Exploring the DPAPI
Encrypting Data
October 30, 2009
Troubleshooting Tips
LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.0 | 1.1
By Don Kiely
The Windows Data Protection API (DPAPI) solves a gnarly problem you face any time you need to encrypt data: where do you store the keys? As I've discussed in past installments in this series, DPAPI uses features built into Windows since Windows 2000 to save keys securely within Windows itself, under a robust layer of keys based on authentication credentials.
But while DPAPI provides measures to protect data, it is a Win32 API and has a few options that can make it less than intuitive. To start, it consists of two interfaces, user and system. Frankly, I've no idea why Microsoft chose to even document the system interfaces, as they are usable only by the Local Security Authority (LSA) to perform the actual encryption; your code must use the user interface. This interface is included in crypt32.dll, provided by Windows.
The good news is that there are only two methods in the interface, CryptProtectData and CryptUnprotectData, each of which returns true if the call was successful. You can use the optional CRYPTPROTECT_PROMPTSTRUCT structure to prompt the user for a password, and use the DATA_BLOB structure to receive the encrypted data or to pass it to be decrypted. The latter is an opaque structure that, according to the documentation, you only need to store; there is no reason to pay attention to its internals. The contents are hashed with a Hashed Message Authentication Code (HMAC), using the SHA-1 hashing algorithm.
The CryptProtectData method has several parameters:
a reference to a DATA_BLOB structure with the clear text to be encrypted
an optional description of the data to be encrypted, which is included in the protected data
an optional entropy value in the form of a reference to another DATA_BLOB, used to salt the encryption, kind of a second password that can be application- or instance-specific
a reserved parameter
an optional reference to a CRYPTPROTECT_PROMPTSTRUCT
several optional defined flags to indicate which data store to use, whether to use a user interface to prompt the user for required information, whether to generate an audit through the LSA, and whether to bypass encryption and only query the MasterKeys and re-encrypt them in memory
The result is an output reference to a DATA_BLOB with the protected data, which you can store wherever you want, knowing that it would be very difficult for a hacker to crack. The CryptUnprotectData method has pretty much the same set of parameters, but is geared toward the reverse operation, taking the encrypted data as its input.
The hardest thing about using DPAPI is that the methods are Win32 API functions, which require that the data be in precisely the right data types, or else the call will fail. This usually means that you have to write a hundred lines of code to get the data in the right form to make a single statement call to the API, particularly if you use a language with non-standard native data types. If you're writing .NET code, this means some messy p/invoke calls to unmanaged code, which are never easy or fun, and are fraught with potential security issues.
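To make the p/invoke plumbing concrete, here is an added example (not the article's code and not the GotDotNet wrapper it mentions) that declares DATA_BLOB and the two crypt32 entry points, passes an entropy blob as the "second password", and shows the user-store versus machine-store flag. The class and helper names and the sample strings are my own, and it runs only on Windows.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
// Constructed example: a minimal p/invoke wrapper for CryptProtectData / CryptUnprotectData.
static class DpapiExample {
    [StructLayout(LayoutKind.Sequential)] struct DATA_BLOB { public int cbData; public IntPtr pbData; }
    const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;  // never show a prompt (services, ASP.NET)
    const int CRYPTPROTECT_LOCAL_MACHINE = 0x4; // machine store: any account on the box can decrypt
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr, ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, out DATA_BLOB pDataOut);
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr, ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, out DATA_BLOB pDataOut);
    [DllImport("kernel32.dll")] static extern IntPtr LocalFree(IntPtr hMem);
    // Managed bytes -> unmanaged blob; null/empty means "no entropy" (a zero-length blob is accepted).
    static DATA_BLOB ToBlob(byte[] data) {
        DATA_BLOB b = new DATA_BLOB();
        if (data == null || data.Length == 0) return b;
        b.cbData = data.Length;
        b.pbData = Marshal.AllocHGlobal(data.Length);
        Marshal.Copy(data, 0, b.pbData, data.Length);
        return b;
    }
    // protect=true encrypts, false decrypts; entropy is the "second password" the article describes.
    public static byte[] Call(bool protect, byte[] input, byte[] entropy, bool machineScope) {
        DATA_BLOB inBlob = ToBlob(input), entBlob = ToBlob(entropy), outBlob;
        int flags = CRYPTPROTECT_UI_FORBIDDEN | (machineScope ? CRYPTPROTECT_LOCAL_MACHINE : 0);
        try {
            bool ok = protect
                ? CryptProtectData(ref inBlob, "example secret", ref entBlob, IntPtr.Zero, IntPtr.Zero, flags, out outBlob)
                : CryptUnprotectData(ref inBlob, IntPtr.Zero, ref entBlob, IntPtr.Zero, IntPtr.Zero, flags, out outBlob);
            if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error()); // wrong account, store or entropy
            byte[] result = new byte[outBlob.cbData];                // copy out, then free the LocalAlloc'd buffer
            Marshal.Copy(outBlob.pbData, result, 0, outBlob.cbData);
            LocalFree(outBlob.pbData);
            return result;
        } finally {
            if (inBlob.pbData != IntPtr.Zero) Marshal.FreeHGlobal(inBlob.pbData);
            if (entBlob.pbData != IntPtr.Zero) Marshal.FreeHGlobal(entBlob.pbData);
        }
    }
    static void Main() {
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample secret");
        byte[] entropy = Encoding.UTF8.GetBytes("per-application salt"); // constructed; keep it out of web.config
        byte[] blob = Call(true, secret, entropy, false);                // user store of the calling account
        Console.WriteLine(Encoding.UTF8.GetString(Call(false, blob, entropy, false)));
        try { Call(false, blob, null, false); } catch (Win32Exception e) { Console.WriteLine("no entropy: " + e.Message); }
    }
}
```

The last call deliberately omits the entropy: the same account cannot decrypt the blob without it, which is the property that keeps one application's secrets separate from another's running under the same identity.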
Fortunately, Microsoft has made available a wrapper class written in both VB .NET and C# that does most of the heavy lifting for you. It won't solve any security problems, but it makes using DPAPI just about as easy as it should be. The components are available at http://www.gotdotnet.com, a Microsoft site with lots of sample code, discussions, and workspaces for development projects. Go there, select User Samples from the Toolbox, and search for DPAPI. It includes the source code, so you can learn a lot about DPAPI by going through the code. I showed an example of using this component in an earlier installment of this column.
Next time I'll wrap up my DPAPI rants by discussing some of the hoops you need to jump through to use it with ASP.NET, particularly if you want to use the user store for the keys.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, Alaska. E-mail him at mailto:[email protected].