Caveats in ASP.NET Core Data Protection

Edi Wang 1/15/2019 (UTC)

ASP.NET Core provides a built-in Data Protection mechanism to let us encrypt or decrypt sensitive data. There are some limitations that can cause problems while bringing convenience. I met some problems these days.

My Scenario

My blog system has a feature to send email notifications, so you need to configure an email account to let the program use that account to send mail to an administrator or users. This involves the question of how to securely store your account password. As programmers with morals, we certainly can't store plaintext passwords to databases like many platforms in China. In this scenario, we also can't store passwords with HASH, because sending messages is done by the system in the background, and the user is not required to enter a password to compare the HASH with the database stored values. Therefore, my first thought is to use the symmetric encryption algorithm such as AES, store the encrypted ciphertext in the database, the program decrypts the values according to key, and then use the account to send mail.

Don't Reinvent the Wheel

Before designing a feature, I usually check the internet first to see if there is already a framework feature that comes with the functionality to complete the requirements. As a result, ASP.NET Core's own Data Protection APIs is brought to my attention.

The benefits of using Data Protection APIs are:
Replacement for the classic MachineKey
No need to design an encryption algorithm on your own, just use the most secured framework provided algorithms.
Without having to manage the key yourself, the framework will automatically store and manage the key for you.
The key is refreshed every 90 days by default
API is easy to use without requiring to know deep about encryptions
Retain flexibility and extensibility, allowing steps such as custom algorithms, key storage, and more

You can check the detailed introduction on Microsoft Docs here.

The algorithm used by Data Protection is by default AES, which can meet my needs.

Encryption and Decryption Flow

After the framework helps us hide the complex algorithm process, we can complete the encryption and decryption with just 3 simple API calls:

A common practice is: Add DataProtection in Startup

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection();
    // ...
}

Create a service like this to use in other parts of the system

public class EncryptionService
{
    private readonly IDataProtectionProvider _dataProtectionProvider;
    private const string Key = "cxz92k13md8f981hu6y7alkc";

    public EncryptionService(IDataProtectionProvider dataProtectionProvider)
    {
        _dataProtectionProvider = dataProtectionProvider;
    }

    public string Encrypt(string input)
    {
        var protector = _dataProtectionProvider.CreateProtector(Key);
        return protector.Protect(input);
    }

    public string Decrypt(string cipherText)
    {
        var protector = _dataProtectionProvider.CreateProtector(Key);
        return protector.Unprotect(cipherText);
    }
}

I used this method to encrypt the email account password and store it in the database. Then change the code to successfully decrypt the data, run on my own machine and complete the function of sending mail without a problem. So I deployed it to production.

Production Blow Up!

An exception occurred in the production environment while decrypted the ciphertext in the database:

System.Security.Cryptography.CryptographicException: The key {bd424a84-5faa-4b97-8cd9-6bea01f052cd} was not found in the key ring.

After research, this is because ASP.NET Core generates different keys to encrypt data when it is running on different machines, and the ciphertext in my database is encrypted with the key of the developer machine, not the key of the server. So when you try to decrypt, you can't find the key for encryption, and this exception blows up the server sky high.

ASP.NET Core can store Key to Windows Registry, IIS User Profile, Azure KeyVault, Azure Storage Account or File System, etc. In Azure App Service, the Key is stored in %HOME%\ASP.NET\DataProtection-Keys folder, it will automatically sync into other instances in your App Service. You can see the folder with Kudu:

Therefore, to solve the problem of key inconsistency in different environments, only need to find a consistent storage location. But that's not going to solve my problem. Because by default, a new key is regenerated every 90 days, so that the ciphertext in the database will fail to decrypt again if it is not updated.

In addition, the AntiForgeryToken in ASP.NET Core is also using the same Data Protection APIs, which in case when you deploy multiple web servers on your own (not using App Service to scale out), it will result in different keys in every server, and the user will fail on submitting form data.

The Solution

Although we can do this by saving the key in a unified location, we can also specify an automatic refresh cycle, but I do not recommend it. Because this mechanism applies only to encrypted, short-aging data, it is not designed for data that is persisted into the database. So in this scenario, we still have to write our own service of encryption and decryption.

