Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Size of Entropy with Dpapi Encrypted Connection String

Reply
Thread Tools

Size of Entropy with Dpapi Encrypted Connection String

 
 
Phil C.
Guest
Posts: n/a
 
      03-12-2005
Hi. I'm using the dpapi to encrypt a sql server connection string.
Strictly speaking
how many bytes of entropy am I supposed to use??

Phil Czapla
Boston, Massachusetts


 
Reply With Quote
 
 
 
 
WJ
Guest
Posts: n/a
 
      03-12-2005
16bytes


 
Reply With Quote
 
 
 
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      03-13-2005
Hello Phil C.,

you can pass in as much entropy as you want - understand - this only "seeds"
the key that is already used for DPAPI.



---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi. I'm using the dpapi to encrypt a sql server connection string.
> Strictly speaking
> how many bytes of entropy am I supposed to use??
> Phil Czapla
> Boston, Massachusetts




 
Reply With Quote
 
Phil Czapla
Guest
Posts: n/a
 
      03-13-2005


Thanks Dominick,

The reason I ask is that in the encrypting of
the binary aes key by the dpapi, it appeared I had problems
unless the binary entropy value was the same number of
bytes as the key. Thus I extrapolated this to suggest that
perhaps I'd have to count the number of characters is the connection
string and use that as the number of bytes for the connection string
entropy.


Phil

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 
Reply With Quote
 
Alek Davis
Guest
Posts: n/a
 
      03-15-2005
This does not sound right. Entropy can be any size (well, there may be
limitations, but for practical purposes it can be just about anything). I am
not sure I follow what you're saying. You said that you are encrypting a
Rijndael (or AES) key, but than you somehow linked it with connection
string. Where did the connection string come from? What is "the connection
string entropy?" Are you talking about initialization vector (IV) used with
Rijndael key by any chance? This value must be of specific size (related to
the key/encryption block size, normally 16 bytes). Could you clarify what
exactly you are doing?

Alek

"Phil Czapla" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>
>
> Thanks Dominick,
>
> The reason I ask is that in the encrypting of
> the binary aes key by the dpapi, it appeared I had problems
> unless the binary entropy value was the same number of
> bytes as the key. Thus I extrapolated this to suggest that
> perhaps I'd have to count the number of characters is the connection
> string and use that as the number of bytes for the connection string
> entropy.
>
>
> Phil
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!



 
Reply With Quote
 
charlestek
Guest
Posts: n/a
 
      03-15-2005


Alex,

I am doing TWO things with the dpapi.
I am decrypting my text encryption string, stored in my web config,
already encrypted by the dpapi once.
as well as decrypting a dpapi encrypted aes binary symmetric key stored
in the web config as well.

The connection string is used for my database access by the classes that
need it, and the symmetric key is used to encrypt and decrypt info in a
table in my database. Each encrypted row in my database has an IV for
that row stored as well.


For some reason, it Appeared that if I didn't use a binary entropy value
that was the same number of bytes as the symmetric aes binary key, I had
problems with encrypting/decrypting the symmetric aes binary key with
the dpapi.
That however could be coincidence, and I had some other bug
that was causing the problem.

In addition, now that I have the dpapi encrypted binary
aes key in my web config, when I use a class to encrypt and
decrypt some arbitrary text, I'm getting an invalid keysize
error upon decryption only. I forwarded the code about this particular
issue to Dominick recently.

If you read the MSDN documentation about the innards of the dpapi it is
hard for the lay person such as myself to understand the mathematics of
the entropy in the dpapi algorithm.

Phil

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 
Reply With Quote
 
Alek Davis
Guest
Posts: n/a
 
      03-15-2005
See inline.

"charlestek" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
>
> Alex,
>
> I am doing TWO things with the dpapi.
> I am decrypting my text encryption string, stored in my web config,
> already encrypted by the dpapi once.
> as well as decrypting a dpapi encrypted aes binary symmetric key stored
> in the web config as well.


So you have two values stored encrypted using DPAPI (in Web.config). OK, I
am with you.

