Data Encryption and Decryption using DPAPI classes in .NET

Home » Article » .Netframework Article » Data Encryption and Decryption using DPAPI classes in .NET Submit Articles and Win Geeky Prizes!!

You are not logged in.

	Search

	Sponsors

	Technologies
	ASP.Net C# ASP.Net AJAX IIS .NetFramework Webservices ADO Sql Server Reporting Services Directory Services Windows Clustering Javascript Sharepoint Services

	CodeDigest Navigation
	Home Register Login Article Guidelines Submit Article Support Us Admin

	Technology News
	No News Feeds available at this time.

	Community News
	No News Feeds available at this time.

Data Encryption and Decryption using DPAPI classes in .NET

By Balamurali Balaji
Posted On Apr 16,2008

Article Rating: (Login)


Be first to rate this article.

No of Comments: 3

Category: .Netframework


Print this article.

Data Encryption and Decryption using DPAPI classes in .NET

This article explains how to use the ProtectMemory and ProtectData classes in System.Security.Cryptography namespace to encrypt and decrypt data by calling wrappers around DPAPI methods.

Introduction

Data Protection API (DPAPI) is a security encryption module introduced in Windows 2000 and is included with the later versions of Windows to provide cryptographic features like key management, to secure user credentials. This is a service that is provided by the operating system and does not require additional libraries. It provides encryption for sensitive data in memory.

DPAPI generates two keys: a key for the user credential, and a master key. It also uses random session key when you call CryptProtectData. Combine with all these keys, data is protected. When you change the password, DPAPI will hook up to the password change event and does the re-encryption whole again. DPAPI works at both the machine-level and user-level encryption access scenarios.

In .NET 2.0 and later versions, a set of wrapper classes have been introduced to encrypt data by simple means using the current user account or computer accessing DPAPI. You need not have to use the P/Invoke to work with the DPAPI methods and the encryption-decryption is not just limited to user credentials.

ProtectedMemory

The ProtectedMemory class may be used to encrypt an array of in-memory bytes. This functionality is available in Microsoft Windows XP and later operating systems. You can specify that memory encrypted by the current process can be decrypted by the current process only, by all processes, or from the same user context. The MemoryProtectionScope enumeration is available for this purpose.

To perform encryption and decryption of data stored in-memory, you may use the methods Protect and UnProtect methods.

Example:

To demonstrate this, create a new console application and add reference to System.Security.dll. In the program.cs, add the following code:

static void Main(string[] args)

{

byte[] myData = new byte[32];

System.Text.ASCIIEncoding ae = new ASCIIEncoding();

// Protecting and Un-protecting data in memory

Console.Write("Enter some text: ");

string text = Console.ReadLine();

if (text.Length < myData.Length)

text = text.PadRight(myData.Length, ' ');

else

text = text.Substring(0,myData.Length);

myData = ae.GetBytes(text);

Console.WriteLine("Before protection: {0}", ae.GetString(myData));

System.Security.Cryptography.ProtectedMemory.Protect(myData, System.Security.Cryptography.MemoryProtectionScope.SameProcess);

Console.WriteLine("After protection: {0}", ae.GetString(myData));

System.Security.Cryptography.ProtectedMemory.Unprotect(myData, System.Security.Cryptography.MemoryProtectionScope.SameProcess);

Console.WriteLine("After un-protection: {0}", ae.GetString(myData));

}

Similar Articles

ListView Control with LINQ to SQL Class– Part 2

Posted on 10/6/2008 @ 8:44 AM By Satheesh Babu

Using Logging application Block Enterprise library 4.0 - Step By Step

Posted on 10/3/2008 @ 9:27 AM By Shiv koi

How to format DateTime in GridView BoundColumn and TemplateColumn?

Posted on 9/25/2008 @ 10:13 AM By Satheesh Babu

ListView Control with LINQ to SQL Class – Part 1

Posted on 9/23/2008 @ 8:05 AM By Satheesh Babu

GridView with RadioButton – Select One at a Time

Posted on 9/21/2008 @ 1:58 AM By Bala Murugan

Both the Protect and UnProtect methods takes the input data only in multiples of 16 bytes. In the above program, the maximum length of the data to be encrypted in 32 bytes; if the user enters data more or less, the entered text is trimmed and padded with white spaces accordingly. Below is the output displaying both the encrypted and decrypted data you entered on the console.

Output:

ProtectedData

The ProtectedData class provides access to the Data Protection API (DPAPI) available in Microsoft Windows 2000 and later operating systems. This is a service that is provided by the operating system and does not require additional libraries. It provides protection using the user or machine credentials to protect or unprotect data.

The class consists of two wrappers for the unmanaged DPAPI, Protect and Unprotect. These two methods can be used to protect and unprotect data such as passwords, keys, and connection strings.

Example:

To demonstrate the usage of ProtectedData class, in the Main method, add the following code:

byte[] myEntropy = { 1, 2, 3, 4, 5, 6 };

byte[] protectedData = System.Security.Cryptography.ProtectedData.Protect(myData, myEntropy, System.Security.Cryptography.DataProtectionScope.CurrentUser);

Console.WriteLine("After data protection: {0}", ae.GetString(protectedData));

byte[] unprotectedData = System.Security.Cryptography.ProtectedData.Unprotect(protectedData, myEntropy, System.Security.Cryptography.DataProtectionScope.CurrentUser);

Console.WriteLine("After un-protection: {0}", ae.GetString(unprotectedData));

In the above code, both the Protect and UnProtect methods use the optionalEntropy parameter that provides additional information stored as a byte array to encrypt and decrypt data. This would give more protection over your data.

Output:

Summary:

The ProtectMemory and ProtectData classes comes in handy for encrypting and decrypting any data on the fly and you need not have to rely on any algorithms. It uses the Windows Operating System’s DPAPI security module and can be implemented across the applications, users and machines. Its real potential lays in its application in the distributed computing which is not the scope of the article.

Article Feedback

Title
Submitted By
Comment

Comments

DPAPI on the network

I need the ability to protect and un-protect a connection string in my config file on a Windows Forms application using VS2005. I am using Click Once Deployment to a server from which a user will install the applicaiton on their PC. From everything I have read, this cannot be done using DPAPI. Am I correct? If I am not correct, then how can it be done? If I am correct, what method of encryption should I use?

Commented By Greyhound on 7/23/2008 @ 11:43 AM

Hi, DPAPI works at both the machine and user level. I have mentioned this in the Introduction section. For example, In a networked environment, once you protect a password or config file specifying the scope as machine or user, un-protection would effect only at the particular machine and user. Otherwise, encryption and decryption must be available to all the machines/users especially when you have a option of storing the protected data in a file. I have not illustrated this in this article, as I felt to write about the simple use of ProtectMemory and ProtectData classes and I do not have a network to test the same. -Balamurali Balaji

Commented By Balamurali Balaji on 4/19/2008 @ 6:55 AM

Not portable

You should mention that data encrypted on one machine and decrypted on another will not work. This only works on a single machine and is meant for encrypting/decrypting the config file to hide a password.

Commented By pb on 4/19/2008 @ 5:16 AM