What's wrong with my encryption function?

"egypteg***@gmail.com" wrote:

I'm trying to use the ProtectedData class to store encrypted data in isolated storage but something seems to be wrong. If I call the class twice with the same string I get a different encrypted value each time. Here's my encryption method:

    // Needs "using System.Text;" for Encoding; on .NET Framework 2.0,
    // ProtectedData also requires a reference to System.Security.dll.
    private static string EncryptString(string Input)
    {
        byte[] ClearBytes = null;
        byte[] EncryptedBytes = null;

        ClearBytes = Encoding.UTF8.GetBytes(Input);
        EncryptedBytes =
            System.Security.Cryptography.ProtectedData.Protect(ClearBytes, null,
                System.Security.Cryptography.DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(EncryptedBytes);
    }

See anything wrong there?
Thanks in advance.


GarthS wrote:

The ProtectedData class wraps the DPAPI; the following link - http://blogs.msdn.com/shawnfa/archive/2004/05/05/126825.aspx - details this API and states:

    DPAPI works by generating a key from the current user's credentials (generally their password, although a smart card will provide a different credential). It then generates a master key, and encrypts this with the key generated by the user's credentials. A random session key is created for each call to CryptProtectData. This key is derived from the master key, some random data, and some optional entropy passed in by the user. The session key is then used to do the actual encryption. Rather than storing the session key, the random data used in key creation is stored in the encrypted output.

So essentially every time that you encrypt, a partially random session key is added to the encrypted data (which is then used for decryption), which explains why the encrypted data is different even if the original clear string is identical. You should find that decrypting the encrypted data will return the same string.


"egypteg***@gmail.com" wrote:

Do you know of another method that will always produce the same encrypted value? I'm storing key/value pairs in isolated storage and would like to have the key encrypted as well just to obfuscate things a bit more.
Thanks.


Joe Kaplan (MVP - ADSI) wrote (in reply to <egypteg***@gmail.com>, message news:1154985102.110687.105810@h48g2000cwc.googlegroups.com):

It is actually to your disadvantage to have the encrypted data produce the same value each time, as that lowers your security. Ideally, even if you use a fixed session key for encryption, you use a different random IV so that the ciphertext is different.

However, if you use a fixed session key and fixed IV, you will get the same ciphertext back.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--


"egypteg***@gmail.com" wrote:

I realize it might be less secure, but it's better than storing plain keys, and having a different encrypted value each time makes this task (encrypting keys in key/value pairs) impossible, since the key needs to be the same to retrieve the value.

Is it even possible to specify the session key with the ProtectedData class? I only see an optional entropy parameter...


Joe Kaplan (MVP - ADSI) wrote (in reply to <egypteg***@gmail.com>, message news:1154988513.890224.78690@h48g2000cwc.googlegroups.com):

Well, you could use ProtectedData to directly encrypt the data, or you could use it to encrypt a key you generate/store. If you encrypt the key, then you'll get the same key back every time, and then you can use that to encrypt the data however you want. If you use a fixed key and fixed IV, you'll get the same ciphertext.

Joe K.
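The following is an added example written for this page; it is not code from any poster in the thread. It puts both answers into one runnable program: GarthS's point that two ProtectedData.Protect calls on the same input give different bytes yet both Unprotect to the original, and Joe Kaplan's suggestion to DPAPI-protect a generated key once and then use that key with a fixed IV for the deterministic lookup key (and, going slightly beyond the thread, with a random IV for the stored values). The file name, the entropy string and the class and method names are assumptions; it targets .NET Framework 3.5+ or modern .NET on Windows (where ProtectedData comes from the System.Security.Cryptography.ProtectedData package) and would use an IsolatedStorageFileStream rather than a plain file in the OP's setting.

```csharp
// Added example, not from the thread. Assumes Windows and a .NET with Aes.Create()
// and ProtectedData available (System.Security.dll on .NET Framework,
// the System.Security.Cryptography.ProtectedData package on modern .NET).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiKeyValueCrypto
{
    // Hypothetical file name; the OP would store this in isolated storage instead.
    const string WrappedKeyFile = "lookup-key.dpapi";

    // Optional entropy: whatever is passed to Protect must be passed to Unprotect.
    // The value is an assumption for this example.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-entropy-v1");

    // GarthS's point: two Protect() calls on equal input differ (random session
    // key material is embedded in the blob), yet both Unprotect() to the input.
    public static bool DpapiOutputVariesButRoundTrips(string input)
    {
        byte[] clear = Encoding.UTF8.GetBytes(input);
        byte[] c1 = ProtectedData.Protect(clear, Entropy, DataProtectionScope.CurrentUser);
        byte[] c2 = ProtectedData.Protect(clear, Entropy, DataProtectionScope.CurrentUser);
        bool differ = Convert.ToBase64String(c1) != Convert.ToBase64String(c2);
        string back1 = Encoding.UTF8.GetString(ProtectedData.Unprotect(c1, Entropy, DataProtectionScope.CurrentUser));
        string back2 = Encoding.UTF8.GetString(ProtectedData.Unprotect(c2, Entropy, DataProtectionScope.CurrentUser));
        return differ && back1 == input && back2 == input;
    }

    // Joe K.'s suggestion: generate an AES key once, keep it DPAPI-wrapped on disk,
    // and unwrap it on later runs. Only the same Windows user can unwrap it.
    public static byte[] LoadOrCreateKey()
    {
        if (File.Exists(WrappedKeyFile))
            return ProtectedData.Unprotect(File.ReadAllBytes(WrappedKeyFile), Entropy, DataProtectionScope.CurrentUser);

        byte[] key;
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 256;
            aes.GenerateKey();
            key = aes.Key;
        }
        File.WriteAllBytes(WrappedKeyFile, ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser));
        return key;
    }

    // Fixed key + fixed IV: deterministic, so the output can serve as the lookup key.
    // Equal names give equal ciphertexts, which is the leakage Joe K. warns about;
    // use this for the key column only.
    public static string EncryptLookupKey(byte[] key, string name)
    {
        byte[] plain = Encoding.UTF8.GetBytes(name);
        using (Aes aes = Aes.Create())                  // CBC with PKCS7 padding by default
        {
            aes.Key = key;
            aes.IV = new byte[aes.BlockSize / 8];       // all-zero fixed IV, deterministic by design
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return Convert.ToBase64String(enc.TransformFinalBlock(plain, 0, plain.Length));
        }
    }

    // Random IV per call, prepended to the ciphertext: same key, different output
    // each time, as Joe K. recommends for the values.
    public static string EncryptValue(byte[] key, string value)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] body = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] output = new byte[aes.IV.Length + body.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
                return Convert.ToBase64String(output);
            }
        }
    }

    public static string DecryptValue(byte[] key, string base64)
    {
        byte[] input = Convert.FromBase64String(base64);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            if (input.Length < iv.Length)
                throw new CryptographicException("ciphertext too short to contain an IV");
            Buffer.BlockCopy(input, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(input, iv.Length, input.Length - iv.Length));
        }
    }

    static void Main()
    {
        Console.WriteLine("DPAPI output varies but round-trips: " + DpapiOutputVariesButRoundTrips("hello"));
        byte[] key = LoadOrCreateKey();
        string k1 = EncryptLookupKey(key, "smtp-password");
        string k2 = EncryptLookupKey(key, "smtp-password");
        Console.WriteLine("Lookup key stable across calls: " + (k1 == k2));
        string v1 = EncryptValue(key, "s3cret");
        string v2 = EncryptValue(key, "s3cret");
        Console.WriteLine("Value ciphertexts differ: " + (v1 != v2));
        Console.WriteLine("Value round-trips: " + (DecryptValue(key, v1) == "s3cret"));
    }
}
```

Two design points worth noting. First, the fixed-IV lookup key reveals only equality of names (the same leakage as any deterministic scheme); since the name column never needs to be decrypted, a keyed hash such as HMAC over the name with the same DPAPI-protected key gives the same stable lookup without putting the name under a reversible transform at all. Second, CurrentUser scope ties the wrapped key to the Windows account that created it, and the optional entropy must be presented identically on Unprotect, so losing either (profile reset, different service account, changed entropy constant) makes the stored key, and with it every value, unrecoverable.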