Use Dpapi with Shared Asp.Net Web Host?
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 01/24/05
- Next message: Svein Terje Gaup: "Re: Use Dpapi with Shared Asp.Net Web Host?"
- Previous message: Phil C.: "Re: Use Dpapi with Shared Asp.Net Web Host?"
- Next in thread: Phil C.: "Re: Use Dpapi with Shared Asp.Net Web Host?"
- Reply: Phil C.: "Re: Use Dpapi with Shared Asp.Net Web Host?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: microsoft.public.dotnet.framework.aspnet.security Date: Mon, 24 Jan 2005 12:12:08 -0800
i wrote a couple of DPAPI tools (extended the ms impl, a command line tool .. and a ASP.NET frontend) - just upload the single aspx file to the server and you can encrypt whatever strings you like with DPAPI...don't forget to secure that page (or better delete it when you are finished)
download:
http://www.leastprivilege.com/PermaLink.aspx?guid=ebd9956e-a36c-4b57-8d58-6ff79a60e43f
---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/ Hi.
I'd like to use an encrypted database connection string. I'd also like use
an encrypted set of customer tables with a symmetric algorithm (and a secure
symmetric key) generated by .Net in my sql server database from asp.net
code stored on a shared host asp.net server.
I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
code posted on msdn. The dpapi should enable me to encrypt the connection
string, but the portion of the code that calls the encryption class and
encrypts a given string is a console application.
The article accompanying the code states: "Note that you'll need to run the
console application on the IIS server to generate the encrypted
base-64-encoded string. this is because the EncryptString function
instructs the DPAPI to use the machine-wide key, so the encryption and
ecryption will be valid only on the same machine.
Since this is on a shared host thousands of miles away, and I don't belive
I can run any local console code on it,
does this mean I'm sunk????
Basically I need some secure way of storing my encrypted connection string
and storing
my symmetric encryption key. I know how to write the code to use the keys
and algorithms to encrypt and decrypt things.
I suppose I could hide bits and pieces of the each key
in different places in the code or database and append them together by
hardcoding, but
I believe that that could be discovered???? by dissassembling my code unless
I use a professional obfuscator???.
HELP!
--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!
[microsoft.public.dotnet.framework.aspnet.security]
Relevant Pages
... I want to deploy a .NET 2.0 Windows Forms application that uses an MS ... The database has been encoded and password ... I need a way to encrypt the connection string, ... The samples I've seen on the Internet use DPAPI and other encryption ...
(microsoft.public.dotnet.security)
... per machine DPAPI encryption of the connection string is probably ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The database has been encoded and password ...
(microsoft.public.dotnet.security)
... // Create a symmetric algorithm. ... This is done to make encryption more ... // Encrypt a string into a string using a password ... // Decrypt a byte array into a byte array using a key and an IV ...
(microsoft.public.dotnet.framework.aspnet.security)
... The thing is, i dont wanna now whats best, like encryption, or a global ... has the ability to read a connection string directly from a registry ...
(microsoft.public.dotnet.languages.csharp)
... an encrypted archive utility designed for secure archiving ... A match string allows you to only extract files matching a given ... Encrypt the string s using passwd and encryption cipher enc ...
(comp.lang.python)
