Hi. I'm using the dpapi to encrypt a sql server connection string.
Strictly speaking
how many bytes of entropy am I supposed to use??

Phil Czapla
Boston, Massachusetts

16bytes

Hello Phil C.,

you can pass in as much entropy as you want - understand - this only "seeds"
the key that is already used for DPAPI.



---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

[quoted text, click to view]

Thanks Dominick,

The reason I ask is that in the encrypting of
the binary aes key by the dpapi, it appeared I had problems
unless the binary entropy value was the same number of
bytes as the key. Thus I extrapolated this to suggest that
perhaps I'd have to count the number of characters is the connection
string and use that as the number of bytes for the connection string
entropy.


Phil

*** Sent via Developersdex http://www.developersdex.com ***

This does not sound right. Entropy can be any size (well, there may be
limitations, but for practical purposes it can be just about anything). I am
not sure I follow what you're saying. You said that you are encrypting a
Rijndael (or AES) key, but than you somehow linked it with connection
string. Where did the connection string come from? What is "the connection
string entropy?" Are you talking about initialization vector (IV) used with
Rijndael key by any chance? This value must be of specific size (related to
the key/encryption block size, normally 16 bytes). Could you clarify what
exactly you are doing?

Alek

[quoted text, click to view]

Alex,

I am doing TWO things with the dpapi.
I am decrypting my text encryption string, stored in my web config,
already encrypted by the dpapi once.
as well as decrypting a dpapi encrypted aes binary symmetric key stored
in the web config as well.

The connection string is used for my database access by the classes that
need it, and the symmetric key is used to encrypt and decrypt info in a
table in my database. Each encrypted row in my database has an IV for
that row stored as well.


For some reason, it Appeared that if I didn't use a binary entropy value
that was the same number of bytes as the symmetric aes binary key, I had
problems with encrypting/decrypting the symmetric aes binary key with
the dpapi.
That however could be coincidence, and I had some other bug
that was causing the problem.

In addition, now that I have the dpapi encrypted binary
aes key in my web config, when I use a class to encrypt and
decrypt some arbitrary text, I'm getting an invalid keysize
error upon decryption only. I forwarded the code about this particular
issue to Dominick recently.

If you read the MSDN documentation about the innards of the dpapi it is
hard for the lay person such as myself to understand the mathematics of
the entropy in the dpapi algorithm.

Phil

*** Sent via Developersdex http://www.developersdex.com ***

See inline.

[quoted text, click to view]

So you have two values stored encrypted using DPAPI (in Web.config). OK, I
am with you.

[quoted text, click to view]

This does not seem to be relevant to your problem.

[quoted text, click to view]

Yeah, the first statement does not make much sense. DPAPI entropy is totally
optional, and when used, the size of the entropy does not matter. You must
be doing something wrong.

[quoted text, click to view]

So you are saying that after you decrypt your key from Web.config (using
DPAPI with your misterious entropy), then this key (more specific, its size)
is corrupt, right? Well, it looks like you have a full bucket of issues
here. So after you decrypt the key, how many bytes (of the AES key) do you
get?

[quoted text, click to view]

The thing is, you do not really need to understand the internals of DPAPI,
AES, etc. to be able to use them. Without looking at your code, this is what
I would suggest. Try to solve one problem at a time. I mean, forget about
Web.config and encryption for a moment and just make sure that you can
encrypt and decrypt data using DPAPI without corruption. Just make sure that
you encrypt a value, decrypt it and get the original data. There are lots of
samples online, e.g. http://www.obviex.com/samples/Dpapi.aspx. When this
works, try it with the Web.config file. Make sure that you can encrypt data
with DPAPI, store it in config file, get it back, decrypt it and get the
original value. One of the common porblems is the wrong character handling.
Since DPAPI - as any other encryption routine - operates on bytes and the
data you retrieve in Web.config is in string format, you must make sure that
you use the right encoding (e.g. UTF-8 and base64). I assume that you base64
encode encrypted data before storing it in Web.config. After you get this
working, then concentrate on encryption. I am not sure why you store the
encrypted key bytes. I mean how do you enter these bytes before you encrypt
them and store in Web.config? I suspect you are doing something silly here.
A common approach would be to use a password (passphrase) and derive the AES
key from this password. Since the password is a string it is easier to
operate. Anyway, just make sure that your key bytes, password, or whatever
you are gonna use, are the same before encryption with DPAPI and after.
Also make sure that you use the AES key correctly. There are also many
samples available, e.g. http://www.obviex.com/samples/Encryption.aspx.

[quoted text, click to view]

Alek,

The key is not corrupt, it will encrypt and
decrypt with the dpapi. It is when I decrypt a piece of text that has
been encrypted with aes using this key that I have the problem of an
error that says an improper keysize.

Please see:

http://users.rcn.com/charlestek/AesKey.zip
and
http://users.rcn.com/RindjaelTest.zip

Phil


*** Sent via Developersdex http://www.developersdex.com ***

Correction:

The url of the second file in the previous message should be

http://users.rcn.com/charlestek/RindjaelTest.zip




*** Sent via Developersdex http://www.developersdex.com ***