Re: Use Dpapi with Shared Asp.Net Web Host?
From: Svein Terje Gaup (stgaup_at_broadpark.no.spam)
Date: 01/24/05
Date: Mon, 24 Jan 2005 19:12:56 +0100
If you need to write your own DPAPI library, this might help:
http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp
DPAPI is only suitable for encrypting and decrypting stuff on the same
machine. If you need to decrypt on a different machine, DPAPI is useless.
This article explains how to encrypt and store the connection string in the
registry:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp
HTH,
Svein Terje Gaup
"Phil C." <charlestek@rcn.com> wrote in message
news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...
> Hi.
>
> I'd like to use an encrypted database connection string. I'd also like to
> use an encrypted set of customer tables with a symmetric algorithm (and a
> secure symmetric key) generated by .Net in my sql server database from
> asp.net code stored on a shared host asp.net server.
>
> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
> code posted on msdn. The dpapi should enable me to encrypt the connection
> string, but the portion of the code that calls the encryption class and
> encrypts a given string is a console application.
>
> The article accompanying the code states: "Note that you'll need to run
> the console application on the IIS server to generate the encrypted
> base-64-encoded string. This is because the EncryptString function
> instructs the DPAPI to use the machine-wide key, so the encryption and
> decryption will be valid only on the same machine."
>
> Since this is on a shared host thousands of miles away, and I don't
> believe I can run any local console code on it,
> does this mean I'm sunk????
>
> Basically I need some secure way of storing my encrypted connection string
> and storing
> my symmetric encryption key. I know how to write the code to use the
> keys and algorithms to encrypt and decrypt things.
>
> I suppose I could hide bits and pieces of each key
> in different places in the code or database and append them together by
> hardcoding, but
> I believe that that could be discovered???? by disassembling my code
> unless I use a professional obfuscator???.
>
> HELP!
>
> --Insecure in Boston, MA
> -->GO PATRIOTS!!!!!!!!!!!!!!!
>
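The machine-store behaviour discussed in this thread, as an added example that is not part of the original messages or of the MSDN code they link to. It assumes the `ProtectedData` class from .NET 2.0 or later (System.Security.dll, Windows only); the class name `MachineDpapi`, the entropy strings and the connection string are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData, DataProtectionScope
using System.Text;

// Hypothetical helper (not from the thread): DPAPI with the machine-wide key.
public static class MachineDpapi
{
    // Encrypts on THIS machine. The resulting blob can only be decrypted
    // on the same machine, which is the limitation the thread describes.
    public static string Protect(string plaintext, byte[] entropy)
    {
        if (plaintext == null) throw new ArgumentNullException("plaintext");
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        try
        {
            byte[] blob = ProtectedData.Protect(
                data, entropy, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(data, 0, data.Length); } // wipe plaintext copy
    }

    // Returns false instead of throwing when the blob is malformed, was
    // produced on another machine, or the entropy does not match.
    public static bool TryUnprotect(string base64Blob, byte[] entropy,
                                    out string plaintext)
    {
        plaintext = null;
        try
        {
            byte[] blob = Convert.FromBase64String(base64Blob);
            byte[] data = ProtectedData.Unprotect(
                blob, entropy, DataProtectionScope.LocalMachine);
            plaintext = Encoding.UTF8.GetString(data);
            Array.Clear(data, 0, data.Length);
            return true;
        }
        catch (FormatException) { return false; }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        // Constructed sample values. With LocalMachine scope any code on the
        // machine can call Unprotect, so the entropy is the only per-app secret.
        byte[] entropy = Encoding.UTF8.GetBytes("constructed-app-entropy");
        string conn = "Server=db.example.invalid;Database=Shop;User Id=app;Password=constructed";
        string blob = Protect(conn, entropy);
        string back;
        Console.WriteLine("round trip ok: " + (TryUnprotect(blob, entropy, out back) && back == conn));
        Console.WriteLine("wrong entropy ok: " + TryUnprotect(blob, Encoding.UTF8.GetBytes("other"), out back));
    }
}
```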