Tech Blog

Jay's Technical blog

What I don't like about DPAPI...

24 March 2004
Jay Kimble

[WARNING! This is an archived post and as such there may be things broken/missing here.. you have been warned.]

I know that right after Dev Days right now there is a big buzz about DPAPI.  I think the main reason is that it really simplifies cryptography to a point that we can essentially ignore key generation (at least this appears to be the case for every example that I haven't seen).  Key generation is defined by looking at when you want the data to be able to be decrypted (do I tie this data to the user, or to this machine, for instance).

I know that the goal here is to make it easier for “Joe Programmer” (I hate the term “Mort”) to use encryption without having to know a lot about cryptography and the cryptography framework.

Here are my problems with DPAPI.  First of all, it uses Triple-DES, which is not the absolute strongest encryption (AES/Rijndael is actually stronger).  I wish that we could determine behind the scenes how strong the encryption is (someone told me that this is possible, but it is not easy to do).

Sometimes you want to go the opposite direction and munge the data so prying eyes (of users) can't tell what it is, but that the programmer can mentally decrypt (building a simple ROT13 encryption scheme for example would accomplish this); this would let us munge the data settings in our app.config files, for instance.

There are times when I want to control the key (because I need the data to be decrypted on machines or by the people that I say should be able to decrypt it).  DPAPI actually doesn't let me set the key (at least as far as I can tell), so I give up some of the control.

Something else I would like to see MS do is give us an application block or something similar that lets us securely retrieve/store our crypto keys on a machine.  Maybe they should strip the key generation features (maybe they have) out and let me just use them so I can use this with my own encryption.
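The two points above, choosing who can decrypt (user or machine) instead of choosing a key, and wanting a secure place to keep a key you control, can be combined by generating your own AES key and letting DPAPI wrap it for storage. The following is an added example, not code from the original post; it assumes the .NET `System.Security.Cryptography.ProtectedData` wrapper over DPAPI, and the file name and entropy label are hypothetical.

```csharp
// Added example, not from the original post. Windows only; on .NET Core/.NET 5+
// reference the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiKeyStore
{
    // Hypothetical entropy label: a per-application secondary value that must be
    // supplied again on Unprotect. It is not a key and does not replace the scope.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp/settings-key/v1");

    // Generate a 256-bit key the application controls and persist it wrapped by DPAPI.
    // CurrentUser: only this Windows account can unwrap it.
    // LocalMachine: any account on this machine can unwrap it.
    public static void CreateKey(string path, DataProtectionScope scope)
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        try { File.WriteAllBytes(path, ProtectedData.Protect(key, Entropy, scope)); }
        finally { Array.Clear(key, 0, key.Length); } // wipe this copy of the raw key
    }

    // Unwrap the stored key; throws CryptographicException if the blob was produced
    // under another user/machine or with different entropy.
    public static byte[] LoadKey(string path, DataProtectionScope scope) =>
        ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, scope);

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "example-app.key"); // hypothetical file
        CreateKey(path, DataProtectionScope.CurrentUser);

        using (Aes aes = Aes.Create())
        {
            aes.Key = LoadKey(path, DataProtectionScope.CurrentUser); // our key, our cipher
            Console.WriteLine($"AES-{aes.KeySize} key loaded from DPAPI-wrapped file");
        }

        try
        {
            // Same blob, wrong entropy: DPAPI refuses to unwrap it.
            ProtectedData.Unprotect(File.ReadAllBytes(path), new byte[] { 1, 2, 3 },
                                    DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Unprotect failed with mismatched entropy");
        }
        File.Delete(path);
    }
}
```

The wrapped file is only as private as the chosen scope: with `LocalMachine`, any code running on that machine that knows the entropy value can unwrap the key.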

ASP/vbscript Codebehind

20 March 2004
Jay Kimble


I'm one of the unlucky ones who has to still deal with old ASP.  In my day job, I work on a site that is for the most part pure ASP.  I've developed a pretty cool technique to make me forget that I'm using ASP and not ASP.NET (at least I think it is cool).  I think the technique should make it easy to convert a page over to ASP.NET.

As you may or may not remember Microsoft added class support to VBScript (in one of the last iterations I think), so you can create classes in ASP.  Since I'm really in love with what codebehind gives us in ASP.Net (namely that VB code and HTML code are separated), I decided to build myself a methodology (and in my case it's not too strict of one) for doing ASP.

So I have the main asp page that looks like this (in green)

<!--#include file="codebehind/myPage_codebehind.asp"-->
<p><% page.SomeMethod %></p>
<% ' Release the page object so Class_Terminate runs
Set page = Nothing %>

In the same directory as this page I have a subdirectory called “codebehind” and in this directory I have another page called something like thispagename_codebehind.asp.  This page looks something like this (in blue)

<!-- any additional includes here -->
<%
Class myPage

  Public Sub SomeMethod()
    ' Does nothing
  End Sub

  ' Real Events
  Private Sub Class_Initialize()
     ' Initialization code goes here (as well as catches of postback)

     ' I have also built mock events here (these are simply additional methods that I call in order from here)
  End Sub

  Private Sub Class_Terminate()
     ' Close down stuff created (I could for instance keep 1 connection object throughout the entire page and close it here)
  End Sub
End Class

' Instantiate the page
Dim page
Set page = New myPage
%>

Anyway, this has the desired effect of pretty much splitting the HTML code from the VBScript code.  My suspicion is that VBScript classes may be a little slower than straight code in the page, but if you plan on doing a conversion over to ASP.NET then the cost in performance for a few months may be something worthwhile (especially when you are in my shoes where I spent a long time trying to convince my boss to let me do the conversion)...

BTW, I'm real now: I posted 1 technology item.  You can now count me as a real blogger (see this page for details)

Now I can disappear and not feel like I have a wasted blog...

Definition of a Dev Theologian

20 March 2004
Jay Kimble


Alright, I'm sure if you're one of the couple people I have invited to my blog, you may or may not be wondering what a “Dev Theologian” is.

Blame Joe Healy
Blame Joe Healy of Microsoft for it.  He inadvertently gave it to me.  Joe is the .Net Evangelist for the local region here in Florida.

It's a rather long story that I won't go heavily into, but in the course of an email conversation, I mentioned to Joe that I have a degree in Theology (actually the official title of my Degree is “B.A. in Christian Ministries”).  Joe told me that I was the first Developer Theologian that he had ever met.  I liked the name so I'm using it...

So what are you going to do here?
I want to do a comparative between the writings of St. Paul and VB.Net.  NOT!!!! 

Actually, I use my degree, but it will probably never make me a dime in the religious establishment.  Think of my degree more as a Philosophy degree with an emphasis in writing (and ancient books).

So what am I going to talk about in this Blog?  Let me start by saying that I love to code, I love new technology, and I love to look at new ways to use technology.  So I'm just like everyone else.  If anything I'm a mad coder... I have a knack for coming up with unusual ways of using technology (some of which are useful in the right context).  I will probably explore some of the philosophical aspects of us developers.  I'll also rant from time to time (thank you Rory Blythe for showing me how to rant and be funny about it).

My first post (please ignore)

20 March 2004
Jay Kimble


Ok, I have been blogging privately for a little bit.  I already know that I'll be sporadic (probably not everyday). 

But for what it is worth, <rant> what is with people?  I recently went through all the blogs at msdn.  There are entries for back in the November/December timeframe that have 1 post.  The 1 post points out that “yes, this is my first post, but I plan to write a lot more.  I have a cool perspective cause... well, I work for Microsoft.”  December was a long time ago...

I wonder what happened to this person?  I know that they wouldn't lie to me.  At least, you think they won't lie because they've never lied to me before.  I mean these people work for an important company like Microsoft and this is a technology blog (not some blog by a 14 year old girl) </rant>

Ok, I feel better.  Please ignore me, I only have 1 blog entry and it's not even technical. 

It's my intention to write more stuff.  We'll see if my intentions pan out (OK, I know I'm going to have 2 entries, but the second one won't be technical either).