
Issues with protectedData API

I have the following code, and the application works successfully sometimes, but for certain users it's not able to decrypt the password. It happens mostly on the server and in a multi-user environment; it works great on the dev machine.

using System;
using System.Security.Cryptography;

// Wrapper class and entropy field added so the snippet compiles; the question
// does not show how s_aditionalEntropy is initialized, so its value here is a
// placeholder. The class name is likewise assumed.
public static class PasswordProtector
{
    // Optional entropy that Protect and Unprotect must share. Placeholder value.
    private static readonly byte[] s_aditionalEntropy = { 9, 8, 7, 6, 5 };

    public static byte[] Protect(byte[] data)
    {
        try
        {
            // Encrypt the data using DataProtectionScope.CurrentUser. The result can be decrypted
            // only by the same current user.
            return ProtectedData.Protect(data, s_aditionalEntropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not encrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }

    public static byte[] Unprotect(byte[] data)
    {
        try
        {
            // Decrypt the data using DataProtectionScope.CurrentUser.
            return ProtectedData.Unprotect(data, s_aditionalEntropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not decrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }
}

In a server-side context you have some problems utilizing it. See details:

CurrentUser Scope: the protected data is associated with the CurrentUser; I mean, only the user that encrypted the data may manage to decrypt it - no one else. You may understand it as a routine to protect PERSONAL DATA.

LocalMachine Scope: as mentioned, it allows DIFFERENT USERS to decrypt data, but it MAY RESULT IN A SECURITY ISSUE! Using this scope, even users not in the same group/domain will decrypt the data! The control is NOT over the encryption routine, but in the User Access to that server.

If you have a public (or not under a Domain) server and need SOME GUYS to have access to a certain kind of data, you may abandon the DataProtectionScope and try a customized procedure, where:

1 - You check if the user is authorized.
2 - You provide the mechanism to encrypt and decrypt the data.
3 - You may assign different keys to different users or groups.

For details, please see this link: https://msdn.microsoft.com/en-us/library/system.security.cryptography.dataprotectionscope(v=vs.110).aspx

DataProtectionScope.LocalMachine: This scope is valid for decryption by any authenticated user on the system.

DataProtectionScope.CurrentUser: This scope is valid only for the user whose identity was used to encrypt; only that identity can decrypt it.

using System;
using System.Security.Cryptography;

// Wrapper class and entropy field added so the snippet compiles; the answer
// does not show how s_aditionalEntropy is initialized, so its value here is a
// placeholder. The class name is likewise assumed.
public static class MachineScopedProtector
{
    // Optional entropy that Protect and Unprotect must share. Placeholder value.
    private static readonly byte[] s_aditionalEntropy = { 9, 8, 7, 6, 5 };

    public static byte[] Protect(byte[] data)
    {
        try
        {
            // LocalMachine scope: any account on this machine can call Unprotect on the result.
            return ProtectedData.Protect(data, s_aditionalEntropy, DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not encrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }

    public static byte[] Unprotect(byte[] data)
    {
        try
        {
            return ProtectedData.Unprotect(data, s_aditionalEntropy, DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("Data was not decrypted. An error occurred.");
            Console.WriteLine(e.ToString());
            return null;
        }
    }
}
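The following is an added example, not code from the question or from either answer. It puts the two scopes side by side and implements the authorization step the first answer recommends: with LocalMachine scope, DPAPI lets any account on the machine decrypt, so the application's own group-membership check is the only thing that restricts who gets the plaintext. The entropy value, the class name, and the group name are placeholders; the code targets Windows, where ProtectedData is available (on .NET Core/.NET 5+ it lives in the System.Security.Cryptography.ProtectedData package).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example: scope choice plus an explicit authorization gate.
public static class ScopedSecretStore
{
    // Optional entropy is NOT a secret key. It only stops a different program on
    // the same machine from unprotecting the blob by accident (it would have to
    // pass the same bytes). Placeholder value.
    private static readonly byte[] s_entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Placeholder: the Windows group whose members may read shared secrets.
    // For a domain group this would look like @"DOMAIN\GroupName".
    private const string AuthorizedGroup = @"BUILTIN\Administrators";

    // CurrentUser scope: only the account that protected the data can unprotect it.
    // This is what breaks when a service runs under a different identity than the
    // one that originally encrypted the value (the symptom described in the question).
    public static byte[] ProtectForCurrentUser(string plaintext)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), s_entropy,
                                     DataProtectionScope.CurrentUser);
    }

    // LocalMachine scope: any account on this machine can unprotect the data, so
    // the caller must be authorized in code before the secret is released.
    public static byte[] ProtectForMachine(string plaintext)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), s_entropy,
                                     DataProtectionScope.LocalMachine);
    }

    public static string UnprotectForMachine(byte[] ciphertext)
    {
        // Authorization is the real access control here; DPAPI does not do it for us
        // once LocalMachine scope is used.
        if (!CallerIsAuthorized())
        {
            throw new UnauthorizedAccessException("Caller is not a member of " + AuthorizedGroup);
        }

        byte[] plain = ProtectedData.Unprotect(ciphertext, s_entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    private static bool CallerIsAuthorized()
    {
        // Checks the Windows identity of the current thread/process against the group.
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            return principal.IsInRole(AuthorizedGroup);
        }
    }

    public static void Main()
    {
        byte[] perUser = ProtectForCurrentUser("db-password");
        byte[] perMachine = ProtectForMachine("db-password");

        // Same account that protected it: succeeds. Run the same call under a
        // different account and it throws CryptographicException.
        byte[] back = ProtectedData.Unprotect(perUser, s_entropy, DataProtectionScope.CurrentUser);
        Console.WriteLine("CurrentUser scope: " + Encoding.UTF8.GetString(back));

        // Machine scope: any account on the box could decrypt this blob; only our
        // group check stands between the caller and the plaintext.
        try
        {
            Console.WriteLine("LocalMachine scope: " + UnprotectForMachine(perMachine));
        }
        catch (UnauthorizedAccessException e)
        {
            Console.WriteLine(e.Message);
        }
    }
}
```

Run the program once as the account that will later decrypt and once as a different account to see the difference between the two scopes: the CurrentUser blob is tied to the protecting identity, while the LocalMachine blob is readable by whoever passes the group check.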
