Wednesday, November 9, 2011

Encryption in Mango!

In this blog post, we are going to cover how developers can now save data in encrypted form on Windows Phone.

In Mango, the Windows Phone team has given developers DPAPI (Data Protection API) and two methods, Protect and Unprotect, which can be used to encrypt and decrypt data.

Why should I be excited about this?
Until now, there was no secure way of encrypting your data, so developers were not able to enable offline scenarios in line-of-business and enterprise applications. Of course, if you are developing a game or a fun application and not storing any PII, you could simply save the data in plain text to either Isolated Storage or the Transient Storage.

So, for the mobile developers who are developing enterprise applications and even for those who were eagerly waiting for Windows Phone to have a proper secure encryption standard, IT IS A BIG DEAL!

What is DPAPI?
I will not be covering the concept of DPAPI in detail. There are lots of blogs and articles on this technology which you can read to get a grasp of the concept:

http://msdn.microsoft.com/en-us/library/ms995355
http://blogs.msdn.com/b/shawnfa/archive/2004/05/05/126825.aspx

"In context of Windows Systems, DPAPI works by generating a key from the current user's credentials and then generates a master key. DPAPI then encrypts the master key with the key generated from user's credentials. Then a random session key is created for each call to the CryptProtectData method. This session key is generated from the master key, some random data, and some optional entropy passed in by the user to strengthen the key. This session key is used to do the actual encryption!"

DPAPI in MANGO

Before DPAPI was introduced, it was possible to encrypt your data using the AES APIs, but the issue was how to secure the key used to encrypt and decrypt the data. Saving the key on the phone was not a recommended approach. The only possible, and tedious, way was to store the key on the server side and fetch it via a web service, which then needed to be claims-aware (as this is the only way any enterprise application can interact with a web service). So overall, encryption and decryption were neither developer-friendly nor recommended by the experts!

DPAPI solves the problem of generating and handling the keys used to encrypt the data in a secure manner. As mentioned earlier, it generates the key on the basis of user and phone credentials. On a Windows Phone device, every application gets its own decryption key, which is created when the user runs the application for the first time. The Protect and Unprotect methods provided by the Cryptography API use this key implicitly. The key also persists across updates to the application.

Enough theory!! Tell me the API
Fair thought! I myself am not a big fan of theory but it helps to understand the concepts.

The two methods that you would be using are Protect and Unprotect.
These methods are present in the System.Security.Cryptography namespace in mscorlib.Extensions.dll.
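
A minimal round trip with these two methods, added here as an illustration and not the author's own sample: it protects a secret with the implicit per-application key and keeps only the ciphertext in Isolated Storage. It assumes the methods are called on the ProtectedData class with a null optional entropy; the SecretStore class and the file name are hypothetical.

```csharp
// Added example, not from the original post. Targets Windows Phone 7.1 (Mango).
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore            // hypothetical helper class
{
    private const string FileName = "secret.dat";   // hypothetical file name

    public static void Save(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        // null entropy: only the per-application key protects the data.
        byte[] cipher = ProtectedData.Protect(plain, null);
        Array.Clear(plain, 0, plain.Length);        // do not leave plaintext around

        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var fs = store.OpenFile(FileName, FileMode.Create, FileAccess.Write))
        {
            fs.Write(cipher, 0, cipher.Length);     // only ciphertext reaches storage
        }
    }

    // Returns null when nothing is stored or the blob cannot be decrypted.
    public static string Load()
    {
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(FileName)) return null;

            byte[] cipher;
            using (var fs = store.OpenFile(FileName, FileMode.Open, FileAccess.Read))
            {
                cipher = new byte[fs.Length];
                int read = 0, n;
                while (read < cipher.Length &&
                       (n = fs.Read(cipher, read, cipher.Length - read)) > 0)
                    read += n;
            }
            try
            {
                byte[] plain = ProtectedData.Unprotect(cipher, null);
                return Encoding.UTF8.GetString(plain, 0, plain.Length);
            }
            catch (CryptographicException)
            {
                return null;    // corrupted, truncated or foreign blob
            }
        }
    }
}
```

The same pattern covers the AES key problem described earlier: pass the raw key bytes to Protect and store the result, so the key never sits on the phone in the clear.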

I will be writing the second part of this blog which will have a running sample of Encryption and Decryption using DPAPI.
