DPAPI and connection string

Discussion in 'ASP .Net Security' started by Kevin Cunningham, Oct 16, 2003.

  1. I am planning on using DPAPI for an asp.net application.
    I will configure the app to run under an account I
    create. My understanding of DPAPI is that it needs a
    login in order to work correctly, i.e. I need to log on
    interactively at least once with the account. That
    sounds dandy. My question is this, if I plan on
    configuring the custom account to *not* be able to logon
    interactively (via the local policy) will that nix the
    ability to use DPAPI??

    TIA, kevin
    Kevin Cunningham, Oct 16, 2003
    #1

  2. Steve Jansen (Guest)

    Kevin,

    From
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp

    - DPAPI can work with either the machine store or user store (which
    requires a loaded user profile). DPAPI defaults to the user store, although
    you can specify that the machine store be used by passing the
    CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions.
    - The user profile approach affords an additional layer of security
    because it limits who can access the secret. Only the user who encrypts the
    data can decrypt the data. However, use of the user profile requires
    additional development effort when DPAPI is used from an ASP.NET Web
    application because you need to take explicit steps to load and unload a
    user profile (ASP.NET does not automatically load a user profile).
    - The machine store approach (adopted in this How To) is easier to develop
    because it does not require user profile management. However, unless an
    additional entropy parameter is used, it is less secure because any user on
    the computer can decrypt data. (Entropy is a random value designed to make
    deciphering the secret more difficult.) The problem with using an additional
    entropy parameter is that this must be securely stored by the application,
    which presents another key management issue.

    Note: If you use DPAPI with the machine store, the encrypted string is
    specific to a given computer and therefore you must generate the encrypted
    data on every computer. Do not copy the encrypted data across computers in a
    farm or cluster.

    So, in theory, you never need to log on with the account if you use the
    machine store. Of course, your application should then safely store an
    entropy (salt) value to help protect it from other DPAPI applications with
    access to the machine store.

    -Steve Jansen

    "Kevin Cunningham" <> wrote in message
    news:2ccbd01c39409$b9d338f0$...
    > I am planning on using DPAPI for an asp.net application.
    > I will configure the app to run under an account I
    > create. My understanding of DPAPI is that it needs a
    > login in order to work correctly, i.e. I need to log on
    > interactively at least once with the account. That
    > sounds dandy. My question is this, if I plan on
    > configuring the custom account to *not* be able to logon
    > interactively (via the local policy) will that nix the
    > ability to use DPAPI??
    >
    > TIA, kevin
    Steve Jansen, Oct 16, 2003
    #2
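The machine-store-plus-entropy approach Steve describes, as an added example that is not code from the thread or from the MSDN How To it quotes. It assumes .NET 2.0 or later, where `System.Security.Cryptography.ProtectedData` wraps `CryptProtectData`/`CryptUnprotectData` (the 2003 How To used a P/Invoke wrapper because the managed class did not exist in .NET 1.1); `DataProtectionScope.LocalMachine` corresponds to passing `CRYPTPROTECT_LOCAL_MACHINE`, and `DataProtectionScope.CurrentUser` to the default user store that needs a loaded profile. The connection string and entropy values are constructed placeholders.

```csharp
// Added example: protecting a connection string with DPAPI from managed code.
// Assumes .NET 2.0+ (System.Security.Cryptography.ProtectedData). Windows only,
// since DPAPI is an OS service.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtector
{
    // Encrypts UTF-8 text in the requested DPAPI store. "entropy" is the
    // application's own secret: with the machine store it is the only thing
    // stopping another account on the same box from calling Unprotect, so it
    // must itself be kept where other accounts cannot read it (this is the
    // key-management issue the How To points out).
    public static byte[] Protect(string plaintext, byte[] entropy, DataProtectionScope scope)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        try
        {
            return ProtectedData.Protect(data, entropy, scope);
        }
        finally
        {
            Array.Clear(data, 0, data.Length); // do not leave plaintext bytes behind
        }
    }

    // Decrypts a blob produced by Protect. DPAPI verifies integrity, so a blob
    // decrypted with different entropy (or on a different machine, for the
    // machine store) raises CryptographicException rather than returning garbage.
    public static string Unprotect(byte[] cipher, byte[] entropy, DataProtectionScope scope)
    {
        byte[] data = ProtectedData.Unprotect(cipher, entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(data);
        }
        finally
        {
            Array.Clear(data, 0, data.Length);
        }
    }

    public static void Main()
    {
        // Constructed sample values; never use these literals in a real deployment.
        string connStr = "Server=db01;Database=Orders;User Id=app;Password=PLACEHOLDER";
        byte[] entropy = Encoding.UTF8.GetBytes("app-specific-entropy-PLACEHOLDER");

        // Machine store: works for a service account that has never logged on
        // interactively, which is the case Kevin asks about.
        byte[] blob = Protect(connStr, entropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("Base64 blob for web.config: " + Convert.ToBase64String(blob));

        // Round trip with the right entropy.
        Console.WriteLine("Decrypted: " + Unprotect(blob, entropy, DataProtectionScope.LocalMachine));

        // A different application on the same machine, using different entropy,
        // is refused even though it has access to the machine store.
        try
        {
            Unprotect(blob, Encoding.UTF8.GetBytes("some-other-app"), DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Decryption with different entropy rejected: " + ex.Message);
        }
    }
}
```

Because the machine store key is per computer, the Base64 blob printed above is only valid on the server that produced it; in a web farm the `Protect` step has to be run on each server, exactly as the note in the How To says.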