A Blog for Graymad

this one in VB.NET: 

If you went to DevDays 2004 then you know about DP-API. This is part of the CryptoAPI that didn't make it into the .NET Framework. The nice folks at Vertigo Software wrote a nifty VB.NET managed code wrapper around DPAPI because it's so dang hard to use directly. They make it freakin easy to encrypt and decrypt strings without having to manage keys.

I extracted the DPAPI class from IssueVision (the reference application Vertigo wrote for Microsoft just for DevDays 2004) and turned it into a DLL assembly. Then I wrote a test harness application that encrypts and decrypts a string in a text box. The encrypted string is written to a file. I also used Matt Griffith's awesome .NET Utilities DLL to do some hi-res timing on the code. Using this test harness I was able to decrypt a 1.8MB string in about 365 ms on a 2.6GHz P4 with 1GB RAM. Not bad.

DPAPI makes use of the user's credentials and an entropy (extra data you add to the mix) to create the encrypted result and decrypt the ciphertext. Pretty slick. Anyway, you can download the dpapi assembly and test harness pruned and ready to go right here. Thanks Vertigo!

[Carl Franklin]

I just finished up my first week of doing MSDN security briefings for Microsoft. I had a great time with the audiences in Albany, NY and Staten Island, NY. Both audiences were very attentive and asked some great questions. I’m looking forward to this week’s talks in Roanoke, VA, and Charlottesville, VA on Tuesday and Thursday of this week. So if you’re in those areas, and want to learn more about what you can do as a developer to create more secure applications, sign up, and come on down!

Coincidentally, I noticed that my fellow ASPInsider, Paul Glavich, has cobbled together a managed wrapper library for using DPAPI from within managed code. DPAPI is a Win32 encryption library that’s included with later versions of Windows, and we demonstrate using it for encrypting connection strings in the second of the two sessions I give. Here’s Paul’s announcement:

I have written a DPAPI Managed wrapper that was pretty much taken from MSDN examples and had some extra functions added for ease of use (EncryptString, DecryptString). It uses an attribute mechanism to sandbox calls to the unmanaged functions/libraries.

The library can be found here, including full source code.

No big deal but it works well, nothing fancy, although there are rumours it can grow back amputated limbs, however I cannot confirm or deny this... ;-)

[Paul Glavich] 

I haven’t used Paul’s library, but I know that DPAPI is a great tool for encrypting those secrets that you have to store (rule #1 of secrets…don’t store a secret if you don’t have to), so you may want to take a look.

More upcoming events I’ll be presenting in this series:

3/22 – Akron, OH
3/25 – Butler, PA (Pittsburgh area)
4/13 – Uniondale, NY
4/15 – Rochester, NY
4/20 – Pensacola, FL
4/22 – Fort Walton Beach, FL
4/27 – Portland, ME
4/29 – Bangor, ME
5/11 – Cumberland, MD
5/12 – Hagerstown, MD
5/13 – Baltimore, MD
5/18 – Richmond, VA
5/19 – Norfolk, VA
6/1 – Allentown, PA
6/2 – North Brunswick, NJ

I’ll get links up for the later events as soon as they’re available…if you’re in one of those areas, please sign up and spend the afternoon learning about developer security.

Ever wanted the definitive answer on just exactly how MSDE limits performance and scalability? Well, you’re in luck, as Microsoft has now published a whitepaper describing how the governor in MSDE works. The short version is that the governor stalls connections for a few milliseconds on each logical read or write, once the limit of more than eight concurrent operations has been reached. The connection limit for MSDE is the same as for a standard SQL Server instance (32,767), but obviously the more concurrent connections, the more likely you are to reach the limit of 8 concurrent operations that triggers the workload governor. Read the paper for all the juicy details, including specifics on physical vs. logical reads/writes, and how/when the governor is activated. Good stuff.

[via the VSDATA Team blog]

UPDATE: It looks like the original link is no longer valid. I'm not sure if it's exactly the same whitepaper, but another discussion of the MSDE 2000 workload governor can be found here.

…in VS 7, from Min Park:

http://weblogs.asp.net/mkpark/articles/86872.aspx

Posting for later search. J

Make sure to check out the Birds of a Feather (BoF) sessions, which are being run by INETA:

More info at:

http://www.ineta.org/bof/

and

http://geekswithblogs.net/evjen/archive/2004/03/08/2636.aspx

Just want to say “thank you” to all the folks who came out to the Ronald Reagan building in Washington, DC to see the DevDays presentations today. I had a great time presenting, along with my buddy Anil, and like Anil, I definitely got the impression that folks got a lot out of the talks. Thanks also to Justin Damelin, the local Microsoft Developer Evangelist who was responsible for coordinating the event with the speakers, and all of the other great folks who made the event (IMHO) a great success. Now I can’t wait for the next one. J