DP API Security queries

Discussion in 'ASP .Net Security' started by Sachin Chavan, Feb 21, 2006.

  1. Hi,

    In my application, I am using a .net wrapper class (a dll) which internally
    calls the Win32 DP API for encryption and decryption.

    Now, my client has the following queries:

    1. Since the encryption Key is managed by Windows internally what is the
    security of the Key used for encryption?

    i.e. Microsoft may be able to access such keys and therefore, the
    information is not secure.

    2. What is the guarantee that the encrypted text thus generated won’t
    contain characters not supported by XML. This may create a problem, if they do
    generate such characters, since we store them to web.config which is an XML
    file.

    And,

    3. What is the guarantee that the encrypted text thus generated won’t
    contain a double quote which denotes the end of the Value field in web.config. If
    it generates one, you will have a bad XML file.


    Please help me, I am stuck with these issues.

    Thanks,
    Sachin R. Chavan.
     
    Sachin Chavan, Feb 21, 2006
    #1

  2. Hi Sachin,

    The encryption key is, as you said, maintained by Windows. Depending on the
    scope you are using (I assume you use machine, since you are in an ASP.NET
    application), any process on that machine can decrypt that value. That's why
    you can pass along an array of bytes for additional security.


    The other two questions have one answer: Base64. Just convert the byte array
    you get to a BASE64 string, and you will have no problem at all (use
    Convert.ToBase64String() method).

    Greetings,
    Henning


    Henning Krause [MVP], Feb 21, 2006
    #2
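
    A sketch of what the reply above describes, as an added example that is not code from the thread: machine-scope DPAPI through .NET's ProtectedData class, an optional entropy byte array, and Base64 encoding so the result can sit in a web.config attribute. It runs on Windows only; the entropy value, the key name and the sample connection string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData (System.Security.dll on .NET Framework)
using System.Text;
using System.Xml;

static class DpapiConfigDemo
{
    // Constructed sample value. Optional entropy is a second input to DPAPI,
    // not a key store: code that knows it and runs on this machine can decrypt.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("constructed-sample-entropy");

    static string ProtectForConfig(string plaintext)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.LocalMachine);
        // Base64 emits only A-Z, a-z, 0-9, '+', '/' and '=', so the text never
        // contains '"', '<', '>', '&' or control characters.
        return Convert.ToBase64String(blob);
    }

    static string UnprotectFromConfig(string base64)
    {
        byte[] clear = ProtectedData.Unprotect(
            Convert.FromBase64String(base64), Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(clear);
    }

    static void Main()
    {
        string stored = ProtectForConfig("Server=db01;User Id=app;Password=constructed-sample");

        // Deliberately concatenated without escaping, to show the Base64 text
        // can be pasted into the attribute as-is and the file still parses.
        string xml = "<appSettings><add key=\"ConnString\" value=\"" + stored + "\" /></appSettings>";
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(xml);
        string readBack = ((XmlElement)doc.DocumentElement.FirstChild).GetAttribute("value");

        Console.WriteLine("attribute round-trips unchanged: " + (readBack == stored));
        Console.WriteLine("decrypted: " + UnprotectFromConfig(readBack));

        // The same blob with different entropy fails to decrypt.
        try
        {
            ProtectedData.Unprotect(Convert.FromBase64String(readBack),
                new byte[] { 1, 2, 3 }, DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("wrong entropy: CryptographicException");
        }
    }
}
```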

  3. Hi Henning,

    Thanks a lot for the info.

    One more thing that I forgot to mention was, I have already hard coded
    additional entropy in my code while encrypting and decrypting the plain text.

    So, this means that even Microsoft, even though they have the key won't be
    able to decrypt the things right?

    Thanks a lot once more for the quick reply.

    Thanks,
    Sachin Chavan.


    Sachin Chavan, Feb 21, 2006
    #3
  4. Hi Sachin,

    Thanks for posting!

    > "this means that even Microsoft, even though they have the key won't be
    > able to decrypt the things right?"

    Yes, you are correct. Actually, although the key is maintained by the
    Windows system, it is impossible to get the key from the system internals via
    the internet. If you are still concerned about this, your behavior is obviously
    right. After hard coding something, even Microsoft cannot decrypt the
    thing.

    Thanks for your understanding!

    Regards,

    Yuan Ren [MSFT]
    Microsoft Online Support
     
    Yuan Ren[MSFT], Feb 22, 2006
    #4