> The connection string is used for my database access by the classes that
> need it, and the symmetric key is used to encrypt and decrypt info in a
> table in my database. Each encrypted row in my database has an IV for
> that row stored as well.


This does not seem to be relevant to your problem.

> For some reason, it Appeared that if I didn't use a binary entropy value
> that was the same number of bytes as the symmetric aes binary key, I had
> problems with encrypting/decrypting the symmetric aes binary key with
> the dpapi.
> That however could be coincidence, and I had some other bug
> that was causing the problem.


Yeah, the first statement does not make much sense. DPAPI entropy is totally
optional, and when used, the size of the entropy does not matter. You must
be doing something wrong.

> In addition, now that I have the dpapi encrypted binary
> aes key in my web config, when I use a class to encrypt and
> decrypt some arbitrary text, I'm getting an invalid keysize
> error upon decryption only. I forwarded the code about this particular
> issue to Dominick recently.


So you are saying that after you decrypt your key from Web.config (using
DPAPI with your misterious entropy), then this key (more specific, its size)
is corrupt, right? Well, it looks like you have a full bucket of issues
here. So after you decrypt the key, how many bytes (of the AES key) do you
get?

> If you read the MSDN documentation about the innards of the dpapi it is
> hard for the lay person such as myself to understand the mathematics of
> the entropy in the dpapi algorithm.


The thing is, you do not really need to understand the internals of DPAPI,
AES, etc. to be able to use them. Without looking at your code, this is what
I would suggest. Try to solve one problem at a time. I mean, forget about
Web.config and encryption for a moment and just make sure that you can
encrypt and decrypt data using DPAPI without corruption. Just make sure that
you encrypt a value, decrypt it and get the original data. There are lots of
samples online, e.g. http://www.obviex.com/samples/Dpapi.aspx. When this
works, try it with the Web.config file. Make sure that you can encrypt data
with DPAPI, store it in config file, get it back, decrypt it and get the
original value. One of the common porblems is the wrong character handling.
Since DPAPI - as any other encryption routine - operates on bytes and the
data you retrieve in Web.config is in string format, you must make sure that
you use the right encoding (e.g. UTF-8 and base64). I assume that you base64
encode encrypted data before storing it in Web.config. After you get this
working, then concentrate on encryption. I am not sure why you store the
encrypted key bytes. I mean how do you enter these bytes before you encrypt
them and store in Web.config? I suspect you are doing something silly here.
A common approach would be to use a password (passphrase) and derive the AES
key from this password. Since the password is a string it is easier to
operate. Anyway, just make sure that your key bytes, password, or whatever
you are gonna use, are the same before encryption with DPAPI and after.
Also make sure that you use the AES key correctly. There are also many
samples available, e.g. http://www.obviex.com/samples/Encryption.aspx.

> Phil
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!



 
Reply With Quote
 
charlestek
Guest
Posts: n/a
 
      03-16-2005


Alek,

The key is not corrupt, it will encrypt and
decrypt with the dpapi. It is when I decrypt a piece of text that has
been encrypted with aes using this key that I have the problem of an
error that says an improper keysize.

Please see:

http://users.rcn.com/charlestek/AesKey.zip
and
http://users.rcn.com/RindjaelTest.zip

Phil


*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 
Reply With Quote
 
charlestek
Guest
Posts: n/a
 
      03-17-2005
Correction:

The url of the second file in the previous message should be

http://users.rcn.com/charlestek/RindjaelTest.zip




*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
CPANEL Entropy Chat Script Insertion Vulnerability Au79 Computer Support 0 11-05-2005 05:32 AM
DpAPI Encrypted Aes Key Problems Phil C. ASP .Net Security 0 03-05-2005 05:51 PM
Using encrypted dB connection string Alek Davis ASP .Net 12 06-03-2004 06:20 PM
Foveon X3 sensor, entropy, and Bayer sensors William Wallace Digital Photography 30 01-29-2004 10:31 AM
DPAPI and connection string Kevin Cunningham ASP .Net Security 1 10-16-2003 06:04 PM



Advertisments