information on Data Protection API (DPAPI)

2019-01-19 06:24发布

I am currently writing a c# mvc web application in which password are being taken from a user and stored in a database - sql server. I need a way of hashing the passwords.

It has been recommended to be to use the Data Protection API (DPAPI). I am not familliar with it and from research on the internet, very little information exists on it.

Can anyone point in the direction for further information on it? OR give me an overview of how to set it up and work with it etc.

2条回答
神经病院院长
2楼-- · 2019-01-19 06:25

.Net has a wrapper class for the DPAPI called ProtectedData. It it very easy to use, and contains just two static methods: Protect and Unprotect. A How-to article can be found here. The DPAPI does not require a key because it uses either the logged-in users's credentials or the machine's credentials to do the encryption, depending on what scope you choose when calling Protect. Note that if you intend to store the encrypted data in a database, you must be sure to always use the same windows user account or machine (again, depending on the encryption scope), or else you will not be able to decrypt the data. Thus, depending on your application, this API may not be optimal. It is primarily intended for doing local encryption on a single machine rather than for distributed applications.

查看更多
走好不送
3楼-- · 2019-01-19 06:51

The Data Protection API is primarily used for protecting cryptographic keys and secrets under a users credentials. If you want to store hashed passwords in a database, the DAPI isn't really what you want.

The ASP.NET Membership Provider is used for managing users, including hashing passwords with a salt. Unfortunately there doesn't seem to be a method to just return a hashed password, so if you don't need the extra functionality, it might be worth extracting the relevant code from something like CodeFirst Membership Provider (See Crypto.cs in the Source Code). The advantage here is this Membership Provider uses PBKDF2 to derive the hash, which is more resistant to brute force attacks given the number of rounds. It's also the method StackOverflow itself uses.

查看更多
登录 后发表回答