Data Protection API Information (DPAPI)

I am currently writing a C# MVC web application in which the password is taken from the user and stored on the database server (SQL). I need a way to hash passwords.

It was recommended that I use the Data Protection API (DPAPI). I am not familiar with it, and from research on the Internet there is very little information on it.

Can someone point me to further information about this, or give me an overview of how to configure it and work with it, etc.?

+4
2 answers

The Data Protection API is mainly used to protect cryptographic keys and secrets under user credentials. If you want to store hashed passwords in a database, DPAPI is not really what you want.

The ASP.NET Membership Provider is used to manage users, including hashing passwords with salt. Unfortunately, there seems to be no method that simply returns a hashed password, so if you do not need the additional functions, it may be worth extracting the corresponding code from the CodeFirst Membership Provider (see Crypto.cs in the source code). The advantage here is that this membership provider uses PBKDF2 to obtain a hash that is more resistant to brute-force attacks, given the number of rounds. It is the method StackOverflow itself uses.

+7

.NET has a wrapper class for DPAPI called ProtectedData. It is very easy to use and contains only two static methods: Protect and Unprotect. You can find the article here. DPAPI does not require a key because it uses either the credentials of registered users or the credentials of a computer for encryption, depending on which scope you select when calling Protect. Please note: if you intend to store encrypted data in a database, you should always use the same user account or Windows machine (again, depending on the scope of encryption), otherwise you will not be able to decrypt the data. Thus, depending on your application, this API may not be optimal. It is intended primarily for local encryption on a single machine, and not for distributed applications.

+5
