DPAPI and connection string

Kevin Cunningham
      10-16-2003
I am planning on using DPAPI for an ASP.NET application. I will configure the app to run under an account I create. My understanding of DPAPI is that it needs a login in order to work correctly, i.e. I need to log on interactively at least once with the account. That sounds dandy. My question is this: if I plan on configuring the custom account to *not* be able to log on interactively (via the local policy), will that nix the ability to use DPAPI?

TIA, kevin
Steve Jansen
      10-16-2003
Kevin,

From
http://msdn.microsoft.com/library/de...SecNetHT08.asp

- DPAPI can work with either the machine store or user store (which requires a loaded user profile). DPAPI defaults to the user store, although you can specify that the machine store be used by passing the CRYPTPROTECT_LOCAL_MACHINE flag to the DPAPI functions.
- The user profile approach affords an additional layer of security because it limits who can access the secret. Only the user who encrypts the data can decrypt the data. However, use of the user profile requires additional development effort when DPAPI is used from an ASP.NET Web application because you need to take explicit steps to load and unload a user profile (ASP.NET does not automatically load a user profile).
- The machine store approach (adopted in this How To) is easier to develop because it does not require user profile management. However, unless an additional entropy parameter is used, it is less secure because any user on the computer can decrypt data. (Entropy is a random value designed to make deciphering the secret more difficult.) The problem with using an additional entropy parameter is that this must be securely stored by the application, which presents another key management issue.

Note: If you use DPAPI with the machine store, the encrypted string is specific to a given computer and therefore you must generate the encrypted data on every computer. Do not copy the encrypted data across computers in a farm or cluster.

So, in theory, you never need to logon with the account if you use the
machine store. Of course, your application should then safely store an
entropy (salt) value to help protect it from other DPAPI applications with
access to the machine store.

-Steve Jansen

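The machine-store-plus-entropy approach Steve's reply describes, as an added example that is not code from the thread or from the MSDN How To. It uses System.Security.Cryptography.ProtectedData (the managed DPAPI wrapper shipped with .NET 2.0 and later, and as a NuGet package on .NET Core / .NET 5+; Windows only), so it does not show the raw CryptProtectData P/Invoke a .NET 1.1 application would have needed. The connection string is constructed sample data, and the entropy is generated at run time only to keep the example self-contained; where a real deployment keeps that entropy (the "key management issue" the How To mentions) is an assumption left to the reader.

```csharp
// Added example: protecting a connection string with DPAPI via ProtectedData.
// Assumptions: Windows host, System.Security.Cryptography.ProtectedData available,
// and an out-of-band home for the entropy (e.g. a registry value ACL'd to the
// application identity); that storage is NOT implemented here.
using System;
using System.Security.Cryptography;
using System.Text;

static class ConnectionStringProtector
{
    // Encrypts under the chosen DPAPI store. With DataProtectionScope.LocalMachine
    // (CRYPTPROTECT_LOCAL_MACHINE in the native API) any principal on this machine can
    // call Unprotect on the blob, so the optional entropy is the only thing keeping
    // other local users and services out of it. CurrentUser binds the blob to the
    // calling account's profile, which ASP.NET does not load for you.
    public static string Protect(string plaintext, byte[] entropy, DataProtectionScope scope)
    {
        byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), entropy, scope);
        return Convert.ToBase64String(blob); // base64 so it can sit in web.config appSettings
    }

    public static string Unprotect(string base64Blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(Convert.FromBase64String(base64Blob), entropy, scope);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // Constructed sample; not a real server or credential.
        string connStr = "Server=db01;Database=Orders;User Id=orders_app;Password=<redacted>";

        // Entropy: generate once per deployment and store it out of band. Generated
        // here only so the example runs on its own. RandomNumberGenerator.Create()
        // works on both .NET Framework and .NET Core.
        byte[] entropy = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(entropy);
        }

        string blob = Protect(connStr, entropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("Encrypted (machine store): " + blob.Substring(0, 32) + "...");
        Console.WriteLine("Decrypted: " + Unprotect(blob, entropy, DataProtectionScope.LocalMachine));

        // Wrong entropy: DPAPI refuses with CryptographicException. Without entropy,
        // this call would succeed for any local account, which is the exposure the
        // MSDN text warns about.
        try
        {
            Unprotect(blob, new byte[32], DataProtectionScope.LocalMachine);
            Console.WriteLine("UNEXPECTED: decrypted with wrong entropy");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Wrong entropy rejected: " + e.Message);
        }

        // Machine-store blobs are tied to this machine's DPAPI master key, so the same
        // blob will not decrypt on another server in a farm: run Protect on each box
        // rather than copying the encrypted value between them.
    }
}
```

Two practical notes. First, entropy is an authentication-of-caller measure, not a substitute for the user store: anyone who can read both the blob and the entropy from the same box can decrypt, so the entropy must live somewhere the application identity can read and other local principals cannot. Second, for the specific case of a connection string in web.config, ASP.NET 2.0 and later ship a DPAPI-backed protected-configuration provider (DataProtectionConfigurationProvider, driven by aspnet_regiis -pe "connectionStrings") that does the machine-store encryption without custom code; the thread predates it, but it removes the need to hand-roll the wrapper above.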