
We are writing a tool to migrate data from a Windows Store application to a Windows Desktop one. The store app protects some data using DPAPI which we need to be able to decrypt from the desktop application.

When calling the ProtectedData.Unprotect method we are getting a CryptographicException stating "the parameter is invalid". Looking at the store application code I can see that the DPAPI API is different from the desktop .NET framework. The store app API is used as follows:

```csharp
using Windows.Security.Cryptography.DataProtection; // DataProtectionProvider
using Windows.Storage.Streams;                       // IBuffer
// Store app: WinRT DPAPI, keyed by a protection descriptor string
provider = new DataProtectionProvider("LOCAL=user");
...
IBuffer origBuffer = await this.provider.UnprotectAsync(encryptedBuffer);
```

The desktop API looks like the following:

```csharp
using System.Security.Cryptography; // ProtectedData, DataProtectionScope
// Desktop .NET: classic DPAPI, keyed by scope plus optional entropy
byte[] ProtectedData.Unprotect(byte[] encryptedBytes,
                               byte[] entropy,
                               DataProtectionScope scope);
```

We have tried to use DataProtectionScope.CurrentUser and entropy null but this results in the above CryptographicException. At a guess, internally, the store API uses a specific entropy without which we cannot decrypt the data.

Does anyone know what the store DPAPI API is doing behind the scenes that would allow us to decrypt the store data?

Richard Blewett
  • Does the store code work? The [documentation](https://msdn.microsoft.com/en-us/library/windows/apps/br241562.aspx) suggests it shouldn't - "Do not use this constructor before starting a decryption operation. You must use the `DataProtectionProvider()` constructor instead." – Damien_The_Unbeliever Dec 09 '15 at 13:51
  • Yes, the store app works fine; either the store app authors were lucky or the documentation is incorrect – Richard Blewett Dec 09 '15 at 13:56
  • The fact that the decryption apparently *can* work without specifying the scope suggests that the scope is stored (possibly not encrypted, though not necessarily human-readable) along with the data. The usual DPAPI does not do that, as far as I know. That may be at least part of why using `ProtectedData` with data that was encrypted using `DataProtectionProvider` doesn't work. – CBHacking Oct 03 '17 at 19:00

1 Answer

Sorry to not have a direct answer, but can't you reference the WinRT API from your desktop application in order to decrypt these secured bytes?

Here is a guide to referencing the WinRT API in a WPF application: http://www.hanselman.com/blog/HowToCallWinRTAPIsInWindows8FromCDesktopApplicationsWinRTDiagram.aspx

Regards

tobre
Jonathan ANTOINE
  • We finally put the code in and, apart from having to get used to working in the world of IBuffers and Storages, it worked great - thanks – Richard Blewett Dec 18 '15 at 11:52
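The approach the answer suggests, as an added example that is not code from the question or the answer: a desktop .NET program that references the WinRT `Windows.Security.Cryptography.DataProtection` API and converts between `byte[]` and `IBuffer`, since the blobs written by `DataProtectionProvider` (CNG DPAPI, descriptor embedded in the blob) are not readable by `ProtectedData` (classic DPAPI). It assumes the project references the WinRT metadata and `System.Runtime.WindowsRuntime` per the linked guide (or targets a Windows 10 TFM), and the `ProtectAsync` helper exists only to build a round-trip sample.

```csharp
// Added example: desktop app decrypting Store-app DPAPI blobs via WinRT.
using System;
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Cryptography;                // CryptographicBuffer
using Windows.Security.Cryptography.DataProtection; // DataProtectionProvider
using Windows.Storage.Streams;                      // IBuffer

static class StoreDpapiMigration
{
    // Same descriptor the Store app used. Only needed here to produce a
    // sample blob; a migration tool would read the blob from the Store app's
    // storage and call UnprotectAsync alone.
    public static async Task<byte[]> ProtectAsync(byte[] plaintext)
    {
        var provider = new DataProtectionProvider("LOCAL=user");
        IBuffer input = CryptographicBuffer.CreateFromByteArray(plaintext);
        IBuffer blob = await provider.ProtectAsync(input);
        CryptographicBuffer.CopyToByteArray(blob, out byte[] result);
        return result;
    }

    // Decryption uses the parameterless constructor (as the documentation
    // quoted in the comments says); the descriptor is read from the blob.
    public static async Task<byte[]> UnprotectAsync(byte[] protectedBytes)
    {
        var provider = new DataProtectionProvider();
        IBuffer input = CryptographicBuffer.CreateFromByteArray(protectedBytes);
        IBuffer plain = await provider.UnprotectAsync(input);
        CryptographicBuffer.CopyToByteArray(plain, out byte[] result);
        return result;
    }

    static async Task Main()
    {
        // Constructed sample data; the real tool loads the Store app's blob.
        byte[] secret = Encoding.UTF8.GetBytes("migrate me");
        byte[] blob = await ProtectAsync(secret);
        byte[] back = await UnprotectAsync(blob);
        Console.WriteLine(Encoding.UTF8.GetString(back));
    }
}
```

The decrypt must run as the same Windows user that protected the data, because "LOCAL=user" binds the key to that account.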