First (very faceless) copy a pair of AES encryption and decryption functions from Microsoft's official documents:

Encryption

private static byte[] EncryptStringToBytes_Aes(string plainText, byte[] key, byte[] iv)
{
    if (plainText == null || plainText.Length <= 0)
        throw new ArgumentNullException(nameof(plainText));
    if (key == null || key.Length <= 0)
        throw new ArgumentNullException(nameof(key));
    if (iv == null || iv.Length <= 0)
        throw new ArgumentNullException(nameof(iv));
    byte[] encrypted;

    using (var aesAlg = Aes.Create())
    {
        aesAlg.Key = key;
        aesAlg.IV = iv;

        var encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
        using (var msEncrypt = new MemoryStream())
        {
            using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
            {
                using (var swEncrypt = new StreamWriter(csEncrypt))
                {
                    swEncrypt.Write(plainText);
                }
                encrypted = msEncrypt.ToArray();
            }
        }
    }

    return encrypted;
}

Decryption

private static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] key, byte[] iv)
{
    if (cipherText == null || cipherText.Length <= 0)
        throw new ArgumentNullException(nameof(cipherText));
    if (key == null || key.Length <= 0)
        throw new ArgumentNullException(nameof(key));
    if (iv == null || iv.Length <= 0)
        throw new ArgumentNullException(nameof(iv));

    string plaintext;
    using (var aesAlg = Aes.Create())
    {
        aesAlg.Key = key;
        aesAlg.IV = iv;

        var decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
        using (var msDecrypt = new MemoryStream(cipherText))
        {
            using (var csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
            {
                using (var srDecrypt = new StreamReader(csDecrypt))
                {
                    plaintext = srDecrypt.ReadToEnd();
                }
            }
        }

    }

    return plaintext;
}

Create an EncryptionService

public class EncryptionService
{
    private readonly KeyInfo _keyInfo;

    public EncryptionService(KeyInfo keyInfo = null)
    {
        _keyInfo = keyInfo;
    }

    public string Encrypt(string input)
    {
        var enc = EncryptStringToBytes_Aes(input, _keyInfo.Key, _keyInfo.Iv);
        return Convert.ToBase64String(enc);
    }

    public string Decrypt(string cipherText)
    {
        var cipherBytes = Convert.FromBase64String(cipherText);
        return DecryptStringFromBytes_Aes(cipherBytes, _keyInfo.Key, _keyInfo.Iv);
    }
	
    // EncryptStringToBytes_Aes and DecryptStringFromBytes_Aes above ...
}

KeyInfo is designed as a separate class to flexibly allow the user to choose to assign byte[] array or a string type Key as well as an initial vector (IV)

public class KeyInfo
{
    public byte[] Key { get; }
    public byte[] Iv { get; }

    public string KeyString => Convert.ToBase64String(Key);
    public string IVString => Convert.ToBase64String(Iv);

    public KeyInfo()
    {
        using (var myAes = Aes.Create())
        {
            Key = myAes.Key;
            Iv = myAes.IV;
        }
    }

    public KeyInfo(string key, string iv)
    {
        Key = Convert.FromBase64String(key);
        Iv = Convert.FromBase64String(iv);
    }

    public KeyInfo(byte[] key, byte[] iv)
    {
        Key = key;
        Iv = iv;
    }
}

services.AddTransient(ec => new EncryptionService(new KeyInfo("45BLO2yoJkvBwz99kBEMlNkxvL40vUSGaqr/WBu3+Vg=", "Ou3fn+I9SVicGWMLkFEgZQ==")));

The key and IV can be obtained by KeyInfo's parameterless constructor. After saving these values, you can always use this pair of key, to ensure that the subsequent encryption and decryption data are consistent.

Usage

private readonly EncryptionService _encryptionService;

public HomeController(EncryptionService encryptionService)
{
    _encryptionService = encryptionService;
}

public IActionResult Index()
{
    var str = "Hello";
    var enc = _encryptionService.Encrypt(str);
    var dec = _encryptionService.Decrypt(enc);
    return Content($"str: {str}, enc: {enc}, dec: {dec}");
}

Conclusion

ASP.NET Core comes with a Data Encryption API that is secure, easy to use, and flexible. However, that key storage and timed refresh apply only to short-aging encryption. For long-time saved static ciphertext, you can implement an encryption and decryption service on our own.

