Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > DP API Security queries

Reply
Thread Tools

DP API Security queries

 
 
Sachin Chavan
Guest
Posts: n/a
 
      02-21-2006
Hi,

In my application, I am using a .net wrapper class (a dll) which internally
calls the Win32 DP API for encryption and decryption.

Now, my client has following queries:

1. Since the encryption Key is managed by Windows internally what is the
security of the Key used for encryption?

i.e. Microsoft can be able to access such keys and therefore, the
information is not secure.

2. What is the guarantee that the encrypted text thus generated won’t
contain characters not supported by xml. This may create problem, if they do
generate such characters, since we store them to web.config which is an xml
file.

And,

3. What is the guarantee that the encrypted text thus generated won’t
contain a double quote which denote end of the Value field in web.config. If
it generates one, you will have a bad xml file.


Please help me, I am stuck up with this issues.

Thanks,
Sachin R. Chavan.
 
Reply With Quote
 
 
 
 
Henning Krause [MVP]
Guest
Posts: n/a
 
      02-21-2006
Hi Aachin,

The encryption key is, as you said, maintained by Windows. Depending on the
scope you are using (I assume you use machine, since you are in an ASP.NET
application), any process on that machine can decrypt that value. Thats why
you can pass along an array of bytes for additional security.


The other two questions have one answer: Base64. Just convert the byte array
you get to a BASE64 string, and you will have no problem at all (use
Convert.ToBase64String() method).

Greetings,
Henning


"Sachin Chavan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> In my application, I am using a .net wrapper class (a dll) which
> internally
> calls the Win32 DP API for encryption and decryption.
>
> Now, my client has following queries:
>
> 1. Since the encryption Key is managed by Windows internally what is the
> security of the Key used for encryption?
>
> i.e. Microsoft can be able to access such keys and therefore, the
> information is not secure.
>
> 2. What is the guarantee that the encrypted text thus generated won't
> contain characters not supported by xml. This may create problem, if they
> do
> generate such characters, since we store them to web.config which is an
> xml
> file.
>
> And,
>
> 3. What is the guarantee that the encrypted text thus generated won't
> contain a double quote which denote end of the Value field in web.config.
> If
> it generates one, you will have a bad xml file.
>
>
> Please help me, I am stuck up with this issues.
>
> Thanks,
> Sachin R. Chavan.



 
Reply With Quote
 
 
 
 
Sachin Chavan
Guest
Posts: n/a
 
      02-21-2006
Hi Henning,

Thanks a lot for the info.

One more thing that I forget to mention was, I have already hard coded
additional entropy in my code while encrypting and decrypting the plain text.

So, this means that even Microsoft, even though they have the key wont be
able to decrypt the things right?

Thanks a lot once more for the quick reply.

Thanks,
Sachin Chavan.


"Henning Krause [MVP]" wrote:

> Hi Aachin,
>
> The encryption key is, as you said, maintained by Windows. Depending on the
> scope you are using (I assume you use machine, since you are in an ASP.NET
> application), any process on that machine can decrypt that value. Thats why
> you can pass along an array of bytes for additional security.
>
>
> The other two questions have one answer: Base64. Just convert the byte array
> you get to a BASE64 string, and you will have no problem at all (use
> Convert.ToBase64String() method).
>
> Greetings,
> Henning
>
>
> "Sachin Chavan" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > In my application, I am using a .net wrapper class (a dll) which
> > internally
> > calls the Win32 DP API for encryption and decryption.
> >
> > Now, my client has following queries:
> >
> > 1. Since the encryption Key is managed by Windows internally what is the
> > security of the Key used for encryption?
> >
> > i.e. Microsoft can be able to access such keys and therefore, the
> > information is not secure.
> >
> > 2. What is the guarantee that the encrypted text thus generated won't
> > contain characters not supported by xml. This may create problem, if they
> > do
> > generate such characters, since we store them to web.config which is an
> > xml
> > file.
> >
> > And,
> >
> > 3. What is the guarantee that the encrypted text thus generated won't
> > contain a double quote which denote end of the Value field in web.config.
> > If
> > it generates one, you will have a bad xml file.
> >
> >
> > Please help me, I am stuck up with this issues.
> >
> > Thanks,
> > Sachin R. Chavan.

>
>
>

 
Reply With Quote
 
Yuan Ren[MSFT]
Guest
Posts: n/a
 
      02-22-2006
Hi Sachin,

Thanks for posting!

>"this means that even Microsoft, even though they have the key wont be

able to decrypt the things right?"
Yes, you are correct. Actually, although the key is maintained by the
Windows system, this is impossible to get the key from system internal via
internet. If you still concern about this, your behavior is right
obviously. After hard coding something, even Microsoft can not decrypt the
thing.

Thanks for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
================================================== ====
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
================================================== ====
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
================================================== ====
This posting is provided "AS IS" with no warranties, and confers no rights.
================================================== ====

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Reuse of DB-API 2.0 cursors for multiple queries? moreati Python 1 01-28-2009 11:56 PM
xslt queries in xml to SQL queries Ian Roddis Python 3 02-26-2006 06:49 PM
General Queries on Java API Sameer Java 3 09-18-2005 05:12 PM
Quoting sql queries with the DB-API snacktime Python 2 01-24-2005 02:44 AM
so many queries within queries I'm confused Abby Lee ASP General 11 08-06-2004 07:56 PM



Advertisments