Encryption Question



We have some .dlls that we have written that use config files to store
configuration information such as usernames and passwords. In a previous
posting I asked for some suggestions for encrypting the passwords. Someone
suggested DPAPI and after some research this sounded like a good idea. After
implementing this solution I find that there is a problem. DPAPI decryption
is user based. The password that is stored in the config file is only
decrypted correctly if the person running the application is the same person
who encrypted it. This works fine for simple apps. However in my case the
.dlls that I've written could be called by an application, a web service or a
Windows service, all of which may be running under the context of a different
user account.

Now that I realize this, I think DPAPI is the wrong choice. Can anyone
offer a suggestion of a simpler method of encryption? FYI: The passwords
that I'm storing aren't admin passwords. They are usually just domain accounts
that have rights for certain directories.




DPAPI offers a number of encryption mechanisms. The one you are using
is EncryptData, which uses the default encryption algorithm in conjunction
with the user's master key to make a user-specific cipher.

However, DPAPI also allows you to run the encryption algorithms manually.
So just use ICryptoTransform and a CryptoStream in
System.Security.Cryptography and you can just cipher using a key and
some entropy bytes.

MSDN has a good example of using CryptoStream.
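The CryptoStream approach suggested in the reply above, as an added example that is not part of the original thread or of MSDN: a config value is encrypted with AES under a caller-supplied key, so decryption no longer depends on which user account runs the .dll. The class and method names are hypothetical, and the key and password in `Main` are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class ConfigSecret   // hypothetical name, added example
{
    // AES-CBC via CryptoStream; returns Base64(IV || ciphertext).
    public static string Encrypt(string plaintext, byte[] key)
    {
        using (Aes aes = Aes.Create())
        using (var ms = new MemoryStream())
        {
            aes.Key = key;      // 16, 24 or 32 bytes, shared by every caller
            aes.GenerateIV();   // fresh random IV for each stored value
            ms.Write(aes.IV, 0, aes.IV.Length);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (var cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plaintext);
                cs.Write(data, 0, data.Length);
            }   // disposing the CryptoStream writes the final padded block
            return Convert.ToBase64String(ms.ToArray());
        }
    }

    // Splits the stored value back into IV and ciphertext, then decrypts.
    public static string Decrypt(string stored, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(stored);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            using (var ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (var cs = new CryptoStream(ms, dec, CryptoStreamMode.Read))
            using (var reader = new StreamReader(cs, Encoding.UTF8))
                return reader.ReadToEnd();
        }
    }
    public static void Main()
    {
        byte[] key = new byte[32];  // constructed demo key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        Console.WriteLine(Decrypt(Encrypt("constructed-password", key), key));
    }
}
```

With this scheme the key becomes the secret: any account that can read it can decrypt the config value, so it needs its own protection, for example a file ACL limited to the service accounts. CBC on its own does not detect tampering with the stored value.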
