DPAPI and connection string


Kevin Cunningham

I am planning on using DPAPI for an ASP.NET application.
I will configure the app to run under an account I
create. My understanding of DPAPI is that it needs a
login in order to work correctly, i.e. I need to log on
interactively at least once with the account. That
sounds dandy. My question is this: if I plan on
configuring the custom account to *not* be able to log on
interactively (via the local policy), will that nix the
ability to use DPAPI?

TIA, kevin
 

Steve Jansen

Kevin,

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp

- DPAPI can work with either the machine store or user store (which
  requires a loaded user profile). DPAPI defaults to the user store, although
  you can specify that the machine store be used by passing the
  CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions.
- The user profile approach affords an additional layer of security
  because it limits who can access the secret. Only the user who encrypts the
  data can decrypt the data. However, use of the user profile requires
  additional development effort when DPAPI is used from an ASP.NET Web
  application because you need to take explicit steps to load and unload a
  user profile (ASP.NET does not automatically load a user profile).
- The machine store approach (adopted in this How To) is easier to develop
  because it does not require user profile management. However, unless an
  additional entropy parameter is used, it is less secure because any user on
  the computer can decrypt data. (Entropy is a random value designed to make
  deciphering the secret more difficult.) The problem with using an additional
  entropy parameter is that this must be securely stored by the application,
  which presents another key management issue.

Note: If you use DPAPI with the machine store, the encrypted string is
specific to a given computer and therefore you must generate the encrypted
data on every computer. Do not copy the encrypted data across computers in a
farm or cluster.
So, in theory, you never need to log on with the account if you use the
machine store. Of course, your application should then safely store an
entropy (salt) value to help protect it from other DPAPI applications with
access to the machine store.

-Steve Jansen
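The machine-store versus user-store choice Steve describes, shown as an added C# example (this is not code from the thread or from the MSDN How To it quotes). It uses the managed ProtectedData wrapper over DPAPI; DataProtectionScope.LocalMachine corresponds to the CRYPTPROTECT_LOCAL_MACHINE flag. The class and method names, the sample connection string and the idea of keeping the entropy in a separate ACL'd file are assumptions for the demo, not anything the thread specifies. It needs System.Security.dll on .NET Framework or the System.Security.Cryptography.ProtectedData package on .NET Core/.NET 5+, and runs only on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original thread or the MSDN How To.
// Requires System.Security.dll (.NET Framework 2.0+) or the
// System.Security.Cryptography.ProtectedData package on .NET Core/.NET 5+.
// DPAPI is Windows-only; ProtectedData throws PlatformNotSupportedException elsewhere.
public static class ConnectionStringProtector
{
    // Machine store (DataProtectionScope.LocalMachine == CRYPTPROTECT_LOCAL_MACHINE):
    // works without a loaded user profile, so the worker-process account never
    // needs an interactive logon. Without entropy, any account on this machine
    // can Unprotect the blob; with entropy, a caller must also know the entropy.
    public static string ProtectForMachine(string plaintext, byte[] entropy)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = ProtectedData.Protect(data, entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    public static string UnprotectForMachine(string base64Blob, byte[] entropy)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] data = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(data);
    }

    // User store (DataProtectionScope.CurrentUser): bound to the calling account's
    // DPAPI master key, which is stored in that account's user profile. Under
    // ASP.NET this only works if the profile has been loaded, which the runtime
    // does not do for you.
    public static string ProtectForUser(string plaintext, byte[] entropy)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        return Convert.ToBase64String(
            ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser));
    }

    // Entropy should be random bytes the application stores separately from the
    // encrypted blob (assumption for this demo: a file readable only by the
    // worker-process account), not a constant compiled into the binary.
    public static byte[] NewEntropy(int length)
    {
        byte[] entropy = new byte[length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(entropy);
        }
        return entropy;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values for the demo; not real credentials.
        string connStr = "Server=db01;Database=app;User Id=appuser;Password=example;";
        byte[] entropy = ConnectionStringProtector.NewEntropy(32);

        string blob = ConnectionStringProtector.ProtectForMachine(connStr, entropy);
        Console.WriteLine("Machine-scoped blob (store in web.config): " + blob);
        Console.WriteLine("Round trip: " + ConnectionStringProtector.UnprotectForMachine(blob, entropy));

        // Another process on the same machine that does not know the entropy
        // (or passes none) gets a CryptographicException rather than the secret.
        try
        {
            ConnectionStringProtector.UnprotectForMachine(blob, null);
            Console.WriteLine("Unexpected: decrypted without entropy");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Unprotect without entropy failed as intended: " + ex.Message);
        }

        // The blob is tied to this machine's DPAPI master key. Copying it to
        // another web farm member will not decrypt; generate it on each box.
    }
}
```

Two practical points follow from the code: the entropy only helps if it is not readable by the same "any user on the computer" the machine store exposes the blob to, so it must be protected by a file or registry ACL scoped to the worker-process account; and because the machine-scoped blob is per computer, the encryption step belongs in a per-server deployment task rather than in the build.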
 