LANGUAGES: All .NET Languages
ASP.NET VERSIONS: 1.0 | 1.1
Getting to a User Profile without the User
Jumping through DPAPI Hoops
By Don Kiely
Over the last few iterations of this troubleshooting column, I've explored a solution to one of the most difficult, yet most critical, elements of Web application development: encrypting data while storing keys securely. It's far too easy to write an app that is full of security holes, but the Windows Data Protection API (DPAPI) provides the infrastructure to securely store keys. The official Microsoft line is that DPAPI is available to any application in Windows 2000 and later, but for ASP.NET applications you must jump through a few hoops to obtain the highest level of security.
The problem is that DPAPI derives its keys from the user's password (or from some other credential supplied by an alternative authentication method, such as a smart card or a biometric technique). This means you must have a loaded user profile in order to use the DPAPI user store, and the user's profile is available only once that user has logged onto the computer. This is far from an optimal situation for server applications! Moreover, the problem isn't specific to ASP.NET; any server application will have the same problem.
One option is to use the DPAPI machine store instead. This provides equally strong encryption, but it means one of two things: either every application on that server can decrypt the data, or you must supply additional entropy (an arbitrary salt value) so that the encryption key is specific to your application. But then you are back to the original problem: the salt is itself a secret, and you must protect the salt used by each application.
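The following is an added example (not the code that accompanies this article) contrasting the DPAPI machine store with and without application entropy, and the user store that the service-hosted COM+ tier would call. It assumes the managed `System.Security.Cryptography.ProtectedData` wrapper from .NET 2.0 or later; on the .NET 1.x versions this article targets, the same calls are made through P/Invoke to `CryptProtectData`, and the sample secret and entropy values are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the article's download code. Windows only: DPAPI is
// backed by the machine and per-user master keys held by the OS.
static class DpapiStores
{
    // Constructed sample values for the demonstration.
    static readonly byte[] Secret  = Encoding.UTF8.GetBytes("db-password-example");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("per-app-entropy-KEEP-SECRET");

    // Machine store, no entropy: any process on this machine can call
    // Unprotect successfully. Strong crypto, but no isolation between apps.
    public static byte[] ProtectMachineNoEntropy(byte[] data) =>
        ProtectedData.Protect(data, null, DataProtectionScope.LocalMachine);

    // Machine store with entropy: a caller must present the same entropy,
    // so the entropy becomes a secret the app has to protect (the article's point).
    public static byte[] ProtectMachineWithEntropy(byte[] data, byte[] entropy) =>
        ProtectedData.Protect(data, entropy, DataProtectionScope.LocalMachine);

    // User store: bound to the calling account's loaded profile. This is the
    // call the COM+ component hosted by the Windows service would make.
    public static byte[] ProtectUserStore(byte[] data) =>
        ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);

    static void Main()
    {
        byte[] blob = ProtectMachineWithEntropy(Secret, Entropy);

        // Correct entropy round-trips the secret.
        byte[] ok = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        Console.WriteLine("With entropy: " + Encoding.UTF8.GetString(ok));

        // Missing (or wrong) entropy fails: another application on the same
        // machine cannot read the blob without the secret entropy value.
        try
        {
            ProtectedData.Unprotect(blob, null, DataProtectionScope.LocalMachine);
            Console.WriteLine("Unexpected: unprotect succeeded without entropy");
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Without entropy: failed as expected (" + e.Message + ")");
        }
    }
}
```

Run it under two different local accounts to see the difference between the scopes: the `LocalMachine` blob decrypts for both (given the entropy), while a `CurrentUser` blob decrypts only under the account whose profile produced it.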
So for the best security, you must figure out a way to make a user profile available to your ASP.NET application without requiring a user to be logged onto the server. Let me tell you, this ain't easy! When I first tackled this problem, every solution I came up with fell short in some way. I finally found the solution in the Microsoft Patterns & Practices book Building Secure ASP.NET Applications (which you can download as a PDF file from MSDN). The book has a how-to section called "Use DPAPI (User Store) from ASP.NET with Enterprise Services." The solution described there is what a friend of mine would call a goat rope; others might call it a Rube Goldberg machine. But if you need secure encryption from an ASP.NET application, this is the way to go.
The solution involves adding a couple of tiers to your application. It boils down to creating a Windows service that loads a COM+ (Enterprise Services) component, which your ASP.NET application then calls to perform the encryption. Because the service runs under a dedicated account, the COM+ component is loaded with that account's user profile, and so has access to the DPAPI user store, without requiring anyone to be logged onto the server interactively. It's pretty ugly, but it works nicely. The code accompanying this article includes a simple implementation of the ideas discussed in the book. You'll need to read the how-to section carefully, as well as the readme included with the code, to get it all set up and working.
DPAPI is a great addition to Windows. Despite some of the minor difficulties in working with it, it can help keep your data safe and secure.
The files accompanying this article are available for download.
Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].