ScottFoster1000

Reputation: 617

ASP.NET Core Data Protection cross platform encryption provider

I'm trying to use the asp.net core DataProtectionProvider with a single database backing a server farm. I have an IXmlRepository implemented for the store and I'm successfully supplying the same certificate to 2 machines running my server. I verified I'm using the same purpose strings in the same order, but when I try to unprotect from machine b a string that machine a encodes, I'm getting a generic CryptographicException.

Would it matter if machine a and machine b are 2 different operating systems? (Linux vs windows server)

The exception I'm getting is:

System.Security.Cryptography.CryptographicException: Exception of type 'System.Security.Cryptography.CryptographicException' was thrown.
   at Microsoft.AspNetCore.Cryptography.UnsafeNativeMethods.ThrowExceptionForBCryptStatusImpl(Int32 ntstatus)
   at Microsoft.AspNetCore.Cryptography.UnsafeNativeMethods.ThrowExceptionForBCryptStatus(Int32 ntstatus)
   at Microsoft.AspNetCore.DataProtection.Cng.GcmAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)

Upvotes: 1

Views: 3797

Answers (1)

ScottFoster1000

Reputation: 617

I found that the provider had the folder name for the top-level purpose. I'm assuming this is to isolate the key storage when stored in the registry. The solution was to add the ApplicationName to the configuration so it uses that instead of the folder, which was different on the two different machines.

Example:

using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;

// In Startup.ConfigureServices(IServiceCollection services)
services.AddDataProtection()
    .UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration
    {
        EncryptionAlgorithm = EncryptionAlgorithm.AES_256_GCM,
        ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
    })
    // Same name on every machine, so the purpose chain (and thus the AAD) matches
    .SetApplicationName("MyCommonName");

Upvotes: 6
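The following is an added example, not code from the question or answer above, that reproduces the failure mode the answer describes and the fix. It builds two independent Data Protection providers over one shared key store (a temporary directory standing in for the database-backed IXmlRepository) and shows that a payload protected under one application discriminator cannot be unprotected under another, even though both hosts hold the same key, while the same SetApplicationName on both sides round-trips. The names "machine a"/"machine b", the directory, the purpose string "auth-token", and the payload are all constructed for the demo; algorithms are left at the defaults, and key encryption at rest is deliberately omitted, which the library logs a warning about.

```csharp
// Assumes the NuGet packages Microsoft.AspNetCore.DataProtection and
// Microsoft.Extensions.DependencyInjection (names/paths below are demo assumptions).
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class AppNameDemo
{
    // Builds a provider the way a single host would, pointing at the shared key store.
    static IDataProtectionProvider BuildProvider(DirectoryInfo sharedKeys, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(sharedKeys)  // shared store; stands in for the database IXmlRepository
            .SetApplicationName(appName);         // discriminator prepended to every purpose chain
        return services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
    }

    // Protects on "machine a" and unprotects on "machine b".
    // Returns true when the round trip succeeds, false when Data Protection rejects the payload.
    static bool RoundTrip(DirectoryInfo sharedKeys, string appNameA, string appNameB)
    {
        const string plaintext = "user=42;session=demo";   // constructed sample payload
        var protectorA = BuildProvider(sharedKeys, appNameA).CreateProtector("auth-token");
        var protectorB = BuildProvider(sharedKeys, appNameB).CreateProtector("auth-token");

        string payload = protectorA.Protect(plaintext);   // creates the first key in the shared store
        try
        {
            // Same key, same purpose string, but the AAD also contains the discriminator,
            // so the authentication tag only verifies when the app names match.
            return protectorB.Unprotect(payload) == plaintext;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        var sharedKeys = new DirectoryInfo(
            Path.Combine(Path.GetTempPath(), "dp-demo-keys-" + Guid.NewGuid().ToString("N")));
        sharedKeys.Create();

        // Without SetApplicationName the discriminator defaults to the content root path,
        // which differs per host; two different names simulate that here.
        Console.WriteLine("different app names: " + RoundTrip(sharedKeys, @"C:\inetpub\site", "/var/www/site"));

        // The answer's fix: the same explicit name on every host.
        Console.WriteLine("same app name:       " + RoundTrip(sharedKeys, "MyCommonName", "MyCommonName"));
    }
}
```

The first line prints `False` and the second `True`. The point to take away when diagnosing this in production is that a CryptographicException on Unprotect is not evidence that the key ring is out of sync: check that the key id in the payload header exists on the unprotecting host first, and if it does, compare the application discriminator and purpose chain on both sides, because those feed the additional authenticated data and any difference fails the tag check with the same generic error.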
