See inline.
charlestek said:
Alex,
I am doing TWO things with the dpapi.
I am decrypting my text encryption string, stored in my web config,
already encrypted by the dpapi once.
as well as decrypting a dpapi encrypted aes binary symmetric key stored
in the web config as well.
So you have two values stored encrypted using DPAPI (in Web.config). OK, I
am with you.
The connection string is used for my database access by the classes that
need it, and the symmetric key is used to encrypt and decrypt info in a
table in my database. Each encrypted row in my database has an IV for
that row stored as well.
This does not seem to be relevant to your problem.
For some reason, it Appeared that if I didn't use a binary entropy value
that was the same number of bytes as the symmetric aes binary key, I had
problems with encrypting/decrypting the symmetric aes binary key with
the dpapi.
That however could be coincidence, and I had some other bug
that was causing the problem.
Yeah, the first statement does not make much sense. DPAPI entropy is totally
optional, and when used, the size of the entropy does not matter. You must
be doing something wrong.
In addition, now that I have the dpapi encrypted binary
aes key in my web config, when I use a class to encrypt and
decrypt some arbitrary text, I'm getting an invalid keysize
error upon decryption only. I forwarded the code about this particular
issue to Dominick recently.
So you are saying that after you decrypt your key from Web.config (using
DPAPI with your misterious entropy), then this key (more specific, its size)
is corrupt, right? Well, it looks like you have a full bucket of issues
here. So after you decrypt the key, how many bytes (of the AES key) do you
get?
If you read the MSDN documentation about the innards of the dpapi it is
hard for the lay person such as myself to understand the mathematics of
the entropy in the dpapi algorithm.
The thing is, you do not really need to understand the internals of DPAPI,
AES, etc. to be able to use them. Without looking at your code, this is what
I would suggest. Try to solve one problem at a time. I mean, forget about
Web.config and encryption for a moment and just make sure that you can
encrypt and decrypt data using DPAPI without corruption. Just make sure that
you encrypt a value, decrypt it and get the original data. There are lots of
samples online, e.g.
http://www.obviex.com/samples/Dpapi.aspx. When this
works, try it with the Web.config file. Make sure that you can encrypt data
with DPAPI, store it in config file, get it back, decrypt it and get the
original value. One of the common porblems is the wrong character handling.
Since DPAPI - as any other encryption routine - operates on bytes and the
data you retrieve in Web.config is in string format, you must make sure that
you use the right encoding (e.g. UTF-8 and base64). I assume that you base64
encode encrypted data before storing it in Web.config. After you get this
working, then concentrate on encryption. I am not sure why you store the
encrypted key bytes. I mean how do you enter these bytes before you encrypt
them and store in Web.config? I suspect you are doing something silly here.
A common approach would be to use a password (passphrase) and derive the AES
key from this password. Since the password is a string it is easier to
operate. Anyway, just make sure that your key bytes, password, or whatever
you are gonna use, are the same before encryption with DPAPI and after.
Also make sure that you use the AES key correctly. There are also many
samples available, e.g.
http://www.obviex.com/samples/Encryption.aspx.