Re: Use Dpapi with Shared Asp.Net Web Host?

From: Svein Terje Gaup (stgaup_at_broadpark.no.spam)
Date: 01/24/05


Date: Mon, 24 Jan 2005 21:18:36 +0100

I'm not sure if this would work, but I guess you could try using asymmetric
encryption. You could then store your public key and the encrypted
connection string in the web.config file on the web server. To decrypt the
connection string and connect to the database, the user connects using SSL,
passing the private key (as a kind of password). You might then store the
private key in the user's context during the session.

Ah... you probably can't connect using SSL either since you don't have
access to the server? Or can you?

You could also use DPAPI as you suggested, but you should not use a console
application, but rather encapsulate your DPAPI code in a DLL file, as
suggested in this MSDN article:
http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT07.asp.

DPAPI consists of unmanaged code, so you will have to sign the component.
I'm not sure, however, if even signing will be enough to allow the component
to be used on the shared webserver. This depends on the ISP's CAS policy.

You can then make an application (one aspx file) that by using the DPAPI
library encrypts the connection string in web.config. After the encryption
has been done, for security reasons, you would have to remove the
application from the server, so no-one could use it to "double-encrypt" your
connection string.

Just a few thoughts...
Svein Terje Gaup

"Phil C." <charlestek@rcn.com> wrote in message
news:exsLpekAFHA.3528@tk2msftngp13.phx.gbl...
> Thanks, Svein
>
> Since the only directory I have access to on the web host server is a
> given asp.net directory for my files, I seriously doubt I would for
> security reasons be allowed to access the registry. Therefore, my
> alternatives do not look good at all.
>
> Phil
>
> "Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
> news:%23QKBVBkAFHA.1452@TK2MSFTNGP11.phx.gbl...
>> If you need to write your own DPAPI library, this might help:
>> http://msdn.microsoft.com/security/securecode/dotnet/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT08.asp
>>
>> DPAPI is only suitable for encrypting and decrypting stuff on the same
>> machine. If you need to decrypt on a different machine, DPAPI is useless.
>>
>> This article explains how to encrypt and store the connection string in
>> the registry:
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod25.asp
>>
>> HTH,
>> Svein Terje Gaup
>>
>> "Phil C." <charlestek@rcn.com> wrote in message
>> news:OXd0npeAFHA.2076@TK2MSFTNGP15.phx.gbl...
>>> Hi.
>>>
>>> I'd like to use an encrypted database connection string. I'd also like
>>> use an encrypted set of customer tables with a symmetric algorithm (and
>>> a secure symmetric key) generated by .Net in my sql server database
>>> from asp.net code stored on a shared host asp.net server.
>>>
>>> I've downloaded a set of vb.net code that is a rewrite of the c# dpapi
>>> code posted on msdn. The dpapi should enable me to encrypt the
>>> connection string, but the portion of the code that calls the encryption
>>> class and encrypts a given string is a console application.
>>>
>>> The article accompanying the code states: "Note that you'll need to run
>>> the console application on the IIS server to generate the encrypted
>>> base-64-encoded string. This is because the EncryptString function
>>> instructs the DPAPI to use the machine-wide key, so the encryption and
>>> decryption will be valid only on the same machine."
>>>
>>> Since this is on a shared host thousands of miles away, and I don't
>>> believe I can run any local console code on it, does this mean I'm
>>> sunk????
>>>
>>> Basically I need some secure way of storing my encrypted connection
>>> string and storing my symmetric encryption key. I know how to write the
>>> code to use the keys and algorithms to encrypt and decrypt things.
>>>
>>> I suppose I could hide bits and pieces of each key in different places
>>> in the code or database and append them together by hardcoding, but I
>>> believe that that could be discovered???? by disassembling my code
>>> unless I use a professional obfuscator???.
>>>
>>> HELP!
>>>
>>> --Insecure in Boston, MA
>>> -->GO PATRIOTS!!!!!!!!!!!!!!!
>>>
>>
>>
>
>
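As an added illustration of the machine-scoped DPAPI round trip the thread keeps coming back to (this is not code from the thread or from the MSDN samples it links): it uses the managed ProtectedData wrapper that shipped with .NET 2.0 instead of the P/Invoke code of the time, and the class names, entropy value and connection string are all constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not the MSDN sample the thread refers to.
// ProtectedData (System.Security.dll, .NET 2.0+) wraps CryptProtectData,
// so no unmanaged code of your own has to be signed and deployed.
public static class MachineDpapi
{
    // Optional entropy is mixed into the DPAPI key, so another process on
    // the same machine (another tenant of a shared host, for example) cannot
    // decrypt the blob just by calling CryptUnprotectData with machine scope.
    // Constructed sample value; keep a real one outside web.config.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-entropy-not-a-real-secret");

    // Machine-wide key: the ciphertext is only decryptable on this machine,
    // which is exactly the caveat in the quoted MSDN note.
    public static string Protect(string plaintext)
    {
        byte[] clear = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = ProtectedData.Protect(clear, Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    public static string Unprotect(string base64)
    {
        byte[] blob = Convert.FromBase64String(base64);
        byte[] clear = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(clear);
    }
}

// One-off use, run on the web server itself (a page or console program).
public static class Demo
{
    public static void Main()
    {
        // Constructed sample connection string.
        string connectionString = "Server=db.example;Database=shop;User Id=app;Password=example";
        string stored = MachineDpapi.Protect(connectionString);
        Console.WriteLine("Value to place in web.config: " + stored);
        // Round trip succeeds on the same machine; on any other machine
        // Unprotect throws a CryptographicException.
        Console.WriteLine(MachineDpapi.Unprotect(stored) == connectionString);
    }
}
```

Once the encrypted value is in web.config, the page or program that produced it should be removed from the server, as the reply above suggests.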
