Managed DPAPI Part II: ProtectedMemory

re: Managed DPAPI Part II: ProtectedMemory

Michael Giagnocavo — Tue, 18 May 2004 01:07:00 GMT

Does windows make a lot of use of this? A concern I have that I see no end-user workaround is: What if an attacker shuts off my machine by pulling the power, and then steals the machine? Will they be able to gain access to any of the DPAPI protected things (since the pagefile won't be cleared like it is on a nice shutdown)?

re: Managed DPAPI Part II: ProtectedMemory

Shawn — Tue, 18 May 2004 02:46:00 GMT

I'm not sure how much Windows uses CryptProtectMemory internally, Michael Howard's blog might be a better place to find that out (http://blogs.msdn.com/michael_howard). As to your other concern, that threat is mitigated by the fact that data protected by CryptProtectMemory (and hence ProtectedMemory), cannot be decrypted across boots of Windows. The reason for this is that the base key is regenerated every time Windows boots up. Even if the attacker could get the encrypted data out of the swap file, they'd be unable to use CryptUnprotectMemory to decrypt it. They would also be unable to fool your app into calling CryptUnprotectMemory to decrypt the data.

Making Strings More Secure

.Net Security Blog — Fri, 28 May 2004 03:09:00 GMT

SecureString, Ahhh something new in Whidbey !!!

Vinod Kumar's Blog — Thu, 08 Jul 2004 06:32:00 GMT

Data Protection API (DPAPI)

Rule's Roost — Tue, 03 Aug 2004 23:46:00 GMT

Data Protection API (DPAPI)

Rule's Roost — Tue, 03 Aug 2004 23:47:00 GMT

Authentication in web services with HttpWebRequest

Buck Hodges — Mon, 10 Apr 2006 15:43:47 GMT

Hatteras has three tiers: client, middle, and data.&nbsp; The middle tier is an ASP.NET web service on...

.NET 2.0 posts

Nam, Seungho's Blog — Fri, 15 Sep 2006 09:14:14 GMT

Anoymous method
http://www.theserverside.net/tt/articles/showarticle.tss?id=AnonymousMethods
Generic...

Securing Connection string

Nam, Seungho's Blog — Wed, 01 Nov 2006 09:52:35 GMT

http://msdn2.microsoft.com/en-us/library/aa302406.aspx http://blogs.msdn.com/shawnfa/archive/2004/05/17/133650.asp

re: Managed DPAPI Part II: ProtectedMemory

Kurt — Mon, 05 Feb 2007 12:19:07 GMT

I use WindowsIdentity.Impersonate() to log on as a different user and protect data.

And ProtectedData.Protect() raises CryptographicException "The system can not find the file specified". What can that mean?

Same protection code is used when crypting by current user, and that goes ok.

re: Managed DPAPI Part II: ProtectedMemory

shawnfa — Tue, 20 Feb 2007 22:23:45 GMT

Hi Kurt,

DPAPI stores information in the user's profile, so in order to use it when you've impersonated another user you'll need to ensure that their entire profile is loaded. You can do this by calling LoadUserProfile after you've called LogonUser.

-Shawn

re: Managed DPAPI Part II: ProtectedMemory

Kevin — Thu, 03 May 2007 11:04:23 GMT

I get the same error as Kurt when I use Impersonate() on a web page (C#):

this.Context.Request.LogonUserIdentity.Impersonate();

return Convert.ToBase64String(ProtectedData.Protect(Encoding.UTF8.GetBytes(unencrypted), null, DataProtectionScope.CurrentUser));

If this problem is caused by the same issue as Kurt, how can I load the user profile from the web page

re: Managed DPAPI Part II: ProtectedMemory

shawnfa — Mon, 07 May 2007 21:32:46 GMT

Hi Kevin,

You can use the LoadUserProfile API to force the user's profile to be loaded.

-Shawn

SecureString in NET v1.1

Hernan de Lahitte's blog — Thu, 23 Apr 2009 14:50:26 GMT

Every time you need to store sensitive data your first thought use to be encryption. You probably gather