Velocity Reviews - Computer Hardware Reviews

DPAPI User Store Does Not Work as advertised

 
 
omar, 11-17-2004
http://msdn.microsoft.com/library/de...SecNetHT09.asp

I am following the above article to implement DPAPI User Store to
store Credit Card Info in my database.

I am doing exactly what the article says. I can encrypt and decrypt
from the same machine but not from different machines... What I have
read is that if I have a roaming or a domain based user profile, I am
able to do that. I have created a domain account that my win services
on both machines and my COM+ components also on both machines use.
Still no cigar.

Any ideas?
 
Hernan de Lahitte, 11-17-2004
Take a look at this MSDN Magazine article that describes a component that
tackles this problem.

http://msdn.microsoft.com/msdnmag/is...y/default.aspx

However an alternate approach to solve this issue (actually a key management
topic) might be something like this:
1) Create a session key (might be derived random entropy material)
2) Protect this key with asymmetric encryption (X509 Certificate installed on
the app server that will do the encr/decr operations)
3) Store this key on a central store
4) All app servers will get this key, decrypt it with their local
public/private key pair (provided by the X509 Cert) and proceed to use this
master key to do the encryption/decryption operations.


Hernan de Lahitte
http://weblogs.asp.net/hernandl


"omar" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> http://msdn.microsoft.com/library/de...SecNetHT09.asp
>
> I am following the above article to implement DPAPI User Store to
> store Credit Card Info in my database.
>
> I am doing exactly what the article says. I can encrypt and decrypt
> from the same machine but not from different machines... What I have
> read is that if I have a roaming or a domain based user profile, I am
> able to do that. I have created a domain account that my win services
> on both machines and my COM+ components also on both machines use.
> Still no cigar.
>
> Any ideas?



 
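Steps 1 to 4 above, as an added example in C# (.NET 8) that is not Hernan's code or the MSDN component's: a random master key is wrapped with the RSA public key of an X509 certificate, stored as an opaque blob, unwrapped by each app server with the certificate's private key and then used for AES-GCM. It assumes the same certificate, with its private key, is installed on every app server (loaded here from a placeholder PFX path) and that the central store is whatever holds the wrapped blob; the sample card data is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class WrappedMasterKey
{
    // Steps 1-2: random 256-bit master key, wrapped with the certificate's RSA
    // public key (OAEP). Only the wrapped form is written to the central store.
    public static byte[] CreateWrapped(X509Certificate2 cert)
    {
        byte[] masterKey = RandomNumberGenerator.GetBytes(32);
        using RSA rsa = cert.GetRSAPublicKey()!;
        return rsa.Encrypt(masterKey, RSAEncryptionPadding.OaepSHA256);
    }
    // Step 4a: each app server unwraps the blob with its copy of the private key.
    public static byte[] Unwrap(X509Certificate2 cert, byte[] wrapped)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no private key");
        return rsa.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    }
    // Step 4b: AES-GCM under the master key; blob layout is nonce||tag||ciphertext,
    // so any server that unwrapped the same key can decrypt it.
    public static byte[] Protect(byte[] masterKey, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16];
        byte[] data = Encoding.UTF8.GetBytes(plaintext), ct = new byte[data.Length];
        using var aes = new AesGcm(masterKey, tag.Length);
        aes.Encrypt(nonce, data, ct, tag);
        byte[] blob = new byte[28 + ct.Length];
        nonce.CopyTo(blob, 0); tag.CopyTo(blob, 12); ct.CopyTo(blob, 28);
        return blob;
    }
    public static string Unprotect(byte[] masterKey, byte[] blob)
    {
        byte[] plain = new byte[blob.Length - 28];
        using var aes = new AesGcm(masterKey, 16);
        aes.Decrypt(blob[..12], blob[28..], blob[12..28], plain); // throws if tampered
        return Encoding.UTF8.GetString(plain);
    }
    static void Main()
    {
        var cert = new X509Certificate2("PLACEHOLDER.pfx", "PLACEHOLDER"); // shared cert (placeholder)
        byte[] wrapped = CreateWrapped(cert);      // done once; the blob goes to the central store
        byte[] keyA = Unwrap(cert, wrapped);       // app server A at startup
        byte[] keyB = Unwrap(cert, wrapped);       // app server B at startup
        byte[] blob = Protect(keyA, "constructed sample card data");
        Console.WriteLine(Unprotect(keyB, blob));  // decrypts on the other machine
    }
}
```

Unlike the DPAPI user store, nothing here is tied to a Windows profile: whichever machine holds the certificate's private key can unwrap the master key, so protecting that private key becomes the key-management problem.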
omar, 11-17-2004
Thank you for your suggestion. However, it is Key Management that I am trying
to avoid. My problem is that I have followed the guide from Microsoft exactly
and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
cannot decrypt on another machine even though I am running under the same
profile as the How-To guide instructs. It seems like I am using the machine
store. I am sure I am using the User Store but the behaviour is that of a
user store.

"Hernan de Lahitte" wrote:

> Take a look at this MSDN Magazine article that describes a component that
> tackles this problem.
>
> http://msdn.microsoft.com/msdnmag/is...y/default.aspx
>
> However an alternate approach to solve this issue (actually a key management
> topic) might be something like this:
> 1) Create a session key (might be derived random entropy material)
> 2) Protect this key with asymmetric encryption (X509 Certificate installed on
> the app server that will do the encr/decr operations)
> 3) Store this key on a central store
> 4) All app servers will get this key, decrypt it with their local
> public/private key pair (provided by the X509 Cert) and proceed to use this
> master key to do the encryption/decryption operations.
>
>
> Hernan de Lahitte
> http://weblogs.asp.net/hernandl
>
>
> "omar" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > http://msdn.microsoft.com/library/de...SecNetHT09.asp
> >
> > I am following the above article to implement DPAPI User Store to
> > store Credit Card Info in my database.
> >
> > I am doing exactly what the article says. I can encrypt and decrypt
> > from the same machine but not from different machines... What I have
> > read is that if I have a roaming or a domain based user profile, I am
> > able to do that. I have created a domain account that my win services
> > on both machines and my COM+ components also on both machines use.
> > Still no cigar.
> >
> > Any ideas?

omar, 11-17-2004
Hernan, can you please elaborate some more on the X509 Certificate approach
you suggested? Are there any articles you can direct me to?

"Hernan de Lahitte" wrote:

> Take a look at this MSDN Magazine article that describes a component that
> tackles this problem.
>
> http://msdn.microsoft.com/msdnmag/is...y/default.aspx
>
> However an alternate approach to solve this issue (actually a key management
> topic) might be something like this:
> 1) Create a session key (might be derived random entropy material)
> 2) Protect this key with asymmetric encryption (X509 Certificate installed on
> the app server that will do the encr/decr operations)
> 3) Store this key on a central store
> 4) All app servers will get this key, decrypt it with their local
> public/private key pair (provided by the X509 Cert) and proceed to use this
> master key to do the encryption/decryption operations.
>
>
> Hernan de Lahitte
> http://weblogs.asp.net/hernandl
>
>
> "omar" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > http://msdn.microsoft.com/library/de...SecNetHT09.asp
> >
> > I am following the above article to implement DPAPI User Store to
> > store Credit Card Info in my database.
> >
> > I am doing exactly what the article says. I can encrypt and decrypt
> > from the same machine but not from different machines... What I have
> > read is that if I have a roaming or a domain based user profile, I am
> > able to do that. I have created a domain account that my win services
> > on both machines and my COM+ components also on both machines use.
> > Still no cigar.
> >
> > Any ideas?

Patricio Jutard, 11-17-2004
Are you using "exactly" the same Credentials? It's not the same to have
THISMACHINE\pjutard as MYDOMAIN\pjutard

Also be aware that in order to use the User Store, the User Profile must be
loaded, so if you are not logged in as the user but you are impersonating it in
a Windows Service you must be sure that the Profile exists; for this you
MUST log in at least once using this user's credentials.

Cheers,

Patricio Jutard

"omar" wrote:

> Thank you for your suggestion. However, it is Key Management that I am trying
> to avoid. My problem is that I have followed the guide from Microsoft exactly
> and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> cannot decrypt on another machine even though I am running under the same
> profile as the How-To guide instructs. It seems like I am using the machine
> store. I am sure I am using the User Store but the behaviour is that of a
> user store.

 
omar, 11-18-2004
Thank you Patricio. I am following the How-To guide to the letter except
that I am using a domain account so that I will be able to use that across
machines. So I am using one account with one password "domain/DPAPIAccount".
And as to your other question, yes, I did log on with the domain account and
a profile was created. Another thing I made sure is that when the service got
started it actually forced the Serviced Component to start too. Any other
suggestions?

"Patricio Jutard" wrote:

> Are you using "exactly" the same Credentials? It's not the same to have
> THISMACHINE\pjutard as MYDOMAIN\pjutard
>
> Also be aware that in order to use the User Store, the User Profile must be
> loaded, so if you are not logged in as the user but you are impersonating it in
> a Windows Service you must be sure that the Profile exists; for this you
> MUST log in at least once using this user's credentials.
>
> Cheers,
>
> Patricio Jutard
>
> "omar" wrote:
>
> > Thank you for your suggestion. However, it is Key Management that I am trying
> > to avoid. My problem is that I have followed the guide from Microsoft exactly
> > and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> > cannot decrypt on another machine even though I am running under the same
> > profile as the How-To guide instructs. It seems like I am using the machine
> > store. I am sure I am using the User Store but the behaviour is that of a
> > user store.

 
Patricio Jutard, 11-20-2004
Look at this extract from
http://msdn.microsoft.com/msdnmag/is...y/default.aspx :

"... to allow for encryption and decryption across multiple machines,
roaming profiles must be enabled..."

Maybe you should try roaming profiles...

Please keep me informed of your progress.

Cheers & good luck



"omar" wrote:

> Thank you Patricio. I am following the How-To guide to the letter except
> that I am using a domain account so that I will be able to use that across
> machines. So I am using one account with one password "domain/DPAPIAccount".
> And as to your other question, yes, I did log on with the domain account and
> a profile was created. Another thing I made sure is that when the service got
> started it actually forced the Serviced Component to start too. Any other
> suggestions?
>
> "Patricio Jutard" wrote:
>
> > Are you using "exactly" the same Credentials? It's not the same to have
> > THISMACHINE\pjutard as MYDOMAIN\pjutard
> >
> > Also be aware that in order to use the User Store, the User Profile must be
> > loaded, so if you are not logged in as the user but you are impersonating it in
> > a Windows Service you must be sure that the Profile exists; for this you
> > MUST log in at least once using this user's credentials.
> >
> > Cheers,
> >
> > Patricio Jutard
> >
> > "omar" wrote:
> >
> > > Thank you for your suggestion. However, it is Key Management that I am trying
> > > to avoid. My problem is that I have followed the guide from Microsoft exactly
> > > and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> > > cannot decrypt on another machine even though I am running under the same
> > > profile as the How-To guide instructs. It seems like I am using the machine
> > > store. I am sure I am using the User Store but the behaviour is that of a
> > > user store.

 