CryptProtectData (DPAPI) weird behavior

  • Question

  • I am using CryptProtectData to protect (using machine-specific protection) some piece of data on one machine. Then I am hashing (using an HMAC hash algorithm) this output and storing it in a file.

    So far this value used to be unique across machines, but recently it comes out to be the same on three machines (only three) which are on the network. On the rest of the machines this is working fine.

    Not sure why this is happening on only these three machines.

    Any clues?

    Thanks, Sachin
    Tuesday, May 3, 2011 8:06 PM

All replies

  • CRYPTPROTECT_LOCAL_MACHINE only makes the guarantee that users on the same machine will all be able to decrypt the data. It does not guarantee unique output for every machine on the planet.
    Friday, May 6, 2011 9:08 PM
  • I think it also makes sure that encrypted data will only be decrypted on the same machine on which encryption is carried out.

    Here is the definition from MSDN:

    CRYPTPROTECT_LOCAL_MACHINE When this flag is set, it associates the data protected with the current computer instead of with an individual user. Any user on the computer on which the internal protect function is called with this flag can use the internal unprotect function to unprotect the data. Application developers should understand that by using this flag no "real" protection is provided by DPAPI. By "real" we mean that any process running on the system can unprotect any data protected with this flag. We highly recommend that this flag not be used on workstations to protect users' data. It does make sense, however, for a server process to use the flag on a server where untrusted users are not allowed to log on. It also makes sense for a local machine process to use the flag to protect data to be stored off the machine or on a shared drive.

    This implies decryption could be carried out on the same machine.


    Thanks, Sachin
    Monday, May 9, 2011 2:23 PM
  • Any clues about the behavior?

    If I am getting the same result on different machines, that means DPAPI is not machine specific anymore.

    To be clearer, here is an example:

    Machine 1: I encrypt ABC and get output 98RT907. So on decryption I will get back ABC.

    Machine 2: Again I encrypt ABC and get output 98RT907 (the same, which is the actual issue). So on decryption I will get back ABC.

    This means I can take encrypted data from one machine (as both outputs are the same) and decrypt it on the other machine.

    So I am not sure how this flag CRYPTPROTECT_LOCAL_MACHINE makes sure that users on the same machine will all be able to decrypt the data.

    Is there something I am missing, or is there some issue here?


    Thanks, Sachin
    Tuesday, May 24, 2011 6:51 PM
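The procedure described in this thread (protect with machine scope, HMAC the blob, store it) and the cross-machine comparison in the last post can be checked directly. The script below is an added example, not code from the original poster or from Microsoft; it uses the .NET `ProtectedData` class, which is the managed wrapper over `CryptProtectData`/`CryptUnprotectData`, with `DataProtectionScope.LocalMachine` standing in for `CRYPTPROTECT_LOCAL_MACHINE`. The sample plaintext, the HMAC key and the file name `blob.bin` are constructed for the demo, and the master-key GUID offsets are an assumption taken from the DPAPI blob layout documented by third-party DPAPI tooling rather than from this page.

```powershell
# Added example (not from the thread): exercise DPAPI machine-scope protection
# through .NET's ProtectedData. Run on Windows (Windows PowerShell 5.1 or PowerShell 7).
Add-Type -AssemblyName System.Security

$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

# Protect a byte string with the equivalent of CRYPTPROTECT_LOCAL_MACHINE.
function Protect-MachineBlob {
    param([byte[]]$Plain)
    # Optional entropy is $null here to mirror the thread's usage; an
    # application-specific entropy value would further narrow who can unprotect.
    return [System.Security.Cryptography.ProtectedData]::Protect($Plain, $null, $Scope)
}

# HMAC-SHA256 over the blob, as the original poster does before storing it.
function Get-BlobHmacHex {
    param([byte[]]$Blob, [byte[]]$Key)
    $h = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { return ([System.BitConverter]::ToString($h.ComputeHash($Blob))).Replace('-', '') }
    finally { $h.Dispose() }
}

# Read the master-key GUID out of a DPAPI blob. Offsets are an assumption based
# on the blob layout described by third-party DPAPI tooling: version DWORD (0),
# provider GUID (4), master-key version DWORD (20), master-key GUID (24).
function Get-BlobMasterKeyGuid {
    param([byte[]]$Blob)
    return [System.Guid]::new([byte[]]$Blob[24..39])
}

# Try to unprotect a blob; for a blob produced on another machine with machine
# scope this is expected to fail with CryptographicException.
function Test-BlobUnprotect {
    param([byte[]]$Blob)
    try {
        $null = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

# --- demo with constructed input ---
$plain   = [System.Text.Encoding]::UTF8.GetBytes('ABC')            # constructed sample
$hmacKey = [System.Text.Encoding]::UTF8.GetBytes('demo-hmac-key')  # constructed key

$blob1 = Protect-MachineBlob $plain
$blob2 = Protect-MachineBlob $plain

# DPAPI salts every blob, so two protections of the same input differ even on a
# single machine; an HMAC of the blob is therefore not a stable per-machine value.
$same = ([System.BitConverter]::ToString($blob1) -eq [System.BitConverter]::ToString($blob2))
"Blobs identical on this machine: $same"
"HMAC 1: " + (Get-BlobHmacHex $blob1 $hmacKey)
"HMAC 2: " + (Get-BlobHmacHex $blob2 $hmacKey)
"Master key GUID used: " + (Get-BlobMasterKeyGuid $blob1)

# Export for the cross-machine check: copy blob.bin to a second machine and run
#   Test-BlobUnprotect ([System.IO.File]::ReadAllBytes('blob.bin'))
[System.IO.File]::WriteAllBytes((Join-Path $PWD 'blob.bin'), $blob1)
"Unprotect on this machine succeeds: " + (Test-BlobUnprotect $blob1)
```

Two things to take from running it: the guarantee `CRYPTPROTECT_LOCAL_MACHINE` actually makes is about who can call unprotect, so the meaningful test is `Test-BlobUnprotect` on a blob carried over from another machine, not a comparison of ciphertext or of its hash; and since each protect call is randomised, comparing the master-key GUIDs reported on two machines is a more useful check of whether they are using distinct machine keys than comparing the blobs themselves.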