Does ProtectedData Protect Multiple Computers?

I am studying the storage of some sensitive data in an application that I am working on. I looked at the ProtectedData class provided by Microsoft and it looks pretty simple. However, I have a few questions regarding how this works.

First, I see that it uses "user credentials" to generate the encryption key. I saw in the documentation that only the current user will be able to decrypt the data. This is not a problem, I just want to know if the same user is registered on another machine, can they decrypt the data? I plan that the stored information will be transferred to OneDrive, so I hope it will be available on any device that uses the same user.

Example:

1. User A logs in on a desktop computer and saves the encrypted file abc.txt.
2. User A then logs in on a tablet and loads the file abc.txt.

Is abc.txt available for user A on the tablet?

Secondly, what happens when a user changes their password? It seems to me that the encryption key will then be different, so data encrypted with the previous key can no longer be decrypted?

Example:

1. User A logs in on a desktop computer and saves the encrypted file abc.txt.
2. User A changes their password.
3. User A logs in on the desktop computer again and loads the file abc.txt.

Is abc.txt available to user A?

+5
2 answers

Is abc.txt available for user A on the tablet?

"For DPAPI to work correctly when it uses roaming profiles, a domain user only needs to be logged on to one computer in the domain. If the user wants to log on to another computer in the domain, the user must log off the first computer before the user logs on to the second computer. If a user is logged on to multiple computers at the same time, it is likely that DPAPI will not be able to correctly decrypt existing encrypted data." - http://support.microsoft.com/kb/309408

Is abc.txt available to user A?

On the same machine, after changing the password, the user should still have access to previously encrypted files. I understand that previously created keys are still stored in a list to allow this. (It would be a costly operation to decrypt and re-encrypt all previously saved data each time the user changes their password, so instead they just keep the old keys.)

However, there are administrative tools that allow the password to be changed in a way that could break this.

I do not know how a password change on machine A will affect machine B. I would assume that the roaming profile handles this correctly, but this might be an invalid assumption.

I would not store critical data under DPAPI without backing it up somewhere. Of course, this introduces other security-related complexities depending on the sensitivity of the data.

+4
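As an added example (not code from the question or either answer), the following C# program round-trips a secret through DPAPI with ProtectedData under CurrentUser scope and probes whether the resulting blob can be unwrapped on the device it is run on; running it once on the desktop and once on the tablet after the file has synced is the check for the first question above. The file path, the entropy constant and the CryptographicException fallback are assumptions of this example, and it requires the Windows-only ProtectedData type.

```csharp
// Added example, not from the page: DPAPI round-trip plus a "can this device/user
// decrypt it?" probe. Needs System.Security.Cryptography.ProtectedData (Windows).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiRoamingProbe
{
    // Application-specific entropy mixed into the DPAPI key: another program running as
    // the same user cannot unwrap the blob with a bare Unprotect call. Assumed constant.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // Protect the secret for the current user only and write the blob to disk.
    public static void SaveSecret(string path, string secret)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
    }

    // Returns null instead of throwing when this user/device cannot unwrap the blob
    // (different user, a machine whose master key did not roam, or a broken master key).
    public static string TryLoadSecret(string path)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    static void Main()
    {
        // Assumed location; point this at the synced folder when testing roaming.
        string path = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), "abc.txt");

        if (!File.Exists(path))
        {
            SaveSecret(path, "constructed sample secret");
            Console.WriteLine("Wrote " + path + "; run again on the other device after sync.");
            return;
        }

        string secret = TryLoadSecret(path);
        Console.WriteLine(secret == null
            ? "Blob exists but does NOT decrypt for this user on this device."
            : "Decrypted OK: " + secret);
    }
}
```

A null result on the tablet means the DPAPI master key did not follow the user, which is the situation the KB article quoted above warns about, so the application needs a separate recovery path rather than relying on the blob alone.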

Data Protection API (DPAPI) works correctly with roaming profiles. Thus, this covers the case where the user needs to decrypt the data over the network. Isolated storage is used to store data that applies to multiple applications and is not tied to any particular application, such as a username or license information.

An example of creating an isolated roaming repository:

    using System.IO.IsolatedStorage;

    // Isolated store scoped to the current user, domain and assembly
    using (IsolatedStorageFile isoStore = IsolatedStorageFile.GetStore(
        IsolatedStorageScope.User | IsolatedStorageScope.Domain | IsolatedStorageScope.Assembly,
        null, null))
    {
        isoStore.CreateDirectory("TopLevelDirectory");
        // CreateFile returns an open stream; dispose it so the file is flushed and closed
        using (IsolatedStorageFileStream file = isoStore.CreateFile("abc.txt")) { }
    }

An example of obtaining an isolated roaming storage:

    using System.IO.IsolatedStorage;

    // Roaming store: its contents follow the user via the roaming profile
    using (IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore(
        IsolatedStorageScope.User | IsolatedStorageScope.Assembly | IsolatedStorageScope.Roaming,
        null, null))
    {
        // read or write files through isoFile here
    }

+3

Source: https://habr.com/ru/post/1210429/
