Meet the Data Protection API

Encrypt your .NET data in a few simple steps.

Don Kiely

October 30, 2009


Troubleshooting Tips

LANGUAGES: All .NET Languages

ASP.NET VERSIONS: 1.0 | 1.1

In the last installment of this column (see Encryption Made (Sort of) Easy) I examined a short example of encrypting and decrypting data using the .NET Framework. While the System.Security.Cryptography namespace has some powerful features that implement some of the best algorithms available, it is still way too hard. But what's hardest of all is that it provides very little support for key management. Cryptography is based on keeping secrets secret. This means that if you're using symmetric cryptographic techniques you have to share the secret - the key - securely. And if you're using public/private key pairs, you still have to keep your private key private. With spyware and viruses invading systems every day, how do you even keep stuff on your local machine secure?

Microsoft's answer is to let the operating system take care of it for you, and with Windows 2000 they introduced the Data Protection API (DPAPI). DPAPI is part of the Crypto API implemented in Crypt32.dll, available with all installations of Windows 2000 and later. (There were some minor changes to the API after Windows 2000, so test your code on all the platforms where it will run.) That means that you don't even have to include the DLLs when you use it in your app, whether it is a server-based Web or a desktop app. The API uses TripleDES encryption and strong keys, which Windows takes care of further encrypting and storing within a user's profile. DPAPI isn't part of the .NET Framework, but it is simple to use from there and you can easily include it in .NET apps.

While DPAPI encrypts data, the real value of using it in applications is that it securely stores the critical secret of encryption - your private key - while making it available to your applications. You can keep the keys in either of two stores on a local machine: the user store or the machine store. The user store is more secure, but the machine store is more easily used from server applications like ASP.NET.

I'll talk more about how to use these stores in upcoming installments of this column, but let's start by looking at how the DPAPI process of encrypting data works. Your application - a desktop or Web app - starts with a piece of data that it needs to protect. Your code calls the DPAPI and passes the data to it. Remember that you're calling DPAPI on the local machine, so you don't have to transmit the data across any network, not even a local intranet. DPAPI passes your data to the Local Security Authority (LSA), which turns around and calls back into the DPAPI to actually encrypt the data. DPAPI then passes the encrypted data back to your application for whatever use you need to put it to.

Why the intermediate step to use the LSA? The LSA is a system process that manages much of the Windows security infrastructure, and passing the data through it allows security auditing, among other services provided by the LSA.
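
To make the call flow above concrete, here is an added example (not from this article, and not code from Microsoft) that calls DPAPI from C# through P/Invoke into Crypt32.dll and exposes the user store / machine store choice from the earlier paragraph as a flag. The Dpapi class, the "app secret" description string and the optional entropy parameter are my own additions; it assumes it runs on Windows.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Hypothetical wrapper (not from the article): P/Invoke into Crypt32.dll's CryptProtectData/CryptUnprotectData.
public static class Dpapi
{
    [StructLayout(LayoutKind.Sequential)]
    struct DATA_BLOB { public int cbData; public IntPtr pbData; }
    const uint CRYPTPROTECT_UI_FORBIDDEN = 0x1;  // never show a prompt; mandatory for services and ASP.NET
    const uint CRYPTPROTECT_LOCAL_MACHINE = 0x4; // machine store: any account on the box can then decrypt
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr, ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved, IntPtr pPromptStruct, uint dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr, ref DATA_BLOB pOptionalEntropy,
        IntPtr pvReserved, IntPtr pPromptStruct, uint dwFlags, ref DATA_BLOB pDataOut);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);
    // Encrypt under the calling user's profile keys, or under the machine keys when machineStore is true.
    public static byte[] Protect(byte[] plain, byte[] entropy, bool machineStore) =>
        Call(true, plain, entropy, CRYPTPROTECT_UI_FORBIDDEN | (machineStore ? CRYPTPROTECT_LOCAL_MACHINE : 0));
    // The blob records which store produced it, so only the entropy has to match on the way back.
    public static byte[] Unprotect(byte[] blob, byte[] entropy) =>
        Call(false, blob, entropy, CRYPTPROTECT_UI_FORBIDDEN);
    static byte[] Call(bool protect, byte[] input, byte[] entropy, uint flags)
    {
        var inBlob = new DATA_BLOB { cbData = input.Length, pbData = Marshal.AllocHGlobal(input.Length) };
        var entBlob = new DATA_BLOB { cbData = entropy.Length, pbData = Marshal.AllocHGlobal(entropy.Length) };
        var outBlob = new DATA_BLOB();
        try
        {
            Marshal.Copy(input, 0, inBlob.pbData, input.Length);
            Marshal.Copy(entropy, 0, entBlob.pbData, entropy.Length);
            bool ok = protect
                ? CryptProtectData(ref inBlob, "app secret", ref entBlob, IntPtr.Zero, IntPtr.Zero, flags, ref outBlob)
                : CryptUnprotectData(ref inBlob, IntPtr.Zero, ref entBlob, IntPtr.Zero, IntPtr.Zero, flags, ref outBlob);
            if (!ok) throw new Win32Exception(Marshal.GetLastWin32Error()); // wrong user, wrong entropy, tampered blob
            var result = new byte[outBlob.cbData];
            Marshal.Copy(outBlob.pbData, result, 0, outBlob.cbData);
            return result;
        }
        finally
        {
            Marshal.FreeHGlobal(inBlob.pbData);
            Marshal.FreeHGlobal(entBlob.pbData);
            if (outBlob.pbData != IntPtr.Zero) LocalFree(outBlob.pbData); // DPAPI allocates the output with LocalAlloc
        }
    }
}
```

A blob written with the user store can only be opened by the same Windows account, so Unprotect from any other account fails with a Win32Exception rather than returning bad data; with the machine store the entropy value is the only thing separating your application's secrets from every other process on that machine.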

 

In the next installment I'll show you how to call and use the DPAPI in an application to securely encrypt data.

Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, Alaska. E-mail him at mailto:[email protected].