Locking data to user
-
Hello! I'm trying to write a tool that associates some data with the currently logged on Windows user account. I.e. the encryption key for the file is generated based on the user. How can I do this? Of course, just using the user name is bad, because it should also depend on the user's password. Unfortunately I haven't found a function to get the user's password (is there one?). I tried using the System.Security.Cryptography.ProtectedData.Protect function. The problem with this approach is that this function returns a byte array that includes a seed. I.e. when calling this function twice, you'll never get the same results. But this is a requirement, as I want to use its output only as the key for my own encryption engine (which offers a choice between different algorithms, like AES, Twofish, ...).
Best regards, Dominik
Too many passwords to remember? Try KeePass Password Safe!
-
Using the user's name is a bad idea because a user can change their name. You also cannot use a user's password because, for one, passwords expire and change, and two, there is no function to get the password. About the only thing that doesn't change in a user object is its SID.
Dave Kreskowiak Microsoft MVP - Visual Basic
-
I know that the SID is the only constant thing in a user's account, but it is public, isn't it? An administrator can easily read all SIDs of users in a network. Therefore, using just the SID is a bad idea, too... Any other way?
Thanks for your reply and best regards, Dominik
Too many passwords to remember? Try KeePass Password Safe!
-
I've just found a solution and wanted to quickly let you know it, in case it's interesting for you, too: First, a random byte array is generated using a cryptographically secure random number generator. This is the key used for encryption. It is protected using ProtectedData.Protect with the DataProtectionScope.CurrentUser option and written to the registry. When loading, the protected key is retrieved from the registry, unprotected using ProtectedData.Unprotect and used as the decryption key for our file. I'm not sure what data ProtectedData is using, but it seems that the password can be changed without making the ProtectedData behavior change, i.e. the user's password actually doesn't matter. Same applies to the user name. Probably Windows keeps some secret key for each user, which we can't access manually.
Best regards, Dominik
Too many passwords to remember? Try KeePass Password Safe!
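The scheme from the last post (random key, wrapped with DPAPI in CurrentUser scope, persisted in the registry, unwrapped on load), written out as an added C# example; it is not code from the thread or from KeePass. The registry path, value name and entropy string are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.Win32;

static class UserBoundKey
{
    // Hypothetical per-user registry location; any HKCU path would do.
    const string KeyPath = @"Software\ExampleTool";
    const string ValueName = "WrappedFileKey";

    // Optional entropy separates this tool's blobs from other DPAPI users of the same
    // account. It lives in the binary, so it is not a secret and adds no strength
    // against code already running as this user; it only prevents accidental reuse.
    static readonly byte[] Entropy = System.Text.Encoding.UTF8.GetBytes("ExampleTool/v1");

    // Generate a fresh 256-bit key with a CSPRNG, wrap it for the current user, store it.
    // The wrapped blob differs on every Protect call; the key inside it does not.
    public static byte[] CreateAndStore()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);

        byte[] wrapped = ProtectedData.Protect(key, Entropy, DataProtectionScope.CurrentUser);
        using (RegistryKey rk = Registry.CurrentUser.CreateSubKey(KeyPath))
            rk.SetValue(ValueName, wrapped, RegistryValueKind.Binary);
        return key;
    }

    // Unwrap the stored key. Returns null when nothing is stored yet, or when DPAPI
    // refuses: another user account, or a profile whose DPAPI master keys are gone
    // (e.g. after an administrative password reset rather than a normal change).
    public static byte[] Load()
    {
        using (RegistryKey rk = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            byte[] wrapped = rk?.GetValue(ValueName) as byte[];
            if (wrapped == null) return null;
            try { return ProtectedData.Unprotect(wrapped, Entropy, DataProtectionScope.CurrentUser); }
            catch (CryptographicException) { return null; }
        }
    }

    static void Main()
    {
        // The stable per-user key for the tool's own AES/Twofish engine.
        byte[] key = Load() ?? CreateAndStore();
        Console.WriteLine("file key ready, {0} bytes", key.Length);
    }
}
```

A normal password change leaves the key recoverable because Windows re-encrypts the user's DPAPI master keys with the new password, which is why the post saw no change in behaviour; a password reset done by an administrator does not, so a tool relying on this should keep an independent backup path for the wrapped key.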