Data Encryption and Decryption using DPAPI classes in .NET


Posted Date: 11 Apr 2008    Resource Type: Articles    Category: WCF/Webservices

Posted By: Balamurali Balaji       Member Level: Diamond
Rating:     Points: 15



Introduction



Data Protection API (DPAPI) is an encryption service introduced in Windows 2000 and included in all later versions of Windows. Its job is key management: an application hands DPAPI the bytes to protect, and the operating system generates, stores and protects the keys, so nothing beyond the OS itself is required. It was designed to secure user credentials, but it can protect any small blob of data. DPAPI keeps a random master key for each user, stored encrypted under a key derived from the user's logon password (machine-scope protection uses a machine master key instead), and every call to CryptProtectData derives a fresh session key from that master key and a random salt. The protected blob records which master key was used, so it can be unprotected later by the same user (or, for machine scope, on the same machine). When the user changes the password, DPAPI hooks the password-change event and re-encrypts the master key under the new password; data that was already protected stays valid and does not have to be re-encrypted. DPAPI covers both user-scope and machine-scope protection, and a related function, CryptProtectMemory, encrypts data while a process holds it in memory.

In .NET Framework 2.0 and later, System.Security.dll adds two wrapper classes in the System.Security.Cryptography namespace, ProtectedData and ProtectedMemory, that call DPAPI under the current user account or the machine account. You do not need P/Invoke to reach the DPAPI functions, and what you protect is not limited to user credentials: any byte array will do.


ProtectedMemory



The ProtectedMemory class encrypts an array of bytes in place while the process holds it in memory. The underlying function (CryptProtectMemory) is available on Windows XP and later, and the class itself exists only in the .NET Framework. You choose, through the MemoryProtectionScope enumeration, who may decrypt the buffer: SameProcess (only the process that protected it), CrossProcess (any process on the machine) or SameLogon (any process in the same logon session). The key behind the encryption is held by the operating system and is not persisted, so ProtectedMemory is for data that lives in RAM (a password the process needs again later, a session key), not for data that is written to disk or sent to another machine. It also does not defend against code running inside the same process, which can call Unprotect exactly as the application does.

To encrypt and decrypt data held in memory, use the Protect and Unprotect methods. Both take the buffer and a MemoryProtectionScope, and both modify the buffer in place.

Example:

To demonstrate this, create a new console application and add a reference to System.Security.dll. In Program.cs, add the following code:



using System;
using System.Security.Cryptography;
using System.Text;

class Program
{
    static void Main(string[] args)
    {
        // ProtectedMemory works in place and needs a buffer whose length is a multiple of 16 bytes
        byte[] myData = new byte[32];
        ASCIIEncoding ae = new ASCIIEncoding();
        // Protecting and un-protecting data in memory
        Console.Write("Enter some text: ");
        string text = Console.ReadLine() ?? string.Empty;
        // Force the input to exactly 32 bytes: pad short input with spaces, cut long input
        if (text.Length < myData.Length)
            text = text.PadRight(myData.Length, ' ');
        else
            text = text.Substring(0, myData.Length);
        myData = ae.GetBytes(text);
        Console.WriteLine("Before protection: {0}", ae.GetString(myData));
        ProtectedMemory.Protect(myData, MemoryProtectionScope.SameProcess);
        // The ciphertext is binary; bytes outside ASCII print as '?'
        Console.WriteLine("After protection: {0}", ae.GetString(myData));
        ProtectedMemory.Unprotect(myData, MemoryProtectionScope.SameProcess);
        Console.WriteLine("After un-protection: {0}", ae.GetString(myData));
    }
}



Both Protect and Unprotect accept input only in multiples of 16 bytes; any other length is rejected with a CryptographicException. In the program above the maximum length of the data to be encrypted is 32 bytes; if the user enters more or less, the entered text is trimmed or padded with spaces accordingly (a real program would record the original length instead, because the padding is otherwise indistinguishable from data). Below is the output showing the buffer before encryption, after encryption and after decryption. The question marks are ciphertext bytes outside the ASCII range that ASCIIEncoding.GetString cannot display; the encrypted buffer is binary and is still 32 bytes long, so printing it this way is lossy and is done here only to show that the contents changed.

Output:



Enter some text: Hello,World!
Before protection: Hello,World!
After protection: pX?oT??nQ?[?????
After un-protection: Hello,World!
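The in-place behaviour shown above is easier to use safely when it is wrapped so that the plaintext is exposed only for as long as it is needed. The following is an added example, not code from the article: a hypothetical InMemorySecret class (the name and API are my own) that pads the input to the 16-byte boundary while remembering the real length, keeps the bytes encrypted with SameProcess scope between uses, and re-protects them in a finally block so that an exception in the caller never leaves the secret in the clear. The sample token is constructed for the demo. It needs the .NET Framework on Windows with a reference to System.Security.dll, since ProtectedMemory is not available in .NET Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not the article's code): holds a secret encrypted in this process's memory
// and exposes the plaintext only inside a callback, re-encrypting it as soon as the callback returns.
sealed class InMemorySecret : IDisposable
{
    const int BlockSize = 16;          // CryptProtectMemory works on 16-byte blocks
    readonly byte[] _buffer;           // ciphertext between uses, padded to a multiple of 16
    readonly int _length;              // real secret length, so padding is never handed to the caller

    public InMemorySecret(byte[] plaintext)
    {
        _length = plaintext.Length;
        int padded = ((_length + BlockSize - 1) / BlockSize) * BlockSize;   // round up: 13 -> 16, 32 -> 32
        _buffer = new byte[padded];                                         // zero-padded, unlike the space padding above
        Buffer.BlockCopy(plaintext, 0, _buffer, 0, _length);
        Array.Clear(plaintext, 0, plaintext.Length);                        // do not leave a second plaintext copy behind
        ProtectedMemory.Protect(_buffer, MemoryProtectionScope.SameProcess);
    }

    // Decrypts in place, gives the caller a copy of exactly _length bytes, then re-protects
    // in a finally block so an exception in 'use' cannot leave the buffer in the clear.
    public T Use<T>(Func<byte[], T> use)
    {
        ProtectedMemory.Unprotect(_buffer, MemoryProtectionScope.SameProcess);
        try
        {
            byte[] clear = new byte[_length];
            Buffer.BlockCopy(_buffer, 0, clear, 0, _length);
            try { return use(clear); }
            finally { Array.Clear(clear, 0, clear.Length); }   // wipe the temporary copy
        }
        finally
        {
            ProtectedMemory.Protect(_buffer, MemoryProtectionScope.SameProcess);
        }
    }

    public void Dispose()
    {
        Array.Clear(_buffer, 0, _buffer.Length);   // wipe the ciphertext too once the secret is no longer needed
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample secret: 13 bytes, so the helper pads it to one 16-byte block.
        byte[] apiKey = Encoding.UTF8.GetBytes("s3cr3t-t0ken!");

        using (InMemorySecret secret = new InMemorySecret(apiKey))
        {
            // The constructor wiped the caller's array, so only the protected copy remains.
            Console.WriteLine("Caller's array after wrapping: {0}", BitConverter.ToString(apiKey));

            int seen = secret.Use(bytes =>
            {
                Console.WriteLine("Inside Use: {0}", Encoding.UTF8.GetString(bytes));
                return bytes.Length;   // the real length, not the padded buffer length
            });
            Console.WriteLine("Bytes handed to the callback: {0}", seen);
        }

        // What the padding in the constructor avoids: an unaligned buffer is rejected outright.
        try
        {
            ProtectedMemory.Protect(new byte[13], MemoryProtectionScope.SameProcess);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Unaligned buffer rejected: {0}", ex.Message);
        }
    }
}
```

The wrapper protects against the cases ProtectedMemory is meant for, such as a memory dump or another process reading the buffer while it sits idle. It does nothing against code injected into the same process, which can call Unprotect with SameProcess scope just as the class does; that is a property of the API, not of the wrapper.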

ProtectedData



The ProtectedData class provides access to the DPAPI functions available in Windows 2000 and later. The service is provided by the operating system and needs no additional libraries. It protects data under either the user's credentials (DataProtectionScope.CurrentUser) or the machine's (DataProtectionScope.LocalMachine): a CurrentUser blob can be unprotected only by the same Windows user account, while a LocalMachine blob can be unprotected by any process running on that computer, whichever user it runs as.

The class exposes two static methods, Protect and Unprotect, which wrap the unmanaged CryptProtectData and CryptUnprotectData. Unlike ProtectedMemory, they return a new byte array rather than working in place, the protected blob is larger than the input (it carries the master key reference, the salt and an integrity check), and the input does not have to be a multiple of 16 bytes. These methods suit data such as passwords, keys and connection strings that must survive a restart of the process.

Example:

To demonstrate the ProtectedData class, add the following code at the end of the Main method above (after the ProtectedMemory calls, so that myData holds the plaintext again):


// Optional entropy: a second secret that must be supplied again, unchanged, to Unprotect.
// A constant compiled into the program, as here, is for illustration only (see the note below).
byte[] myEntropy = { 1, 2, 3, 4, 5, 6 };
byte[] protectedData = System.Security.Cryptography.ProtectedData.Protect(myData, myEntropy, System.Security.Cryptography.DataProtectionScope.CurrentUser);
// The DPAPI blob is binary and longer than the input; printing it as ASCII is lossy
Console.WriteLine("After data protection: {0}", ae.GetString(protectedData));
byte[] unprotectedData = System.Security.Cryptography.ProtectedData.Unprotect(protectedData, myEntropy, System.Security.Cryptography.DataProtectionScope.CurrentUser);
Console.WriteLine("After un-protection: {0}", ae.GetString(unprotectedData));



In the code above both Protect and Unprotect receive the optionalEntropy parameter, a byte array that DPAPI mixes into the key derivation. Whatever entropy was used to protect the data must be supplied again, byte for byte, to unprotect it; with different entropy Unprotect throws a CryptographicException rather than returning garbage. Entropy therefore acts as a second secret on top of the user or machine key, but it only adds protection when it is kept out of reach of the attacker you are worried about. A constant array compiled into the program, as in this example, is readable by anyone who can open the binary, so it separates your data only from other programs that did not bother to use it. Entropy matters most with DataProtectionScope.LocalMachine, since there every process on the machine can otherwise unprotect the blob; storing the entropy in a separate file or registry key with a tight ACL is the usual answer.

Output:



Enter some text: Hello,World!
After data protection: ? ?????§???z ?O???? ?6&???hD???? @O? ? ?f ?
? F?w_?)????$???¦? ?? ? ? ?????z??Q ??8?oG? ????$??#$C\???¦D??kp??
¶ ?,??Gn?\|@???zUO????
After un-protection: Hello,World!
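A DPAPI blob is binary, so for anything beyond a console demonstration it has to be stored as bytes or Base64 rather than decoded as text, and the entropy should be random and stored separately from the blob. The following is an added example, not part of the original article: a hypothetical SecretStore helper (my own name) that protects a constructed connection string with ProtectedData, writes the Base64 blob to one file and the random entropy to a second, reads both back, and shows that Unprotect with the wrong entropy fails with a CryptographicException instead of returning bad data. The file names under the temp directory are assumptions. It runs on Windows with either the .NET Framework (reference System.Security.dll) or .NET Core/.NET 5+ with the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not the article's code: the DPAPI blob goes to one file as Base64 and the
// random entropy to a second file, so a copy of either file alone is not enough to recover the secret.
static class SecretStore
{
    const int EntropyBytes = 32;

    public static void Save(string blobPath, string entropyPath, string secret, DataProtectionScope scope)
    {
        byte[] entropy = new byte[EntropyBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(entropy);                               // random per secret, not a constant in the binary

        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        byte[] blob = ProtectedData.Protect(plaintext, entropy, scope);
        Array.Clear(plaintext, 0, plaintext.Length);

        File.WriteAllText(blobPath, Convert.ToBase64String(blob));   // Base64: the blob is binary, never treat it as text
        File.WriteAllBytes(entropyPath, entropy);                    // in a real deployment, ACL this file tightly
    }

    public static string Load(string blobPath, string entropyPath, DataProtectionScope scope)
    {
        byte[] blob = Convert.FromBase64String(File.ReadAllText(blobPath));
        byte[] entropy = File.ReadAllBytes(entropyPath);
        byte[] clear = ProtectedData.Unprotect(blob, entropy, scope);   // throws CryptographicException on wrong entropy
        try { return Encoding.UTF8.GetString(clear); }
        finally { Array.Clear(clear, 0, clear.Length); }
    }
}

class Demo
{
    static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "dpapi-demo");   // assumed location
        Directory.CreateDirectory(dir);
        string blobFile = Path.Combine(dir, "conn.dpapi");
        string entropyFile = Path.Combine(dir, "conn.entropy");
        string wrongEntropyFile = Path.Combine(dir, "wrong.entropy");

        // Constructed sample secret.
        const string connectionString = "Server=db01;User Id=app;Password=Hunter2!";

        SecretStore.Save(blobFile, entropyFile, connectionString, DataProtectionScope.CurrentUser);
        Console.WriteLine("Blob size on disk: {0} bytes (input was {1} bytes)",
            Convert.FromBase64String(File.ReadAllText(blobFile)).Length, connectionString.Length);

        string roundTrip = SecretStore.Load(blobFile, entropyFile, DataProtectionScope.CurrentUser);
        Console.WriteLine("Round trip matches: {0}", roundTrip == connectionString);

        // Wrong entropy: DPAPI's integrity check fails and Unprotect throws; it does not return garbage.
        File.WriteAllBytes(wrongEntropyFile, new byte[EntropyBytesForDemo]);
        try
        {
            SecretStore.Load(blobFile, wrongEntropyFile, DataProtectionScope.CurrentUser);
            Console.WriteLine("Unexpected: unprotected with the wrong entropy");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Wrong entropy rejected: {0}", ex.Message);
        }
    }

    const int EntropyBytesForDemo = 32;   // same size as the real entropy, but all zeros
}
```

Note that the scope argument matters at Protect time: a LocalMachine blob can be read back by any account on the computer, so in that case the entropy file is the only thing keeping one application's secret from another, and its ACL is what makes the scheme work. The blob also cannot be moved to another computer; DPAPI is for secrets at rest on the machine that created them.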

Summary:



The ProtectedMemory and ProtectedData classes come in handy for encrypting and decrypting data on the fly without choosing algorithms or managing keys yourself; both rely on the Windows operating system's DPAPI. Keep the scope in mind when you use them: a ProtectedMemory buffer is only meaningful inside the process (or logon session) that protected it, a ProtectedData blob protected with CurrentUser can be unprotected only by the same user account, and one protected with LocalMachine only on the same computer. DPAPI is therefore a way to keep secrets at rest on a single machine, not a way to exchange encrypted data between machines; for that you still need a shared or asymmetric key, which DPAPI can in turn protect locally.



