I'm using an identical call to "CryptUnprotectData" (exposed from Crypt32.dll) between XP and Vista. Works fine in XP. I get the following exception when I run in Vista:

"Decryption failed. Key not valid for use in specified state."

As expected, the versions of crypt32.dll are different between XP and Vista (with XP actually having the more recent one, possibly as a result of SP3 or some other update).

More specifically, I'm encrypting data, putting it in the registry, then reading and decrypting using "CryptUnprotectData". UAC is turned off.

Anyone seen this one before?

+2  A: 

The CryptUnprotectData function documentation states that it usually only works when the user has the same logon credentials as the encrypter.

This suggests to me that maybe the key is tied to the user's current token. Since you mention Vista, this makes me think UAC and restricted tokens.

Can you show us some code? Can you give us more information about what you're doing with the data -- i.e. are you moving it between processes, or users, or computers?

Roger Lipscombe
A: 

Nice. Hopefully this is my bone-head move of the week! ;-)

This suggests to me that maybe the key is tied to the user's current token.

That was it. Turns out I was using encrypted data from another machine (the XP one) and trying to decrypt on the Vista machine.

As the MSDN documentation states:

Usually, only a user with the same logon credentials as the encrypter can decrypt the data. In addition, the encryption and decryption must be done on the same computer.

Once I re-encrypted the data on the Vista machine, decryption works as expected.

Thanks.

scottmarlowe
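The round trip the question describes, written out as an added example (Windows PowerShell; not code from the question or either answer). [System.Security.Cryptography.ProtectedData] is the .NET wrapper over CryptProtectData and CryptUnprotectData in crypt32.dll, so it fails in exactly the same way when the blob comes from another machine or another logon. The registry path, value name and entropy string are hypothetical choices for the demo.

```powershell
# Added example (not from the original post): round-trip a secret through DPAPI
# via the registry, as the question describes, and handle the failure that
# appears when the blob was protected on another machine or under another logon.
# [ProtectedData] is the .NET wrapper over CryptProtectData / CryptUnprotectData.
Add-Type -AssemblyName System.Security

# Hypothetical key path and value name; any writable key works.
$RegPath   = 'HKCU:\Software\DpapiDemo'
$ValueName = 'Secret'
# Optional entropy is mixed into the derived key. It is not a secret in itself, but
# it stops other code running as the same user (or, with LocalMachine scope, any
# user on the box) from unprotecting the blob just by finding it in the registry.
$Entropy = [Text.Encoding]::UTF8.GetBytes('DpapiDemo-entropy-v1')

function Protect-ToRegistry {
    param(
        [Parameter(Mandatory)][string]$Plaintext,
        # CurrentUser is the CryptProtectData default; LocalMachine corresponds to
        # CRYPTPROTECT_LOCAL_MACHINE. Neither scope makes the blob portable to
        # another computer.
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($Plaintext), $Entropy, $Scope)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Store as REG_BINARY so the opaque blob is not mangled by string conversion.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $blob -Type Binary
    return $blob.Length
}

function Unprotect-FromRegistry {
    param([System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser')
    [byte[]]$blob = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
        return [Text.Encoding]::UTF8.GetString($plain)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # NTE_BAD_KEY_STATE (0x8009000B) is the "Key not valid for use in specified
        # state" error from the question: the DPAPI master key that protected this
        # blob is not available to this logon on this machine. On .NET Framework the
        # exception carries the Win32 error in HResult.
        $hr = $_.Exception.HResult -band 0xFFFFFFFF
        if ($hr -eq 0x8009000B) {
            Write-Warning 'Blob was protected on another machine or under another logon; re-protect it here.'
        } else {
            Write-Warning ('CryptUnprotectData failed: 0x{0:X8} {1}' -f $hr, $_.Exception.Message)
        }
        return $null
    }
}

# Round trip on the same machine and logon: returns the plaintext.
$null = Protect-ToRegistry -Plaintext 'db-password-example'
Unprotect-FromRegistry

# Copy HKCU\Software\DpapiDemo\Secret to another computer (or run this under a
# different account) and call Unprotect-FromRegistry there: it lands in the
# CryptographicException branch instead of returning the plaintext.
```

Two caveats worth keeping in mind when using this pattern. LocalMachine scope only widens who on the same computer can unprotect the blob (any process on that machine), which is why the entropy argument matters more there; it does not make the blob readable on a second machine. The one documented exception to the same-computer rule is a domain user with a roaming profile, whose DPAPI master keys travel with the profile; for anything else that has to move between machines, DPAPI is the wrong tool and the data needs a key you manage yourself.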