Use Dpapi with Shared Asp.Net Web Host?

• Previous message: Chris Rolon: "Re: Calling a webservice using Kerberos"
• Next in thread: Svein Terje Gaup: "Re: Use Dpapi with Shared Asp.Net Web Host?"
• Reply: Svein Terje Gaup: "Re: Use Dpapi with Shared Asp.Net Web Host?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 24 Jan 2005 02:57:19 -0500

Hi.

I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.

I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.

Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.

 I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!

• Previous message: Chris Rolon: "Re: Calling a webservice using Kerberos"
• Next in thread: Svein Terje Gaup: "Re: Use Dpapi with Shared Asp.Net Web Host?"
• Reply: Svein Terje Gaup: "Re: Use Dpapi with Shared Asp.Net Web Host?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Help encrypt conn string - no ASP, no server, cant protect keys, cant use Windows Authentica ... I want to deploy a .NET 2.0 Windows Forms application that uses an MS ... The database has been encoded and password ... I need a way to encrypt the connection string, ... The samples I've seen on the Internet use DPAPI and other encryption ... (microsoft.public.dotnet.security) Re: Help encrypt conn string - no ASP, no server, cant protect keys, cant use Windows Authentica ... per machine DPAPI encryption of the connection string is probably ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The database has been encoded and password ... (microsoft.public.dotnet.security) Re: Byte array to string and back - newbie question ... // Create a symmetric algorithm. ... This is done to make encryption more ... // Encrypt a string into a string using a password ... // Decrypt a byte array into a byte array using a key and an IV ... (microsoft.public.dotnet.framework.aspnet.security) Re: Connection string stored in registry ... The thing is, i dont wanna now whats best, like encryption, or a global ... has the ability to read a connection string directly from a registry ... (microsoft.public.dotnet.languages.csharp) Re: Encryption of Connection String ... I don't think ANY encryption is applied to the string by default. ... > Do you know what level of encryption IS applied to the connection string? ... >> to the SQL Server via SQL authentication the password is only ... (microsoft.public.sqlserver.security)