Data Protection Application Programming Interface

For almost all types of Encryption , a Cryptographic Key is required. A key is a string of characters or Bytes that is used to encrypt or decrypt the data. However, when developing secure systems, the question of how to store the encryption key often arises. If the key is stored in ''plain text'', then any user that can access the key can access the encrypted data. If the key is to be encrypted, another key is needed, and so on ad infinitum. DPAPI allows developers to encrypt keys based on a particular user's profile or all the users of the local machine by the use of the system DPAPI key.

The keys used for encrypting the user's keys are stored under "%USERPROFILE%\Application Data\Microsoft\Protect\{SID}", where {SID} is the security identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 40 bytes of random data. DPAPI doesn't store any persistent data for itself; instead, it simply receives plaintext and returns cryptext (or vice-versa).

DPAPI security relies upon the system's ability to protect the Master Key and RSA private keys from compromise, which in most attack scenarios is most highly reliant on the security of the end user's credentials. Particular data Binary Large Object s can be encrypted in a way that Salt is added and/or an external user-provided password (aka "Strong Key Protection") is required. The use of a salt is a per-implementation option - i.e. under the control of the application developer - not controllable by the end user or IT professional.

Delegated access can be given to keys through the use of a COM+ object. This enables IIS Web Servers to use DPAPI.

USE OF DPAPI BY MICROSOFT PRODUCTS

Encrypting File System in Windows 2000 and later

Internet Explorer 7, both in the standalone version available for Windows XP and in the integrated versions available in Windows Vista and Windows Server 2008

Outlook for S/MIME

IIS for SSL/TLS

Windows Rights Management Services client v1.1 and later

Windows 2000 and later for EAP/TLS (VPN authentication) and 802.1x ( WiFi authentication)

Windows XP and later for Stored User Names and Passwords (aka Credential Manager)

.NET Framework v2.0 and later for System.Security.Cryptography.ProtectedData

REFERENCES

EXTERNAL LINKS

Windows Data Protection API (DPAPI)

Data encryption with DPAPI

Use DPAPI to encrypt and decrypt data

How To: Use DPAPI (User Store) from ASP.NET 1.1 with Enterprise Services

System.Security.Cryptography.ProtectedData in .NET Framework 2.0 and later

The Windows PStore

	CATEGORIES ABOUT DATA PROTECTION API

	microsoft apis

	cryptographic software

	microsoft windows security technology

	APPAREL
	BABY
	BEAUTY
	BOOKS
	CAR TOYS
	CELL PHONES
	DVD'S
	ELECTRONICS
	GOURMET FOOD
	GROCERIES
	HEALTH & PERSONAL
	HOME & GARDEN
	JEWELRY
	MUSIC
	MUSIC INSTRUMENTS
	OFFICE PRODUCTS
	SOFTWARE
	SPORTING GOODS
	TOOLS & HARDWARE
	TOYS
	VIDEO GAMES
	SHOPPING HOME

	MORE SHOPPING...

Information About

Data Protection Application Programming Interface