Carl Franklin

.NET Wonk

I love DPAPI

If you went to DevDays 2004 then you know about DPAPI. This is part of the CryptoAPI that didn't make it into the .NET Framework. The nice folks at Vertigo Software wrote a nifty VB.NET managed code wrapper around DPAPI because it's so dang hard to use directly. They make it freakin easy to encrypt and decrypt strings without having to manage keys.

I extracted the DPAPI class from IssueVision (the reference application Vertigo wrote for Microsoft just for DevDays 2004) and turned it into a DLL assembly. Then I wrote a test harness application that encrypts and decrypts a string in a text box. The encrypted string is written to a file. I also used Matt Griffith's awesome .NET Utilities DLL to do some hi-res timing on the code. Using this test harness I was able to decrypt a 1.8MB string in about 365 ms on a 2.6GHz P4 with 1GB RAM. Not bad.

DPAPI uses the user's credentials plus entropy (extra data you add to the mix) both to create the encrypted result and to decrypt the ciphertext. Pretty slick. Anyway, you can download the dpapi assembly and test harness pruned and ready to go right here. Thanks Vertigo!
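The credentials-plus-entropy behavior described above, as an added example that is not part of the original post or of the Vertigo wrapper: it calls the `System.Security.Cryptography.ProtectedData` class that shipped in later .NET Framework versions (2.0 onward) instead of the IssueVision DPAPI class. The module name, sample string, entropy values and temp-file name are constructed for illustration.

```vb
Imports System
Imports System.IO
Imports System.Security.Cryptography   ' ProtectedData lives in System.Security.dll
Imports System.Text

Module DpapiEntropyDemo   ' hypothetical name, not from IssueVision

    ' Encrypt a string for the current Windows user. DPAPI derives the key from
    ' the user's credentials; the entropy bytes are mixed in as extra input.
    Function ProtectString(plain As String, entropy As Byte()) As Byte()
        Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
        Try
            Return ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser)
        Finally
            Array.Clear(data, 0, data.Length)   ' do not leave plaintext bytes behind
        End Try
    End Function

    ' Returns Nothing when DPAPI refuses to decrypt (different user profile,
    ' different entropy, or a damaged blob) instead of letting the exception escape.
    Function TryUnprotectString(blob As Byte(), entropy As Byte()) As String
        Try
            Dim data As Byte() = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(data)
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample values: the entropy is an application-chosen byte
        ' string that must be supplied again, unchanged, at decrypt time.
        Dim entropy As Byte() = Encoding.UTF8.GetBytes("MyApp.ConnString.v1")
        Dim secret As String = "Server=db01;User Id=app;Password=example"

        ' Write the ciphertext to a file, as the test harness in the post does.
        Dim blobFile As String = Path.Combine(Path.GetTempPath(), "dpapi-demo.bin")
        File.WriteAllBytes(blobFile, ProtectString(secret, entropy))
        Dim stored As Byte() = File.ReadAllBytes(blobFile)

        ' Same user and same entropy: the original string comes back.
        Console.WriteLine("Round trip ok: {0}", TryUnprotectString(stored, entropy) = secret)

        ' Same user, different entropy: DPAPI rejects the blob.
        Dim wrongEntropy As Byte() = Encoding.UTF8.GetBytes("OtherApp")
        Console.WriteLine("Wrong entropy rejected: {0}", TryUnprotectString(stored, wrongEntropy) Is Nothing)

        File.Delete(blobFile)
    End Sub
End Module
```

Switching the scope to `DataProtectionScope.LocalMachine` ties the blob to the machine instead of the user, so any account on that machine that supplies the same entropy can decrypt it.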

Comments

Marshall Brooke said:

Hey Carl,

This may also be of interest to those who didn't catch it, it's a full Crypto suite.

http://weblogs.asp.net/hernandl/archive/2004/03/08/85884.aspx

Also, whilst we're on the topic, I'm surprised I don't hear more mention of the SSL TCP Library from Mentalis http://www.mentalis.org/soft/projects/seclib/. It's completely free and enables seamless SSL socket level transmission. It's written in C#, but since it has no GPL, a man of your VB stature may have a sudden late night desire to re-write it in VB. Look forward to the next show, only I can't hear it live as I'm in the UK and my wife has effectively banned computer use at night.
# March 18, 2004 4:42 AM

Don Kiely said:

There have also been wrappers in both VB.NET and C# for a long time on GotDotNet. Go to www.gotdotnet.com and search for DPAPI in the user samples. Pretty nice, and seem to be functionally similar to the Vertigo samples.

Look for an article on DPAPI in an upcoming issue of Advisor's VB.NET/Access magazine.
# March 18, 2004 2:05 PM

Carl Franklin said:

Awesome. Thanks, Don.
# March 18, 2004 2:14 PM

TrackBack said:

You have been Taken Out! Comments about your posting in this link. Thanks!
# March 18, 2004 11:06 PM

Jason Nadal said:

Interesting thing is that it looks like there's a DPAPI provider made for you in the machine.config in whidbey... very cool...
# March 19, 2004 10:28 AM

Kevin said:

I have gone through the "How to Use DPAPI (user store) from ASP.Net with Enterprise services"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp

...But my sample asp.net and windows form app both give me the same "Access is denied" when I run the encrypt button logic. It actually is bombing on the creation. (dim x as dataprotectorcomp = new dataprotectorcomp)

Any ideas????
# May 21, 2004 6:14 PM

Bill B said:

It was suggested by another developer that we could use DPAPI to encrypt our connection strings for WinForms applications that are either installed on a local PC or run through the URL.

After reviewing the code and using the examples it looks to me that DPAPI is not a good solution for this as the decryption will only work for the same user and/or machine that created the decrypted information. This makes sense in an ASP.NET app but not in a WinForms app. Am I correct or just missing something?
# July 6, 2004 7:34 PM

TrackBack said:

Encrypting Data in Cookies and Session Variables
# December 9, 2004 9:54 AM
