CryptoAPI and DPAPI are not thread-safe :-( !

Today, while stress-testing a web application for a customer of mine, I discovered an issue in a piece of code working with DPAPI: CryptoAPI is not thread-safe!

As my friend and colleague Marco discovered through this Microsoft newsgroup post, it's an issue "by design".

So, in order to avoid this problem, I had to review my code (originally based on the MSDN DPAPI C# sample library) to add synchronization logic of my own.

The problem doesn't matter in situations where you use DPAPI just to protect global, one-time-read information such as connection strings and process impersonation identities, although I still suggest acquiring a lock on resources before accessing them. On the other hand, it becomes an annoying issue if you use DPAPI intensively and from multiple threads, as in my application.
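One way to serialize DPAPI access as described above, shown as an added example that is not the code from this post. It assumes the .NET `ProtectedData` class (Windows only) instead of the MSDN sample library's own wrapper; `SynchronizedDpapi` and `StressCheck` are hypothetical names, and the secrets are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical wrapper: every DPAPI call in the process goes through one lock.
public static class SynchronizedDpapi
{
    // Private static readonly: shared by all threads, unreachable by outside code.
    private static readonly object Gate = new object();

    public static byte[] Protect(byte[] plaintext, byte[] entropy = null,
        DataProtectionScope scope = DataProtectionScope.CurrentUser)
    {
        if (plaintext == null) throw new ArgumentNullException(nameof(plaintext));
        lock (Gate) { return ProtectedData.Protect(plaintext, entropy, scope); }
    }

    public static byte[] Unprotect(byte[] blob, byte[] entropy = null,
        DataProtectionScope scope = DataProtectionScope.CurrentUser)
    {
        if (blob == null) throw new ArgumentNullException(nameof(blob));
        lock (Gate) { return ProtectedData.Unprotect(blob, entropy, scope); }
    }
}

public static class StressCheck
{
    // Round-trips constructed secrets from many threads; returns the failure count.
    public static int Run(int iterations = 10000)
    {
        int failures = 0;
        Parallel.For(0, iterations, i =>
        {
            byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-secret-" + i);
            try
            {
                byte[] back = SynchronizedDpapi.Unprotect(SynchronizedDpapi.Protect(secret));
                if (!back.SequenceEqual(secret)) Interlocked.Increment(ref failures);
            }
            catch (CryptographicException) { Interlocked.Increment(ref failures); }
        });
        return failures;
    }

    public static void Main() => Console.WriteLine("failures: " + Run());
}
```

A single process-wide lock trades throughput for safety; for one-time-read secrets, decrypting once at startup and caching the result keeps the lock off the request path.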

 

2 Comments

  • I do feel obliged to point out that the newsgroups post is 5 years old; it's possible that it's been fixed since then.

    The Cert backup&restore APIs clearly require that they run in an STA, so...

    MSDN is mute on the threading issue unfortunately.

  • Larry, you're right: the post is 5 years old. By the way, my tests were run yesterday, and they showed that under certain circumstances CryptoAPI fails to work if used in a stressed multithreaded environment.

    As you already noticed, the real problem is that, if I'm not wrong, MSDN seems to be mute on the thread safety of CryptoAPI, and it shouldn't be, I guess.
