Security and DPAPI

JustWare uses the Data Protection Application Programming Interface (DPAPI) to provide client-side security. DPAPI protects the data JustWare holds on the client so that sensitive information stays confidential.
DPAPI protects confidential information with keys derived from a master key. A master key is a pseudo-random 512-bit number. Each user account has one or more randomly generated master keys, and each master key holds the material required to decrypt all of that user's confidential information. The master key itself is protected by a value derived from the user's password, which is used to encrypt the master key.
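The master-key scheme just described, as an added PowerShell illustration (it is not JustWare or Windows code): a random 512-bit master key is wrapped under a key that PBKDF2 derives from the user's password, and a wrong password or a modified blob is rejected. The key size, the SHA-1 PRF and the 4000-iteration count are the figures this page quotes; the wrapping construct (AES-256-CBC with an HMAC-SHA256 tag) and the function names are assumptions made for readability, not DPAPI's actual master-key file format.

```powershell
# Added illustration, not JustWare or Windows code: a simplified model of how DPAPI keeps a
# user's master key under the user's password. The 512-bit key, PBKDF2 (SHA-1) and the
# 4000-iteration count come from this page; AES-256-CBC plus an HMAC-SHA256 tag is an
# assumed wrapping construct, not DPAPI's real on-disk format.

function New-RandomBytes {
    param([int]$Length)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes
}

function New-MasterKey {
    # DPAPI master keys are pseudo-random 512-bit (64-byte) values.
    return ,(New-RandomBytes -Length 64)
}

function Get-PasswordDerivedKeys {
    param([string]$Password, [byte[]]$Salt, [int]$Iterations = 4000)
    # PBKDF2 (RFC 2898, SHA-1 PRF) stretches the password; the iteration count is the
    # work factor an adversary pays per guess. 64 bytes are split into an encryption key and a MAC key.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, $Iterations)
    try {
        $derived = $kdf.GetBytes(64)
    } finally {
        $kdf.Dispose()
    }
    return [pscustomobject]@{ EncKey = [byte[]]($derived[0..31]); MacKey = [byte[]]($derived[32..63]) }
}

function Protect-MasterKey {
    param([byte[]]$MasterKey, [string]$Password)
    $salt = New-RandomBytes -Length 16
    $keys = Get-PasswordDerivedKeys -Password $Password -Salt $salt
    $aes  = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $keys.EncKey
        $aes.GenerateIV()
        $wrapped = $aes.CreateEncryptor().TransformFinalBlock($MasterKey, 0, $MasterKey.Length)
        $iv = $aes.IV
    } finally {
        $aes.Dispose()
    }
    # Integrity tag over IV and ciphertext, so a modified blob is rejected before decryption.
    $tag = [System.Security.Cryptography.HMACSHA256]::new($keys.MacKey).ComputeHash([byte[]]($iv + $wrapped))
    return [pscustomobject]@{ Salt = $salt; IV = $iv; Wrapped = $wrapped; Tag = $tag }
}

function Unprotect-MasterKey {
    param($Blob, [string]$Password)
    $keys     = Get-PasswordDerivedKeys -Password $Password -Salt $Blob.Salt
    $expected = [System.Security.Cryptography.HMACSHA256]::new($keys.MacKey).ComputeHash([byte[]]($Blob.IV + $Blob.Wrapped))
    # Constant-time comparison: a wrong password and a tampered blob both fail here.
    $diff = $expected.Length -bxor $Blob.Tag.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $Blob.Tag.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $Blob.Tag[$i])
    }
    if ($diff -ne 0) { throw 'Master key blob rejected: wrong password or tampered data' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $keys.EncKey
        $aes.IV  = $Blob.IV
        return ,$aes.CreateDecryptor().TransformFinalBlock($Blob.Wrapped, 0, $Blob.Wrapped.Length)
    } finally {
        $aes.Dispose()
    }
}

# Walk-through with a constructed password (not a real credential).
$masterKey = New-MasterKey
$blob      = Protect-MasterKey -MasterKey $masterKey -Password 'correct horse battery staple'
$recovered = Unprotect-MasterKey -Blob $blob -Password 'correct horse battery staple'
"Round trip intact: $([Convert]::ToBase64String($masterKey) -eq [Convert]::ToBase64String($recovered))"
try {
    Unprotect-MasterKey -Blob $blob -Password 'wrong password' | Out-Null
} catch {
    "Wrong password: $($_.Exception.Message)"
}
```

The point of the model is the layering: the master key never leaves the machine in the clear, only its password-wrapped form is stored, and the PBKDF2 iteration count is the only thing standing between a stolen wrapped blob and an offline password guess, which is why DPAPI's 4000 iterations (and the strength of the user's password) matter.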
DPAPI is a Windows component introduced in Windows 2000 and included as a core part of Windows security in every release since. Microsoft gives a number of reasons for relying on DPAPI in the article "Windows Data Protection" on msdn.microsoft.com:

- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is cryptographically integrity protected, and secret data is wrapped using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with domain controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets, by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modifications to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes, even by processes with Administrator privileges.
Each encrypted file is passed between the client and the Web server and is stored on the client disk in the user profile. Encrypting these files is important for maintaining data integrity.
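How a client-side file is placed under DPAPI protection, as an added PowerShell example that is not JustWare's own code: System.Security.Cryptography.ProtectedData is the .NET wrapper over the Win32 CryptProtectData and CryptUnprotectData calls that the page describes. The function names, the sample file and its contents are constructed for this example. It shows the two checks a practitioner cares about when DPAPI-protected files sit in a user profile: the scope (CurrentUser binds the blob to this account's master key, LocalMachine does not), and DPAPI's built-in integrity check, which rejects a blob that has been altered on disk. The small Test-DpapiBlob helper recognises a DPAPI blob by its fixed header, which is handy when triaging files in a profile.

```powershell
# Added example, not JustWare code: protecting a file on the client with DPAPI from PowerShell.
# ProtectedData wraps CryptProtectData / CryptUnprotectData. Names and sample data are constructed.
Add-Type -AssemblyName System.Security

function Protect-FileWithDpapi {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutPath = "${Path}.dpapi",
        # CurrentUser ties the blob to this account's master key; LocalMachine lets any
        # process on the host decrypt it and is the wrong choice for per-user data.
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser',
        # Optional extra entropy: without it, any code running as this user can decrypt the blob.
        [byte[]]$Entropy = $null
    )
    $plain = [System.IO.File]::ReadAllBytes($Path)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    [System.IO.File]::WriteAllBytes($OutPath, $blob)
    return $OutPath
}

function Unprotect-FileWithDpapi {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser',
        [byte[]]$Entropy = $null
    )
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        return ,[System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when another account's profile holds the master key, the scope or entropy
        # does not match, or the blob has been altered (DPAPI integrity-checks every blob).
        throw "DPAPI could not decrypt '$Path': $($_.Exception.Message)"
    }
}

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    # Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID
    # {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}; useful when triaging files in a user profile.
    if ($Bytes.Length -lt 20) { return $false }
    $version = [BitConverter]::ToInt32($Bytes, 0)
    $guid    = [guid]::new([byte[]]($Bytes[4..19]))
    return ($version -eq 1) -and ($guid -eq [guid]'df9d8cd0-1501-11d1-8c7a-00c04fc297eb')
}

# Walk-through on a constructed sample file in the user's temp directory.
$sample = Join-Path $env:TEMP 'dpapi-sample.txt'
[System.IO.File]::WriteAllText($sample, 'constructed sample: case notes that must stay with this user account')
$protected = Protect-FileWithDpapi -Path $sample
$blobBytes = [System.IO.File]::ReadAllBytes($protected)
"Recognised as DPAPI blob: $(Test-DpapiBlob -Bytes $blobBytes)"
$plain = Unprotect-FileWithDpapi -Path $protected
"Round trip: $([System.Text.Encoding]::UTF8.GetString($plain))"

# Flip one byte of the stored blob; DPAPI's integrity check makes Unprotect fail.
$blobBytes[$blobBytes.Length - 1] = $blobBytes[$blobBytes.Length - 1] -bxor 0x01
[System.IO.File]::WriteAllBytes($protected, $blobBytes)
try { Unprotect-FileWithDpapi -Path $protected | Out-Null } catch { "Tampered blob: $($_.Exception.Message)" }
Remove-Item $sample, $protected -ErrorAction SilentlyContinue
```

Run it in a Windows PowerShell session as the user whose profile holds the files; running the same script under a different account produces the CryptographicException path, which is the behaviour the CurrentUser scope is meant to give. Files protected this way are only as safe as the account's password and the machine's user-profile access controls, which is why the list above stresses PBKDF2 iterations and integrity protection rather than the cipher alone.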