omar #1
DPAPI User Store Does Not Work as advertised
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp[/url]
I am following the above article to implement DPAPI User Store to
store Credit Card Info in my database.
I am doing exactly what the article says. I can encrypt and decrypt
from the same machine but not from different machines... What I have
read is that if I have a roaming or a domain based user profile, I am
able to do that. I have created a domain account that my win services
on both machines and my COM+ components also on both machines use.
Still no cigar.
Any ideas?
-
Hernan de Lahitte #2
Re: DPAPI User Store Does Not Work as advertised
Take a look at this MSDN Magazine article that describes a component that
tackles this problem.
[url]http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx[/url]
However an alternate approach to solve this issue (actually a key management
topic) might be something like this:
1) Create a session key (might be derived random entropy material)
2) Protect this key with asymmetric encryption (X509 Certificate installed on
the app server that will do the encr/decr operations)
3) Store this key on a central store
4) All app servers will get this key, decrypt it with their local
public/private key pair (provided by the X509 Cert) and proceed to use this
master key to do the encryption/decryption operations.
Hernan de Lahitte
[url]http://weblogs.asp.net/hernandl[/url]
"omar" <osaleh@usapsys.com> wrote in message
news:c8d161a5.0411161713.5eb27fbd@posting.google.com...
> [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp[/url]
>
> I am following the above article to implement DPAPI User Store to
> store Credit Card Info in my database.
>
> I am doing exactly what the article says. I can encrypt and decrypt
> from the same machine but not from different machines... What I have
> read is that if I have a roaming or a domain based user profile, I am
> able to do that. I have created a domain account that my win services
> on both machines and my COM+ components also on both machines use.
> Still no cigar.
>
> Any ideas?
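Hernan's four steps, written out as an added C# example. This is my own illustration, not code from the MSDN article, the CryptoUtility component or the poster's project. It assumes .NET 8 or later, generates a throwaway self-signed RSA certificate in-process to stand in for the X509 certificate that would be installed (with its private key) on every app server, and uses AES-GCM for the bulk encryption, which the post does not specify. The hypothetical `MasterKeyEnvelope` class covers steps 1, 2 and 4; the "central store" of step 3 is simply the `wrapped` byte array that a real deployment would persist in a database or file share. The card record is a constructed sample string.

```csharp
// Added example of the envelope (master key) approach described above.
// Assumptions: .NET 8+ and System.Security.Cryptography only; no DPAPI involved.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class MasterKeyEnvelope
{
    private const int NonceSize = 12; // AES-GCM nonce size in bytes
    private const int TagSize = 16;   // AES-GCM authentication tag size in bytes

    // Step 1: a random 256-bit master key from the OS CSPRNG.
    public static byte[] CreateMasterKey() => RandomNumberGenerator.GetBytes(32);

    // Step 2: wrap the master key with the certificate's RSA public key (OAEP/SHA-256).
    // Only this wrapped blob goes to the central store; it is useless without a private key.
    public static byte[] WrapMasterKey(byte[] masterKey, X509Certificate2 cert)
    {
        using RSA rsa = cert.GetRSAPublicKey()
            ?? throw new CryptographicException("certificate does not carry an RSA key");
        return rsa.Encrypt(masterKey, RSAEncryptionPadding.OaepSHA256);
    }

    // Step 4: each app server unwraps the blob with the private key installed locally.
    public static byte[] UnwrapMasterKey(byte[] wrapped, X509Certificate2 cert)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new CryptographicException("private key is not present on this server");
        return rsa.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA256);
    }

    // Bulk encryption under the master key. Output layout: nonce || ciphertext || tag.
    public static byte[] Encrypt(byte[] masterKey, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // never reuse a nonce with the same key
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(masterKey, TagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        byte[] blob = new byte[NonceSize + ciphertext.Length + TagSize];
        nonce.CopyTo(blob, 0);
        ciphertext.CopyTo(blob, NonceSize);
        tag.CopyTo(blob, NonceSize + ciphertext.Length);
        return blob;
    }

    public static byte[] Decrypt(byte[] masterKey, byte[] blob)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("blob is too short to contain nonce and tag");
        var nonce = blob.AsSpan(0, NonceSize);
        var tag = blob.AsSpan(blob.Length - TagSize, TagSize);
        var ciphertext = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(masterKey, TagSize);
        aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws CryptographicException if tampered
        return plaintext;
    }
}

public static class Demo
{
    // Stand-in for the certificate installed on each app server. In production you would
    // load it from the machine certificate store rather than generate it here.
    private static X509Certificate2 MakeServerCert()
    {
        using RSA rsa = RSA.Create(3072);
        var req = new CertificateRequest("CN=AppServerKeyEncryptionKey (example)", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        X509Certificate2 serverCert = MakeServerCert();

        // "Server A": steps 1-3, generate the master key, wrap it, publish the wrapped blob.
        byte[] masterKey = MasterKeyEnvelope.CreateMasterKey();
        byte[] wrapped = MasterKeyEnvelope.WrapMasterKey(masterKey, serverCert);
        byte[] record = MasterKeyEnvelope.Encrypt(masterKey,
            Encoding.UTF8.GetBytes("constructed sample card record"));

        // "Server B": step 4, fetch the wrapped blob, unwrap with its own private key, decrypt.
        byte[] recovered = MasterKeyEnvelope.UnwrapMasterKey(wrapped, serverCert);
        string plain = Encoding.UTF8.GetString(MasterKeyEnvelope.Decrypt(recovered, record));
        Console.WriteLine(plain);

        CryptographicOperations.ZeroMemory(masterKey);
        CryptographicOperations.ZeroMemory(recovered);
    }
}
```

The point of the layout is that nothing machine-specific crosses the wire: the wrapped master key and the encrypted records can live in any shared store, and the only secret each app server needs locally is the certificate's private key, which replaces the per-user DPAPI master key that the original question depends on. If you prefer one certificate per server rather than one shared certificate, wrap the same master key once per server public key and store all the wrapped copies; rotating the master key then means re-wrapping it, not re-encrypting every record, as long as records carry a key identifier.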
-
omar #3
Re: DPAPI User Store Does Not Work as advertised
Thank you for your suggestion. However, it is Key Management that I am trying
to avoid. My problem is that I have followed the guide from Microsoft exactly
and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
cannot decrypt on another machine even though I am running under the same
profile as the How-To guide instructs. It seems like I am using the machine
store. I am sure I am using the User Store but the behaviour is that of a
user store.
"Hernan de Lahitte" wrote:
> Take a look at this MSDN Magazine article that describes a component that
> tackles this problem.
>
> [url]http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx[/url]
>
> However an alternate approach to solve this issue (actually a key management
> topic) might be something like this:
> 1) Create a session key (might be derived random entropy material)
> 2) Protect this key with asymmetric encryption (X509 Certificate installed on
> the app server that will do the encr/decr operations)
> 3) Store this key on a central store
> 4) All app servers will get this key, decrypt it with their local
> public/private key pair (provided by the X509 Cert) and proceed to use this
> master key to do the encryption/decryption operations.
>
>
> Hernan de Lahitte
> [url]http://weblogs.asp.net/hernandl[/url]
>
>
> "omar" <osaleh@usapsys.com> wrote in message
> news:c8d161a5.0411161713.5eb27fbd@posting.google.com...
> > [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp[/url]
> >
> > I am following the above article to implement DPAPI User Store to
> > store Credit Card Info in my database.
> >
> > I am doing exactly what the article says. I can encrypt and decrypt
> > from the same machine but not from different machines... What I have
> > read is that if I have a roaming or a domain based user profile, I am
> > able to do that. I have created a domain account that my win services
> > on both machines and my COM+ components also on both machines use.
> > Still no cigar.
> >
> > Any ideas?
-
omar #4
Re: DPAPI User Store Does Not Work as advertised
Hernan, can you please elaborate some more on the X509 Certificate approach
you suggested? Are there any articles you can direct me to?
"Hernan de Lahitte" wrote:
> Take a look at this MSDN Magazine article that describes a component that
> tackles this problem.
>
> [url]http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx[/url]
>
> However an alternate approach to solve this issue (actually a key management
> topic) might be something like this:
> 1) Create a session key (might be derived random entropy material)
> 2) Protect this key with asymmetric encryption (X509 Certificate installed on
> the app server that will do the encr/decr operations)
> 3) Store this key on a central store
> 4) All app servers will get this key, decrypt it with their local
> public/private key pair (provided by the X509 Cert) and proceed to use this
> master key to do the encryption/decryption operations.
>
>
> Hernan de Lahitte
> [url]http://weblogs.asp.net/hernandl[/url]
>
>
> "omar" <osaleh@usapsys.com> wrote in message
> news:c8d161a5.0411161713.5eb27fbd@posting.google.com...
> > [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp[/url]
> >
> > I am following the above article to implement DPAPI User Store to
> > store Credit Card Info in my database.
> >
> > I am doing exactly what the article says. I can encrypt and decrypt
> > from the same machine but not from different machines... What I have
> > read is that if I have a roaming or a domain based user profile, I am
> > able to do that. I have created a domain account that my win services
> > on both machines and my COM+ components also on both machines use.
> > Still no cigar.
> >
> > Any ideas?
-
Patricio Jutard #5
Re: DPAPI User Store Does Not Work as advertised
Are you using "exactly" the same Credentials? It's not the same to have
THISMACHINE\pjutard as MYDOMAIN\pjutard.
Also be aware that in order to use the User Store, the User Profile must be
loaded, so if you are not logged in as the user but you are impersonating it in
a Windows Service you must be sure that the Profile exists; for this you
MUST log in at least once using this user's credentials.
Cheers,
Patricio Jutard
"omar" wrote:
> Thank you for your suggestion. However, it is Key Management that I am trying
> to avoid. My problem is that I have followed the guide from Microsoft exactly
> and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> cannot decrypt on another machine even though I am running under the same
> profile as the How-To guide instructs. It seems like I am using the machine
> store. I am sure I am using the User Store but the behaviour is that of a
> user store.
-
omar #6
Re: DPAPI User Store Does Not Work as advertised
Thank you Patricio. I am following the How-To guide to the letter except
that I am using a domain account so that I will be able to use that across
machines. So I am using one account with one password "domain/DPAPIAccount".
And as to your other question, yes, I did log on with the domain account and
a profile was created. Another thing I made sure is that when the service got
started it actually forced the Serviced Component to start too. Any other
suggestions?
"Patricio Jutard" wrote:
> Are you using "exactly" the same Credentials? It's not the same to have
> THISMACHINE\pjutard as MYDOMAIN\pjutard.
>
> Also be aware that in order to use the User Store, the User Profile must be
> loaded, so if you are not logged in as the user but you are impersonating it in
> a Windows Service you must be sure that the Profile exists; for this you
> MUST log in at least once using this user's credentials.
>
> Cheers,
>
> Patricio Jutard
>
> "omar" wrote:
> > Thank you for your suggestion. However, it is Key Management that I am trying
> > to avoid. My problem is that I have followed the guide from Microsoft exactly
> > and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> > cannot decrypt on another machine even though I am running under the same
> > profile as the How-To guide instructs. It seems like I am using the machine
> > store. I am sure I am using the User Store but the behaviour is that of a
> > user store.
-
Patricio Jutard #7
Re: DPAPI User Store Does Not Work as advertised
Look at this extract from
[url]http://msdn.microsoft.com/msdnmag/issues/04/11/CryptoUtility/default.aspx[/url] :
"... to allow for encryption and decryption across multiple machines,
roaming profiles must be enabled..."
Maybe you should try roaming profiles...
Please keep me informed of your progress.
Cheers & good luck
"omar" wrote:
> Thank you Patricio. I am following the How-To guide to the letter except
> that I am using a domain account so that I will be able to use that across
> machines. So I am using one account with one password "domain/DPAPIAccount".
> And as to your other question, yes, I did log on with the domain account and
> a profile was created. Another thing I made sure is that when the service got
> started it actually forced the Serviced Component to start too. Any other
> suggestions?
>
> "Patricio Jutard" wrote:
> > Are you using "exactly" the same Credentials? It's not the same to have
> > THISMACHINE\pjutard as MYDOMAIN\pjutard.
> >
> > Also be aware that in order to use the User Store, the User Profile must be
> > loaded, so if you are not logged in as the user but you are impersonating it in
> > a Windows Service you must be sure that the Profile exists; for this you
> > MUST log in at least once using this user's credentials.
> >
> > Cheers,
> >
> > Patricio Jutard
> >
> > "omar" wrote:
> > > Thank you for your suggestion. However, it is Key Management that I am trying
> > > to avoid. My problem is that I have followed the guide from Microsoft exactly
> > > and I can encrypt and decrypt, however, whatever I encrypt on one machine, I
> > > cannot decrypt on another machine even though I am running under the same
> > > profile as the How-To guide instructs. It seems like I am using the machine
> > > store. I am sure I am using the User Store but the behaviour is that of a
> > > user store.