The complete sample code is on my GitHub: https://github.com/EdiWang/DotNet-Samples/tree/master/AspNet-AES-Non-DPAPI

Comments

asozyurt

1/15/2019 5:56:56 AM

Thanks for this useful article Edi.It's a good and informative blog, I'm glad to follow. Wanna ask you smt about Rss/Atom feeds.I have a blog in .Net Core too and recently added Rss/Atom support. (http://blog.asozyurt.com/rss) But there is a problem with the prolog Encoding declaration(<xml version="1.0" encoding="utf-16">)Your feed is ok with encoding utf-8. I've solved it by replacing the string but it doesn't seem right to me.Codes are in myGithub. Can you share your solution or guide me? Thanks again.

asozyurt

1/15/2019 6:06:57 AM

I think I found, https://github.com/EdiWang/Edi.Blog.OpmlFileWriter. Is it true?

Author Replied at 1/15/2019 6:36:00 AM

It's actually https://github.com/EdiWang/Edi.SyndicationFeedGenerator

Jeremy

3/25/2019 11:15:18 AM

Hi there, your article is very useful but i come to a problem when the encrypted output with character like "+" , which .net doesn't like it if I try to use the value in the URL, .net will throw back 404.11 error to prevent possibility of HTML injection, JavaScript injection or SQL injection. Can you give me some idea how to overcome this problem? Many thanks

German

5/9/2019 8:05:48 AM

Hi!

German

5/9/2019 8:06:50 AM

Hi! I've been using DataProtection to encrypt data in the database. The shared keys repository solution to sync accross machines worked for me and I didn't encounter the production problem after 90 days. I store the key ring to a UNC drive using PersistKeysToFileSystem.

Whenever the system needs to rotate a key it doesn't actually delete the old key from the key ring, it simply creates a new one at the shared filesystem location and starts using it for encrypting whenever Protect is called. This is automatically handled by the DataProtection system.

At the time of the decryption, the encrypted payload contains a header pointing to the key id in the key ring that was used to protect the data. So as long as you don't delete any keys from the key ring, DataProtection should find the key and you shouldn't have any problems decrypting data from the database.

So basically, never ever delete keys in the key ring for long lived encrypted data.

Thanks for sharing!

Germán

Author Replied at 5/9/2019 10:26:05 AM

Hi Germán, thanks for your comment. A shared location like the UNC drive you are using do prevent the problem. My scenario is that I can't use a shared drive, when the app is deployed to Azure, it uses the ASP.NET\Data Protection folder to sync across Azure App Service instances. I can use Azure KeyVault or Storage to achieve the same goal as an UNC drive. However this app is distributed to users who don't have an Azure environment, so everything should be coded decouple with Azure because I don't control the deployment and hosting environment. This is how I have to use my own encryption method. I think a better solution may be writing a custom Data Protection provider that can be configured into ASP.NET Core Data Protection API.

Vlad

7/7/2019 12:00:41 PM

Not really helpful neither does it increase the security a lot. In order to decrypt the data, you need the decryption key, which is within your application. So one attacker who gets on your server will have both, the database and the application and can still easily decrypt your data. You should rather use the DataProtection for local or Azure Key Valut for azure applications

Author Replied at 7/8/2019 2:47:55 AM

Thanks for the feedback. It is less secure indeed, but:

Azure Key Vault is the best option I can use. But not everybody uses Azure, I want to find a common way to do it.
The reason why I can't use DataProtection is explained in the post.
My web server and DB server are not on the same machine.
I never store keys in appsettings.json, on my production environment it is managed elsewhere by Azure.
3 and 4 are very common practices in web app deployments. The post explains the idea, it's always up to developers to design what's suitable for their environment. Such as storing the keys in Key Vault instead of appsettings.json, or use other encryption methods to work around DataProtection limits.

Brecht

8/17/2019 10:02:20 PM

But that's not going to solve my problem. Because by default, a new key is regenerated every 90 days, so that the ciphertext in the database will fail to decrypt again if it is not updated.

