cryptography.DataProtectionScope.CurrentUser);
    return Convert.ToBase64String(EncryptedBytes);
}

See anything wrong there?
Thanks in advance.
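Joe's suggestion at the top of the thread, worked through as an added example (not code from the thread or from any of its posters): generate one random AES key, store it DPAPI-protected with ProtectedData, and use the unprotected key for your own encryption. The file name, the class names and the "username"/"secret" sample strings are assumptions made up for the example; the original poster keeps such data in isolated storage instead of a plain file.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. ProtectedData needs a reference to
// System.Security.dll (.NET Framework) or the System.Security.Cryptography.ProtectedData
// package (.NET Core / .NET 5+), and only works on Windows.
static class KeyStore
{
    // Hypothetical file name; the thread's poster would use isolated storage.
    const string WrappedKeyFile = "wrapped-aes-key.bin";

    // Returns the same 256-bit key on every call. The DPAPI blob written here
    // would look different each time Protect ran (random session key, as the
    // DPAPI description quoted by GarthS explains), but Unprotect always
    // returns the original key bytes, which is what you actually need.
    public static byte[] GetOrCreateKey()
    {
        if (File.Exists(WrappedKeyFile))
        {
            byte[] wrapped = File.ReadAllBytes(WrappedKeyFile);
            return ProtectedData.Unprotect(wrapped, null, DataProtectionScope.CurrentUser);
        }

        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        byte[] protectedKey = ProtectedData.Protect(key, null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(WrappedKeyFile, protectedKey);
        return key;
    }
}

static class PairCipher
{
    // Fixed (all-zero) IV for the lookup key: this is exactly the trade-off Joe
    // describes. Same key + same IV => same ciphertext, so the name can be looked
    // up again, but equal names (and, in CBC mode, equal leading blocks of
    // different names) become visible to anyone who can read the store.
    static readonly byte[] FixedIv = new byte[16];

    // Value side: a fresh random IV per call, prepended to the ciphertext.
    // Encrypting the same value twice gives different output, which is what
    // Joe recommends for anything that does not need to be searchable.
    public static string EncryptValue(byte[] key, string plaintext)
    {
        using (Aes aes = Aes.Create())   // CBC mode with PKCS7 padding by default
        {
            aes.Key = key;
            aes.GenerateIV();
            byte[] clear = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(clear, 0, clear.Length);
            byte[] output = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
            return Convert.ToBase64String(output);
        }
    }

    // Reads the IV back from the front of the blob, then decrypts the rest.
    public static string DecryptValue(byte[] key, string base64)
    {
        byte[] input = Convert.FromBase64String(base64);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(input, 0, iv, 0, iv.Length);
            aes.IV = iv;
            byte[] clear = aes.CreateDecryptor()
                .TransformFinalBlock(input, iv.Length, input.Length - iv.Length);
            return Encoding.UTF8.GetString(clear);
        }
    }

    // Key-name side: deterministic, so the same name always maps to the same token.
    public static string EncryptKeyName(byte[] key, string name)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = FixedIv;
            byte[] clear = Encoding.UTF8.GetBytes(name);
            byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(clear, 0, clear.Length);
            return Convert.ToBase64String(cipher);
        }
    }
}

static class Demo
{
    static void Main()
    {
        byte[] key = KeyStore.GetOrCreateKey();

        // Two encryptions of the same lookup key: compare the tokens.
        string tokenA = PairCipher.EncryptKeyName(key, "username");
        string tokenB = PairCipher.EncryptKeyName(key, "username");
        Console.WriteLine("lookup tokens equal: " + (tokenA == tokenB));

        // Two encryptions of the same value: compare the ciphertexts, then round-trip one.
        string value1 = PairCipher.EncryptValue(key, "secret");
        string value2 = PairCipher.EncryptValue(key, "secret");
        Console.WriteLine("value ciphertexts equal: " + (value1 == value2));
        Console.WriteLine("round trip: " + PairCipher.DecryptValue(key, value1));
    }
}
```

Running this, the two lookup tokens match (fixed key and fixed IV, as Joe says), the two value ciphertexts differ (random IV), and the round trip returns the original string. If the only requirement for the key name is "same input gives the same stored value", a keyed hash such as HMACSHA256 over the name, keyed with a second DPAPI-protected secret, gives a stable lookup token without reusing an IV and without the CBC prefix leak noted in the comments; the name itself is then not recoverable from the token, which is usually fine for a lookup.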
