Size of Entropy with Dpapi Encrypted Connection String

Discussion in 'ASP .Net Security' started by Phil C., Mar 12, 2005.

  1. Phil C. (Guest)

    Hi. I'm using the DPAPI to encrypt a SQL Server connection string. Strictly speaking,
    how many bytes of entropy am I supposed to use?

    Phil Czapla
    Boston, Massachusetts
     
    Phil C., Mar 12, 2005
    #1

  2. WJ (Guest)

    16 bytes
     
    WJ, Mar 12, 2005
    #2

  3. Dominick Baier [DevelopMentor]

    Hello Phil C.,

    You can pass in as much entropy as you want. Understand, this only "seeds"
    the key that is already used for DPAPI.



    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi. I'm using the dpapi to encrypt a sql server connection string.
    > Strictly speaking
    > how many bytes of entropy am I supposed to use??
    > Phil Czapla
    > Boston, Massachusetts
     
    Dominick Baier [DevelopMentor], Mar 13, 2005
    #3
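As an added illustration of Dominick's point (example code written for this page, not code posted in the thread): DPAPI accepts optional entropy of any length and mixes it into the protection key; the only requirement is that Unprotect is handed byte-for-byte the same value. It uses .NET 2.0's System.Security.Cryptography.ProtectedData (System.Security.dll), which wraps the native CryptProtectData/CryptUnprotectData calls and therefore runs only on Windows; the random key, the entropy strings and the helper names Wrap/Unwrap/SameBytes are this example's own.

```csharp
// Added example for this page (not code from the thread).
// Requires .NET 2.0+ (reference System.Security.dll) and Windows, since
// ProtectedData wraps the native CryptProtectData / CryptUnprotectData calls.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiEntropyDemo
{
    // Seal 'secret' under the calling user's DPAPI master key.
    // 'entropy' may be null or any length; DPAPI mixes it into the key
    // derivation, so Unprotect must be given byte-for-byte the same value.
    static byte[] Wrap(byte[] secret, byte[] entropy)
    {
        return ProtectedData.Protect(secret, entropy, DataProtectionScope.CurrentUser);
    }

    static byte[] Unwrap(byte[] blob, byte[] entropy)
    {
        return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    static void Main()
    {
        // Constructed secret: a random 32-byte (AES-256) key, like the one
        // Phil keeps DPAPI-sealed in Web.config.
        byte[] aesKey = new byte[32];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(aesKey);
        }

        // Entropy of 0, 1, 16 and 37 bytes: none of these sizes is special.
        byte[][] entropies = new byte[][]
        {
            null,
            new byte[] { 0x42 },
            Encoding.UTF8.GetBytes("sixteen-byte-str"),
            Encoding.UTF8.GetBytes("any length works: DPAPI does not care")
        };

        foreach (byte[] entropy in entropies)
        {
            byte[] blob = Wrap(aesKey, entropy);
            byte[] back = Unwrap(blob, entropy);
            Console.WriteLine("entropy {0,2} bytes -> blob {1} bytes, round trip {2}",
                entropy == null ? 0 : entropy.Length, blob.Length,
                SameBytes(back, aesKey) ? "OK" : "CORRUPT");
        }

        // What does matter is that the bytes match exactly: one byte more
        // and DPAPI rejects the blob with a CryptographicException.
        byte[] right = Encoding.UTF8.GetBytes("correct entropy");
        byte[] wrong = Encoding.UTF8.GetBytes("correct entropy!");
        byte[] sealedKey = Wrap(aesKey, right);
        try
        {
            Unwrap(sealedKey, wrong);
            Console.WriteLine("unexpected: unwrap with wrong entropy succeeded");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("wrong entropy rejected: " + ex.Message);
        }
    }
}
```

Two practical caveats. DataProtectionScope.CurrentUser ties the blob to the profile of the account that called Protect, so under ASP.NET the sealing and unsealing must happen as the same worker-process identity, with its profile loaded; LocalMachine lets any process on that machine unseal it, and that is exactly where entropy earns its keep, as a second secret the attacker must also obtain. Entropy stored in Web.config next to the blob adds nothing against anyone who can already read that file; keep it somewhere with a different ACL or compiled into the assembly.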
  4. Phil Czapla (Guest)

    Thanks Dominick,

    The reason I ask is that in the encrypting of
    the binary AES key by the DPAPI, it appeared I had problems
    unless the binary entropy value was the same number of
    bytes as the key. Thus I extrapolated this to suggest that
    perhaps I'd have to count the number of characters in the connection
    string and use that as the number of bytes for the connection string
    entropy.


    Phil

    *** Sent via Developersdex http://www.developersdex.com ***
    Don't just participate in USENET...get rewarded for it!
     
    Phil Czapla, Mar 13, 2005
    #4
  5. Alek Davis (Guest)

    This does not sound right. Entropy can be any size (well, there may be
    limitations, but for practical purposes it can be just about anything). I am
    not sure I follow what you're saying. You said that you are encrypting a
    Rijndael (or AES) key, but then you somehow linked it with the connection
    string. Where did the connection string come from? What is "the connection
    string entropy?" Are you talking about initialization vector (IV) used with
    Rijndael key by any chance? This value must be of specific size (related to
    the key/encryption block size, normally 16 bytes). Could you clarify what
    exactly you are doing?

    Alek

    "Phil Czapla" <> wrote in message
    news:%...
    >
    >
    > Thanks Dominick,
    >
    > The reason I ask is that in the encrypting of
    > the binary aes key by the dpapi, it appeared I had problems
    > unless the binary entropy value was the same number of
    > bytes as the key. Thus I extrapolated this to suggest that
    > perhaps I'd have to count the number of characters in the connection
    > string and use that as the number of bytes for the connection string
    > entropy.
    >
    >
    > Phil
    >
     
    Alek Davis, Mar 15, 2005
    #5
  6. charlestek (Guest)

    Alek,

    I am doing TWO things with the DPAPI.
    I am decrypting my text encryption string, stored in my web config,
    already encrypted by the DPAPI once,
    as well as decrypting a DPAPI-encrypted AES binary symmetric key stored
    in the web config as well.

    The connection string is used for my database access by the classes that
    need it, and the symmetric key is used to encrypt and decrypt info in a
    table in my database. Each encrypted row in my database has an IV for
    that row stored as well.


    For some reason, it appeared that if I didn't use a binary entropy value
    that was the same number of bytes as the symmetric AES binary key, I had
    problems with encrypting/decrypting the symmetric AES binary key with
    the DPAPI.
    That however could be coincidence, and I had some other bug
    that was causing the problem.

    In addition, now that I have the DPAPI-encrypted binary
    AES key in my web config, when I use a class to encrypt and
    decrypt some arbitrary text, I'm getting an invalid key size
    error upon decryption only. I forwarded the code about this particular
    issue to Dominick recently.

    If you read the MSDN documentation about the innards of the DPAPI it is
    hard for a lay person such as myself to understand the mathematics of
    the entropy in the DPAPI algorithm.

    Phil

     
    charlestek, Mar 15, 2005
    #6
  7. Alek Davis (Guest)

    See inline.

    "charlestek" <> wrote in message
    news:...
    >
    >
    > Alek,
    >
    > I am doing TWO things with the dpapi.
    > I am decrypting my text encryption string, stored in my web config,
    > already encrypted by the dpapi once.
    > as well as decrypting a dpapi encrypted aes binary symmetric key stored
    > in the web config as well.


    So you have two values stored encrypted using DPAPI (in Web.config). OK, I
    am with you.

    > The connection string is used for my database access by the classes that
    > need it, and the symmetric key is used to encrypt and decrypt info in a
    > table in my database. Each encrypted row in my database has an IV for
    > that row stored as well.


    This does not seem to be relevant to your problem.

    > For some reason, it appeared that if I didn't use a binary entropy value
    > that was the same number of bytes as the symmetric aes binary key, I had
    > problems with encrypting/decrypting the symmetric aes binary key with
    > the dpapi.
    > That however could be coincidence, and I had some other bug
    > that was causing the problem.


    Yeah, the first statement does not make much sense. DPAPI entropy is totally
    optional, and when used, the size of the entropy does not matter. You must
    be doing something wrong.

    > In addition, now that I have the dpapi encrypted binary
    > aes key in my web config, when I use a class to encrypt and
    > decrypt some arbitrary text, I'm getting an invalid keysize
    > error upon decryption only. I forwarded the code about this particular
    > issue to Dominick recently.


    So you are saying that after you decrypt your key from Web.config (using
    DPAPI with your mysterious entropy), then this key (more specifically, its size)
    is corrupt, right? Well, it looks like you have a full bucket of issues
    here. So after you decrypt the key, how many bytes (of the AES key) do you
    get?

    > If you read the MSDN documentation about the innards of the dpapi it is
    > hard for the lay person such as myself to understand the mathematics of
    > the entropy in the dpapi algorithm.


    The thing is, you do not really need to understand the internals of DPAPI,
    AES, etc. to be able to use them. Without looking at your code, this is what
    I would suggest. Try to solve one problem at a time. I mean, forget about
    Web.config and encryption for a moment and just make sure that you can
    encrypt and decrypt data using DPAPI without corruption. Just make sure that
    you encrypt a value, decrypt it and get the original data. There are lots of
    samples online, e.g. http://www.obviex.com/samples/Dpapi.aspx. When this
    works, try it with the Web.config file. Make sure that you can encrypt data
    with DPAPI, store it in config file, get it back, decrypt it and get the
    original value. One of the common problems is the wrong character handling.
    Since DPAPI - as any other encryption routine - operates on bytes and the
    data you retrieve in Web.config is in string format, you must make sure that
    you use the right encoding (e.g. UTF-8 and base64). I assume that you base64
    encode encrypted data before storing it in Web.config. After you get this
    working, then concentrate on encryption. I am not sure why you store the
    encrypted key bytes. I mean how do you enter these bytes before you encrypt
    them and store in Web.config? I suspect you are doing something silly here.
    A common approach would be to use a password (passphrase) and derive the AES
    key from this password. Since the password is a string it is easier to
    operate. Anyway, just make sure that your key bytes, password, or whatever
    you are gonna use, are the same before encryption with DPAPI and after.
    Also make sure that you use the AES key correctly. There are also many
    samples available, e.g. http://www.obviex.com/samples/Encryption.aspx.

    > Phil
    >
     
    Alek Davis, Mar 15, 2005
    #7
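To make Alek's advice concrete (an added example for this page, not code from the thread): seal the key with DPAPI, Base64-encode the result into a string-valued setting the way Web.config would hold it, read it back, check the byte count before handing it to AES, and then use it with a per-record IV as the thread describes. The second path shows why pushing DPAPI's binary output through Encoding.UTF8 instead of Base64 mangles it. ProtectedData, Rfc2898DeriveBytes and RijndaelManaged are .NET 2.0 classes (Windows only for the DPAPI part); the entropy string, salt, passphrase, iteration count and the helper names Seal/Unseal/SealWrong/UnsealWrong/RequireAesKey are constructed for the example.

```csharp
// Added example for this page (not code from the thread). Windows, .NET 2.0+,
// reference System.Security.dll for ProtectedData.
using System;
using System.Security.Cryptography;
using System.Text;

static class KeyInConfigDemo
{
    // Right: DPAPI output is binary, so Base64 it before it goes into a
    // string-valued setting such as an appSettings entry in Web.config.
    static string Seal(byte[] key, byte[] entropy)
    {
        byte[] blob = ProtectedData.Protect(key, entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    static byte[] Unseal(string setting, byte[] entropy)
    {
        byte[] blob = Convert.FromBase64String(setting);
        return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.LocalMachine);
    }

    // Wrong: treating the ciphertext as UTF-8 text. The DPAPI blob contains
    // byte sequences that are not valid UTF-8; GetString replaces each of
    // those with U+FFFD, so GetBytes afterwards does not return the original blob.
    static string SealWrong(byte[] key, byte[] entropy)
    {
        byte[] blob = ProtectedData.Protect(key, entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(blob);
    }

    static byte[] UnsealWrong(string setting, byte[] entropy)
    {
        return ProtectedData.Unprotect(Encoding.UTF8.GetBytes(setting), entropy,
                                       DataProtectionScope.LocalMachine);
    }

    // Fail early with a clear message instead of a bare "invalid key size"
    // deep inside the decrypt path.
    static void RequireAesKey(byte[] key)
    {
        int bits = key.Length * 8;
        if (bits != 128 && bits != 192 && bits != 256)
            throw new CryptographicException("recovered key is " + bits + " bits; AES needs 128/192/256");
    }

    static void Main()
    {
        byte[] entropy = Encoding.UTF8.GetBytes("constructed entropy, any length");

        // Alek's alternative to typing in raw key bytes: derive the key from a
        // passphrase with PBKDF2. Salt, passphrase and iteration count are
        // constructed values for the example.
        byte[] salt = Encoding.UTF8.GetBytes("constructed-salt");
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes("correct horse battery staple", salt, 10000);
        byte[] aesKey = kdf.GetBytes(32);

        // 1. Seal, store as text, read back, check the size, then use it.
        string setting = Seal(aesKey, entropy);
        byte[] recovered = Unseal(setting, entropy);
        RequireAesKey(recovered);
        Console.WriteLine("recovered {0} bytes; setting is {1} chars of Base64",
                          recovered.Length, setting.Length);

        // One IV per record, stored beside the ciphertext, as the thread does.
        // RijndaelManaged defaults to a 256-bit key, CBC mode and PKCS7 padding.
        RijndaelManaged aes = new RijndaelManaged();
        aes.Key = recovered;           // the setter itself throws on a wrong-sized key
        aes.GenerateIV();
        byte[] row = Encoding.UTF8.GetBytes("row data to protect");
        byte[] ct = aes.CreateEncryptor().TransformFinalBlock(row, 0, row.Length);
        byte[] pt = aes.CreateDecryptor(recovered, aes.IV).TransformFinalBlock(ct, 0, ct.Length);
        Console.WriteLine("AES round trip: " + Encoding.UTF8.GetString(pt));

        // 2. Same thing via UTF-8 instead of Base64: the mangled blob no longer
        // verifies, DPAPI throws, and the key never reaches AES at all.
        try
        {
            UnsealWrong(SealWrong(aesKey, entropy), entropy);
            Console.WriteLine("unexpected: UTF-8 path survived");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("UTF-8 path failed as it should: " + ex.Message);
        }
    }
}
```

The check in RequireAesKey is what turns a vague "invalid key size" on decrypt into a message that names the real cause: the bytes that came out of the config round trip are not the bytes that went in. If the count is right but AES still produces garbage, the remaining suspects are the entropy (it must be identical at seal and unseal time) and the IV stored with each row.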
  8. charlestek (Guest)

    charlestek, Mar 16, 2005
    #8
  9. charlestek (Guest)

    charlestek, Mar 17, 2005
    #9
