Re: DPAPI or not DPAPI, that is the question

From: John Banes [MS] (jbanes_at_online.microsoft.com)
Date: 10/30/03


Date: Wed, 29 Oct 2003 19:06:04 -0800

Yes, this approach is essentially what EFS does as well, except that they
use a certificate (and private key) protected by DPAPI, rather than a
password. The certificate can then be backed up and moved around as needed.

In general, passwords are often very easy to crack and so you need to be
careful using one as a basis for your encryption. Using a long randomly
generated password is okay. Encrypting your encryption key with a password
using an iterative encryption scheme such as PKCS5 can also be effective.

Regards,

John Banes
[Microsoft Security Developer]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

"Andrew Edward" <spam@spam.spam> wrote in message
news:eLI05HlnDHA.1672@TK2MSFTNGP09.phx.gbl...
> Of course, right after I posted my article I realized this is probably what
> I should do:
>
> Don't use DPAPI to encrypt the data itself. Use DPAPI to encrypt a password
> entered by the user, from which we generate our own encryption key. That
> way all the user has to do to decrypt the data on another computer is
> remember their password. No need to muck around with trying to export and
> import DPAPI key(s) (assuming that's even possible).
>
> Sorry...I'm new at this (as if you couldn't tell).
>
>
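
One way to do what the reply above describes, as an added example that is not part of the original thread: a randomly generated data key is encrypted ("wrapped") under a key derived from the password with PBKDF2 (PKCS #5 v2.0), giving a blob that can be unwrapped on any machine. Node.js, AES-256-GCM, the iteration bounds and the blob layout are assumptions made for this example.

```javascript
// Added example (not from the thread): wrap a random data-encryption key (DEK)
// under a key derived from a password with PBKDF2 (PKCS #5 v2.0).
const crypto = require('crypto');

// Assumed parameters and blob layout for this example.
const DEFAULT_ITER = 600000, MIN_ITER = 100000, MAX_ITER = 10000000;
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;
const HDR_LEN = 4 + SALT_LEN; // iteration count + salt, authenticated as AAD

function deriveKek(password, salt, iterations) {
  return crypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, 'sha256');
}

// Returns a portable blob: iterations(4, BE) | salt | iv | tag | wrapped DEK.
function wrapKey(dek, password, iterations = DEFAULT_ITER) {
  if (iterations < MIN_ITER || iterations > MAX_ITER) throw new RangeError('bad iteration count');
  const header = Buffer.alloc(HDR_LEN);
  header.writeUInt32BE(iterations, 0);
  crypto.randomBytes(SALT_LEN).copy(header, 4);
  const iv = crypto.randomBytes(IV_LEN);
  const kek = deriveKek(password, header.subarray(4), iterations);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(header); // binds the KDF parameters to the auth tag
  const wrapped = Buffer.concat([cipher.update(dek), cipher.final()]);
  return Buffer.concat([header, iv, cipher.getAuthTag(), wrapped]);
}

// Throws on a wrong password, a modified blob, or an out-of-range iteration count.
function unwrapKey(blob, password) {
  if (blob.length < HDR_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iterations = blob.readUInt32BE(0);
  if (iterations < MIN_ITER || iterations > MAX_ITER) throw new Error('bad iteration count');
  const header = blob.subarray(0, HDR_LEN);
  const iv = blob.subarray(HDR_LEN, HDR_LEN + IV_LEN);
  const tag = blob.subarray(HDR_LEN + IV_LEN, HDR_LEN + IV_LEN + TAG_LEN);
  const kek = deriveKek(password, header.subarray(4), iterations);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, iv);
  decipher.setAAD(header);
  decipher.setAuthTag(tag);
  const body = blob.subarray(HDR_LEN + IV_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}
```

Because the data is encrypted under the random key rather than the password itself, changing the password only requires re-wrapping that key, not re-encrypting the data.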


