DPAPI User Store Does Not Work as advertised

omar

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp

I am following the above article to implement DPAPI User Store to
store Credit Card Info in my database.

I am doing exactly what the article says. I can encrypt and decrypt
from the same machine but not from different machines... What I have
read is that if I have a roaming or a domain based user profile, I am
able to do that. I have created a domain account that my win services
on both machines and my COM+ components also on both machines use.
Still no cigar.

Any ideas?
 
Hernan de Lahitte

Take a look at this MSDN Magazine article that describes a component that
tackles this problem.

http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx

However an alternate approach to solve this issue (actually a key management
topic) might be something like this:
1) Create a session key (might be derived random entropy material)
2) Protect this key with asymmetric encryption (X509 Certificate installed on
the app server that will do the encr/decr operations)
3) Store this key on a central store
4) All app servers will get this key, decrypt it with their local
public/private key pair (provided by the X509 Cert) and proceed to use this
master key to do the encryption/decryption operations.

Hernan de Lahitte
http://weblogs.asp.net/hernandl
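An added worked example of the four steps above, written for this thread rather than taken from it or from the MSDN article: a random master key is wrapped with an X.509 certificate's RSA public key, the wrapped bytes go to a central store, and every app server that has the same certificate with its private key installed unwraps the key locally and uses it for AES-GCM encryption of the card records. Assumed: .NET 8 or later, the certificate installed in LocalMachine\My on each server, a placeholder thumbprint and a placeholder UNC path for the central store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class EnvelopeKeyStore
{
    // Step 1: create the master (session) key, 256 random bits.
    public static byte[] CreateMasterKey() => RandomNumberGenerator.GetBytes(32);

    // Step 2: wrap it with the certificate's RSA public key (OAEP padding).
    public static byte[] WrapMasterKey(byte[] masterKey, X509Certificate2 cert)
    {
        using RSA rsa = cert.GetRSAPublicKey();
        return rsa.Encrypt(masterKey, RSAEncryptionPadding.OaepSHA256);
    }

    // Step 3: put the wrapped key in the central store (assumed: a shared file;
    // a database row holding the same bytes works identically).
    public static void StoreWrappedKey(string centralPath, byte[] wrapped) =>
        File.WriteAllBytes(centralPath, wrapped);

    // Step 4: each app server unwraps the key with its locally installed private key.
    public static byte[] UnwrapMasterKey(byte[] wrapped, X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new CryptographicException("No private key for this certificate on this server.");
        using RSA rsa = cert.GetRSAPrivateKey();
        return rsa.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    }

    // Record encryption with the unwrapped key: AES-GCM, blob = nonce || tag || ciphertext.
    public static byte[] EncryptRecord(byte[] masterKey, string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
        byte[] cipher = new byte[data.Length];
        using (var aes = new AesGcm(masterKey, tag.Length))
            aes.Encrypt(nonce, data, cipher, tag);
        byte[] blob = new byte[nonce.Length + tag.Length + cipher.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, nonce.Length);
        cipher.CopyTo(blob, nonce.Length + tag.Length);
        return blob;
    }

    // Decryption rejects any modified blob: the GCM tag check throws CryptographicException.
    public static string DecryptRecord(byte[] masterKey, byte[] blob)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize, tagLen = AesGcm.TagByteSizes.MaxSize;
        byte[] nonce = blob[..nonceLen];
        byte[] tag = blob[nonceLen..(nonceLen + tagLen)];
        byte[] cipher = blob[(nonceLen + tagLen)..];
        byte[] data = new byte[cipher.Length];
        using (var aes = new AesGcm(masterKey, tagLen))
            aes.Decrypt(nonce, cipher, tag, data);
        return Encoding.UTF8.GetString(data);
    }

    // Look the certificate up by thumbprint in the machine store.
    public static X509Certificate2 FindCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0) throw new InvalidOperationException("Certificate not installed.");
        return found[0];
    }

    public static void Main()
    {
        // Assumed values: placeholder thumbprint and placeholder central path.
        X509Certificate2 cert = FindCertificate("PLACEHOLDER_THUMBPRINT");
        string centralPath = @"\\fileserver\keys\master.wrapped";

        // Done once by an administrator; only the public key is needed for this step.
        StoreWrappedKey(centralPath, WrapMasterKey(CreateMasterKey(), cert));

        // Done by every app server at startup; nothing here depends on a user profile.
        byte[] masterKey = UnwrapMasterKey(File.ReadAllBytes(centralPath), cert);

        byte[] stored = EncryptRecord(masterKey, "4111111111111111"); // constructed test card number
        Console.WriteLine(DecryptRecord(masterKey, stored));
    }
}
```

The private key on each server is now the thing that guards every card record, so it should be installed non-exportable and readable only by the service account; rotating the master key means wrapping a new one and re-encrypting the stored records under it.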
 
omar

Thank you for your suggestion. However, it is Key Management that I am trying
to avoid. My problem is that I have followed the guide from Microsoft exactly
and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
cannot decrypt on another machine even though I am running under the same
profile as the How-To guide instructs. It seems like I am using the machine
store. I am sure I am using the User Store but the behaviour is that of a
user store.
 
omar

Hernan, can you please elaborate some more on the X509 Certificate approach
you suggested? Are there any articles you can direct me to?
 
Patricio Jutard

Are you using "exactly" the same Credentials? It's not the same to have
THISMACHINE\pjutard as MYDOMAIN\pjutard.

Also be aware that in order to use the User Store, the User Profile must be
loaded, so if you are not logged in as the user but you are impersonating it in
a Windows Service you must be sure that the Profile exists; for this you
MUST log in at least once using this user's credentials.

Cheers,

Patricio Jutard
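An added diagnostic for the two points Patricio raises (which account the process really runs as, and whether that account's profile is loaded), plus a cross-machine test of the DPAPI user store. It is not code from the thread or from the MSDN How-To. Assumed: Windows, .NET with the System.Security.Cryptography.ProtectedData package, and that a loaded profile is visible as the user's hive mounted under HKEY_USERS\<SID>; the entropy string and card number are constructed test values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

public static class DpapiScopeCheck
{
    // The account the process actually runs as, e.g. THISMACHINE\pjutard or MYDOMAIN\pjutard.
    public static string CurrentIdentity() => WindowsIdentity.GetCurrent().Name;

    // A loaded profile mounts the user's registry hive at HKEY_USERS\<SID>;
    // if that key is absent, the profile is not loaded and the user store cannot work.
    public static bool ProfileLoaded()
    {
        string sid = WindowsIdentity.GetCurrent().User?.Value;
        if (string.IsNullOrEmpty(sid)) return false;
        using RegistryKey hive = Registry.Users.OpenSubKey(sid);
        return hive != null;
    }

    // DataProtectionScope.CurrentUser is the "user store": the blob is tied to the
    // account's DPAPI master keys, which live in its profile (roaming or not).
    public static byte[] ProtectUser(string secret, byte[] entropy) =>
        ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), entropy, DataProtectionScope.CurrentUser);

    // Returns null instead of throwing when the blob was protected by a different
    // account (or, with LocalMachine scope, on a different machine).
    public static string TryUnprotectUser(byte[] blob, byte[] entropy)
    {
        try
        {
            return Encoding.UTF8.GetString(
                ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser));
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    public static void Main(string[] args)
    {
        Console.WriteLine("Running as:     " + CurrentIdentity());
        Console.WriteLine("Profile loaded: " + ProfileLoaded());

        byte[] entropy = Encoding.UTF8.GetBytes("app-specific secondary entropy"); // constructed

        // "protect <text>" on machine A prints a base64 blob; "unprotect <blob>" on machine B,
        // run under the same domain account, shows whether the user store really roams.
        if (args.Length == 2 && args[0] == "protect")
            Console.WriteLine(Convert.ToBase64String(ProtectUser(args[1], entropy)));
        else if (args.Length == 2 && args[0] == "unprotect")
            Console.WriteLine(TryUnprotectUser(Convert.FromBase64String(args[1]), entropy)
                              ?? "Unprotect failed: blob was not protected by this account/profile");
        else
            Console.WriteLine(TryUnprotectUser(ProtectUser("4111111111111111", entropy), entropy)); // local round trip
    }
}
```

If "Running as" prints a machine-local name on either box, or "Profile loaded" is False inside the service, the blob from the other machine will not unprotect no matter which scope the How-To specifies.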
 
omar

Thank you Patricio. I am following the How-To guide to the letter except
that I am using a domain account so that I will be able to use that across
machines. So I am using one account with one password "domain/DPAPIAccount".
And as to your other question, yes, I did log on with the domain account and
a profile was created. Another thing I made sure is that when the service got
started it actually forced the Serviced Component to start too. Any other
suggestions?
 