DP API Security queries

[Sachin Chavan]

Hi,

In my application, I am using a .net wrapper class (a dll) which internally
calls the Win32 DP API for encryption and decryption.

Now, my client has following queries:

1. Since the encryption Key is managed by Windows internally what is the
security of the Key used for encryption?

i.e. Microsoft can be able to access such keys and therefore, the
information is not secure.

2. What is the guarantee that the encrypted text thus generated won’t
contain characters not supported by xml. This may create problem, if they do
generate such characters, since we store them to web.config which is an xml
file.

And,

3. What is the guarantee that the encrypted text thus generated won’t
contain a double quote which denote end of the Value field in web.config. If
it generates one, you will have a bad xml file.


Please help me, I am stuck up with this issues.

Thanks,
Sachin R. Chavan.

 

[Henning Krause [MVP]]

Hi Aachin,

The encryption key is, as you said, maintained by Windows. Depending on the
scope you are using (I assume you use machine, since you are in an ASP.NET
application), any process on that machine can decrypt that value. Thats why
you can pass along an array of bytes for additional security.


The other two questions have one answer: Base64. Just convert the byte array
you get to a BASE64 string, and you will have no problem at all (use
Convert.ToBase64String() method).

Greetings,
Henning

 

[Sachin Chavan]

Hi Henning,

Thanks a lot for the info.

One more thing that I forget to mention was, I have already hard coded
additional entropy in my code while encrypting and decrypting the plain text.

So, this means that even Microsoft, even though they have the key wont be
able to decrypt the things right?

Thanks a lot once more for the quick reply.

Thanks,
Sachin Chavan.

 

[Yuan Ren[MSFT]]

Hi Sachin,

Thanks for posting!

"this means that even Microsoft, even though they have the key wont be

able to decrypt the things right?"
Yes, you are correct. Actually, although the key is maintained by the
Windows system, this is impossible to get the key from system internal via
internet. If you still concern about this, your behavior is right
obviously. After hard coding something, even Microsoft can not decrypt the
thing.

Thanks for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================