I'm looking into using Windows' Data Protection API (DPAPI) to encrypt some data. One requirement I have is to use a Dynamic Salt when encrypting values.
I have noticed through testing that if I encrypt the same string multiple times, I get a different result. This is with using the same string, null Entropy value, and same scope.
This makes me FEEL as though there is a dynamic salt involved already. I am not seeing any documentation stating this.
Here is the method I am calling: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata.protect?view=netframework-4.7.2
Does DPAPI handle dynamic salting already? If not, what is causing the encrypted values to change each time?
The MasterKey, however, is not used explicitly to protect the data. Instead, a symmetric session key is generated based on the MasterKey, some random data, and any additional entropy, if an application chooses to supply it. It is this session key that is used to protect the data.
[...]
The session key is never stored. Instead, DPAPI stores the random data it used to generate the key in the opaque data BLOB. When the data BLOB is passed back in to DPAPI, the random data is used to re-derive the key and unprotect the data.
https://msdn.microsoft.com/en-us/library/ms995355.aspx
This random data included in the encrypted data acts as a salt.
The intention of the optionalEntropy parameter is to allow individual applications to protect themselves from other applications running under the same user account and is not required to increase the effectiveness of the salting already performed.
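
The behaviour discussed above can be checked directly against the ProtectedData API. This is an added example, not code from the question or the answer; the class name and the sample strings are constructed for illustration, and it runs on Windows only.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// .NET Framework: reference System.Security.dll.
// .NET Core / .NET 5+: add the System.Security.Cryptography.ProtectedData package.
static class DpapiSaltDemo   // hypothetical name
{
    static void Main()
    {
        // Constructed sample values.
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample secret");
        byte[] appEntropy = Encoding.UTF8.GetBytes("constructed-app-entropy");
        var scope = DataProtectionScope.CurrentUser;

        // Same plaintext, null entropy, same scope: the test from the question.
        byte[] blobA = ProtectedData.Protect(secret, null, scope);
        byte[] blobB = ProtectedData.Protect(secret, null, scope);
        Console.WriteLine("blobs differ: " + !blobA.SequenceEqual(blobB));

        // Each blob carries the random data used for its own session key,
        // so both decrypt to the same plaintext without any caller-side salt.
        bool roundTrip =
            ProtectedData.Unprotect(blobA, null, scope).SequenceEqual(secret) &&
            ProtectedData.Unprotect(blobB, null, scope).SequenceEqual(secret);
        Console.WriteLine("both round-trip: " + roundTrip);

        // optionalEntropy is a secret the caller must supply again on Unprotect.
        // It is not stored in the blob, unlike the random data.
        byte[] blobC = ProtectedData.Protect(secret, appEntropy, scope);
        try
        {
            ProtectedData.Unprotect(blobC, null, scope);
            Console.WriteLine("unexpected: decrypted without the entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("without the entropy: Unprotect fails");
        }

        bool withEntropy =
            ProtectedData.Unprotect(blobC, appEntropy, scope).SequenceEqual(secret);
        Console.WriteLine("with the entropy: " + withEntropy);
    }
}
```

Because the entropy value has to be available at decryption time, the application must keep it somewhere other applications under the same account cannot read, otherwise it adds nothing.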