Re: Getting a user's specific key
From: Amit Rahul [MS] (arahul_at_online.microsoft.com)
Date: 04/28/04
- Next message: Alexander Grigoriev: "Re: Disable programmatically the "Fast User Switching""
- Previous message: Amit Rahul [MS]: "Re: NetGetUserInfo question"
- In reply to: Yu Chen [MS]: "Re: Getting a user's specific key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Apr 2004 20:17:04 -0700
If you have a roaming profile and the DPAPI keys that were used to encrypt
your data were created on the W2K machine, then you should be able to
retrieve data on a W2K machine that was encrypted on WS03/XP and vice versa.
But if the DPAPI keys were created on WS03/XP and some data was encrypted using
them, then it won't be decrypted on W2K.
DPAPI uses 3DES and no, you can't choose the algorithm. But DPAPI in itself
provides you with a strong mechanism to secure your data.
--
Thanks,
Amit Rahul [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Yu Chen [MS]" <yuchen@online.microsoft.com> wrote in message
news:e4$JntLLEHA.1312@TK2MSFTNGP12.phx.gbl...
> The following article answers most of your questions:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
>
> Note in order to be able to decrypt protected data on a machine other than
> the one that did the encryption, you need to enable roaming profile for that
> user account. This should work even if the two machines are running two
> different OSes (e.g. XP, W2k3). If enabling roaming profile is not an option
> for you, I think you can use your current solution - the biggest challenge
> is to protect "my_secret".
>
> --
> Yu Chen [MS]
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Jacques Le***" <jacques.le***@evidian.com> wrote in message
> news:408e16d8$0$20165$636a15ce@news.free.fr...
> > Yu Chen [MS] wrote:
> >
> > > If you are looking for a way to protect data on a per-user basis, check out
> > > CryptProtectData() and CryptUnprotectData() in MSDN.
> > >
> >
> > Is it possible to know (or, better, to set) the algorithm and key length
> > used by CryptProtectData, e.g. to ensure that at least 128 bit
> > encryption is applied ?
> >
> > What kind of user's "logon credentials" are used during encryption by
> > CryptProtectData ? The SID ? The UserName ? Both ? Other elements from
> > the User Token ?
> >
> > If data are enciphered by CryptProtectData() on a 2003 server, can it be
> > decrypted on a 2000 or XP workstation ? What happens if the list of
> > available/authorized CSP differs between two workstations ?
> >
> > I'm trying to find a stronger solution to my current encryption:
> > key = PKCS5_PBKDF2(my_secret+SID);
> > encrypted = Encrypt128(key, randomizer, clear_text);
> > without requiring users to possess a private/public key pair allowing
> > data encryption.
> >
> > Thanks for your help,
> > --
> > jacques
> >
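Added example, not code from this thread or from Microsoft: the per-user CryptProtectData/CryptUnprotectData round-trip the replies recommend, through the .NET ProtectedData wrapper in Windows PowerShell. Assumed: Windows PowerShell 5.1 on Windows; the entropy value, standing in for Jacques's "my_secret", is a constructed placeholder.

```powershell
# Added example (not from the thread). Uses the .NET wrapper over
# CryptProtectData/CryptUnprotectData; assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

# DPAPI's "optional entropy" plays the role of Jacques's my_secret: a
# caller-supplied value mixed into the protection, so another process running
# as the same user still needs it to decrypt. Constructed placeholder value.
$AppEntropy = [Text.Encoding]::UTF8.GetBytes('replace-with-app-specific-secret')

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [byte[]]$Entropy = $AppEntropy,
        # CurrentUser: bound to the user's logon credentials and profile, so it
        # follows the user only with a roaming profile (see the reply above).
        # LocalMachine: any account on this machine can decrypt.
        [Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $plain = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    [Array]::Clear($plain, 0, $plain.Length)   # drop the clear text from memory
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [byte[]]$Entropy = $AppEntropy,
        [Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
        return [Text.Encoding]::UTF8.GetString($plain)
    }
    catch {
        # Wrong user, wrong entropy, or a blob whose DPAPI master key this
        # machine cannot reach (the cross-machine case discussed above).
        throw "CryptUnprotectData failed: $($_.Exception.Message)"
    }
}

# Round-trip as the same user succeeds; a mismatched entropy value fails.
$blob = Protect-Secret -PlainText 'clear_text'
Unprotect-Secret -Base64Blob $blob
try   { Unprotect-Secret -Base64Blob $blob -Entropy ([byte[]](1, 2, 3)) }
catch { Write-Warning $_ }
```

The last call fails on purpose: a blob protected with one entropy value cannot be recovered with another, and the same CryptographicException is what you see when the blob's DPAPI master key is not reachable from the decrypting machine or user.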