Hardcoded DPAPI entropy string in ProtectedKeyProvider weakens defense-in-depth

[Christophe-Rogiers]

Description

In src/Servy.Core/Security/ProtectedKeyProvider.cs (line 29):

private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("Servy-Entropy-Secure-Key-Storage");

This static entropy value is passed to ProtectedData.Protect() / Unprotect() (DPAPI). The purpose of the entropy parameter is to limit which applications can decrypt the protected data — it acts as a shared secret between the encrypting and decrypting code.

Since this value is hardcoded in the source code (and thus embedded in the compiled binary), anyone with access to the binary can extract it. Combined with access to the DPAPI-protected key files on the target machine (C:\ProgramData\Servy\security\aes_key.dat), an attacker can call ProtectedData.Unprotect() with this entropy to recover the master key.

Severity

Warning — weakens the intended defense-in-depth layer. Exploitable only when combined with access to the target machine's key files, but the entropy value is meant to add an additional protection layer that is currently ineffective.

Suggested fix

Consider moving the entropy to an external protected configuration source (e.g., a machine-level registry key with restricted ACLs, or a separate DPAPI-protected file), so that possession of the binary alone is not sufficient to derive the entropy.

Alternatively, document this as an accepted limitation — DPAPI's primary protection is the user/machine scope, and the entropy is a secondary layer.

[aelassas]

Thanks for pointing out the limitations of static entropy. I have addressed this by implementing two synergistic security layers that neutralize both the Local Privilege Escalation (LPE) and the Master Key portability risks.

1. Access Control Layer (The "Front Door")
I implemented SecurityHelper.CreateSecureDirectory for all sensitive paths. This method breaks inheritance and explicitly purges the Users, Authenticated Users, and Everyone groups. By default, only SYSTEM and Administrators (plus the current installation identity) have access.
Result: A local non-admin attacker can no longer read the encrypted .dat files. Without the ciphertext, knowing the entropy is useless.

2. Dynamic Machine-Bound Entropy (The "Secret")
I replaced the hardcoded static string with a dynamic value derived from the Windows MachineGuid.
Result: The entropy is now unique to each OS installation. Even if an attacker possesses the Servy binary and the "method" of encryption, they cannot decrypt stolen key files on a different machine because the MachineGuid acts as a machine-specific "salt" that is non-portable.

Fixed in: ProtectedKeyProvider.cs and SecurityHelper.cs.
Migration: v7.9 includes an auto-migration path that transparently upgrades legacy (no-entropy) keys to this new hardened format.

Why this is "Safe" (The Explanation)

The reason we can be confident in this approach, even though the "method" of using MachineGuid is public, is the shift from Security through Obscurity to Security by Design.

1. The ACLs Solve the "Local" Problem
Security starts at the filesystem. By locking the folder to SYSTEM and Admins, we've moved the goalposts. For an attacker to even see the .dat files, they would first need to exploit a different vulnerability to gain Admin rights. If they already have Admin rights, they don't need to "crack" the key; they already control the entire operating system.

2. The MachineGuid Solves the "Global" Problem
In the previous version, a hardcoded string was a Global Secret. If one person found it, every Servy install was compromised. By using the MachineGuid:

• The secret is now a Local Secret.
• It follows Kerckhoffs's Principle: the security of the system rests entirely on the key (the MachineGuid), which is unique to each machine and unknown to anyone who doesn't have local access to that specific computer.

3. DPAPI Ties it to the OS
Because we are still using DPAPI (DataProtectionScope.LocalMachine), Windows adds its own internal master key to the mix. So even if someone knows the MachineGuid and steals the file, they still can't decrypt it on their own machine because their Windows instance doesn't have the internal DPAPI keys that the OS generated.

Summary Table

Attack Vector	Previous (v7.8)	New (v7.9)	Why it's Safe
Local Non-Admin	Could read/delete files via C:\ProgramData defaults.	Access Denied.	Folder-level ACLs (The "Front Door") are locked.
Binary Analysis	Could find a hardcoded secret in the code.	Finds a dynamic, hardware-bound method.	An attacker doesn't have the machine's unique MachineGuid.
Local App Access	Any app/script on the PC could decrypt (No Entropy).	Blocked.	DPAPI now requires the machine-unique "Combination" to open.
Machine Portability	Machine-bound by DPAPI (OS-level).	Double-Locked.	Moving files to a new PC fails both the OS check and the Entropy check.

By locking the "Front Door" (ACLs) and changing the "Safe Combination" (MachineGuid), we've followed the industry standard for securing service secrets.