This is true, but the old keys are not deleted from your keystore. Aslong as you don't revoke a key in code or delete it manually from the key store you should always be able to decrypt your data.

Source: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-management?view=aspnetcore-2.2

They did this because rolling keys are a good practise. If a hacker could decrypt data (by brute-forcing or finding a single key) there is only data decryptable of 90 days in this case.

Martin

2/17/2020 3:42:36 PM

Hi very nice article. One question, - How can I generate the keys? And should the have a specific length?

Atle Magnussen

5/3/2020 9:24:04 PM

I have to point out some serious misinterpretation about AspNet Core DataProtection.

the Key Ring. This is the keys which are used to encrypt/protect data. The key, in which is used instead of the old "machinekey" in the old Windows world, is rolled over by default every 90 days, fully configurable.
Rolling over keys does not mean you cant decrypt old protected/decrypted pieces of data.That is why it is called a key ring, it keeps the old ones as well for decryption. Whereas you will not be allowed to encrypt with the old ones.
You mix up the key ring with another encryption key when you say that you can store the key ring in Azure key vault. You can not. You can however encrypt the key ring at rest using Azure Key vault. So that when you store your key ring on disk or database or blob storage, it will be encrypted. Because that is not the case by default.

Atle Magnussen

5/3/2020 9:45:07 PM

Sorry my first comment was bit of rubbish. I only need to point out that you can't use Azure Key Vault to store the key ring. https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers

You can however use Key Vault's assymetric keys to encrypt the key ring at rest.

And as for your problem, would it not be possible to implement your own custom key provider? See the last headline in the link

David Collins

7/27/2020 3:54:16 PM

I have a high level question, and I apologize in advance for my rudimentary knowledge of good encryption practices. I want to use the DataProtection Class for a desktop app to encrypt sensitive data and persist that encrypted data to a file. This then falls under the long-term data storage case you discuss in which I must implement an encryption and decryption service interface interface. So my question is, having encrypted data using this approach, if an attacker has admin privileges, how well-protected is that data in the encrypted file? I know that’s a vague question so let me narrow it down. Assume the attacker knows the general approach used to encrypt the file. I assume they could access the private key I use to decrypt the data and decrypt it themselves. Is that correct? If I used the “User” or “System” key, which are not retrievable, the attacker could simply write code to decrypt the data while logged in as the system or user. Do I have the right mental model here?

Author Replied at 7/30/2020 6:28:59 AM

It's correct. You should avoid storing the private key in app config or somewhere else on the server which can be found by the attacker. This is when products like Azure Key Vault comes really handy to keep the private key safe.

Tore

10/12/2020 12:28:54 PM

You can indeed store the key ring in Azure Key Vault, I wrote a driver for it here https://github.com/edumentab/AzureKeyVaultKeyRingRepository

Yes, AKV have a few limitations, but for most applications its fine. (blogpost is coming soon)

Hifni

12/3/2020 7:44:16 AM

Hi Edi, Thank You for the article. What If I needed the client to encrypt the message and send to me so that I can decrypt it and process the data? AFAIK your article says keys are generated by the Host app (Which in case the Data Protection API) and encrypts the response that goes out from the App to Client. Ideally, a Public Key should be shared with the client so that client can encrypt the request and we, the host can decrypt using a Private key. Can that be accommodated here with Data Protection API?

bigpjo

3/24/2021 3:06:52 PM

Great article, nice solution. One thing to be mindful of when talking about cryptography and aes encryption is the reuse of IV. Best practice is to use a new IV for each piece of data encrypted with the same encryption key. The AES crypto provider has a method GenerateIV, this generated IV should be appended/prefixed to the encrypted data. The decryption method can then read the IV from the data to use to decrypt.

If you use the same encryption key with the same iv and the same data the output is the same.

Microsoft MVP for Azure

My Scenario

Don't Reinvent the Wheel

Encryption and Decryption Flow

Production Blow Up!

The Solution

Encryption

Decryption

Usage

Conclusion

Comments

asozyurt

asozyurt

Jeremy

German

German

Vlad

Brecht

Martin

Atle Magnussen

Atle Magnussen

David Collins

Tore

Hifni

bigpjo