Re: Help Encrypting Connection String
- From: "FlyFishGuy" <FlyFishGuy@xxxxxxxxxxxxx>
- Date: Sat, 7 Jan 2006 17:18:10 -0500
My main concern is the decryption side of the equation. I'm using ASP
membership and profiling, but I have to do it on SQL Server instead of SQL
Express because my Web Host does not support Express. Currently, I have
simply 'overridden' the LocalSqlServer connection string to point to my SQL
Server DB.

Will either of the suggested encryption models support me being able to
proceed this way? If I'm retrieving the connection string in my own code, I
don't see any issues, but since ASP is utilizing the same connection string
under the hood for membership etc, will I be able to get ASP to decrypt the
connection string for its own use?

Thanks

"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be6318baa18c7e1cc57458320@xxxxxxxxxxxxxxxxxxxxx
> hi,
> the "best" way is to use DPAPI - because you don't have to do your own key
> management. There are a lot of wrappers out there, e.g.
>
> http://www.leastprivilege.com/DPAPITools.aspx
>
> the tool you are referring to is called aspnet_setreg - it uses DPAPI to
> encrypt the section and places it into web.config - the config file then
> refers to the reg key.
>
> in 2.0 you can encrypt nearly all config sections out of the box using the
> ProtectedConfiguration provider - there you have the choice of using DPAPI
> or RSA keys.
> There are some sections that you can't encrypt (basically a chicken/egg
> problem or sections that have to be read before managed code is run) -
> there again you have to use aspnet_setreg.
>
> My recommendation : use DPAPI (either the wrapped API in 1.1 or
> protectedconfig in 2.0).
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Enterprise Library (either the June 2005 release for .NET 1.1 or the
>> upcoming 2.0 release for .NET 2.0) can "magically" encrypt parts of
>> your configuration file. You can also use the Ent Lib cryptography
>> block to encrypt and decrypt arbitrary strings, so that will certainly
>> work for what you want to do.
>>
>> Ent Lib also has a notion of a data access block that allows you to
>> configure connection strings with a graphical tool and encrypt the
>> whole section on the fly if you want. You can programmatically
>> retrieve connection strings defined in the configuration if you want.
>> Essentially, it offers a variety of ways to solve your problem
>> easily.
>>
>> With .NET 1.1, you need the aspnet_regiis thing to encrypt parts of
>> the config file, but .NET 2.0 has more options. I'm not really up on
>> them yet though so I can't comment on how all of that new stuff works
>> yet.
>>
>> Joe K.
>>
>> "FlyFishGuy" <FlyFishGuy@xxxxxxxxxxxxx> wrote in message
>> news:OnpiE8wEGHA.4036@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>> I'm certainly OK with starting basic and becoming more aggressive as
>>> my level of understanding increases. I think I like hardcoding the
>>> key as opposed to putting it directly in web.config. I don't like to
>>> hardcode anything, in general, but I'd rather do that with an
>>> encryption key than the underlying data itself.
>>>
>>> Ivan's code is pretty straightforward, but I've had this vision
>>> (based on some of the articles I've seen) that I could simply encrypt
>>> the section in web.config and the framework would decrypt on-the-fly.
>>> Perhaps this is only when using the aspnet_regiis method or perhaps
>>> I'm just confused.
>>>
>>> Regarding the Enterprise Library, I've not heard of it before and I'm
>>> all about high level classes and nice GUIs. I keep discovering neat
>>> tools scattered about the place. It looks like 2.0 is not out yet,
>>> but v1.1 is supposed to be compatible. I don't have much of a code
>>> investment in 1.1 but I understand that many best practices have
>>> changed. Should I just wait for 2.0 before diving in?
>>>
>>> Thanks Joe
>>>
>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
>>> wrote in message news:%23WsXSlvEGHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>>> The biggest decision for you here is how you want to store the
>>>> encryption key. If you are ok with keeping the key in plain text in
>>>> your web.config file or just hard-coding it in your code, then this
>>>> is pretty easy. That won't ward off determined hackers, but it
>>>> should prevent casual snooping.
>>>>
>>>> For samples of simple symmetric encryption going back and forth
>>>> between strings (which is probably what you want), I like Ivan's
>>>> sample on www.dotnetthis.com. It is C#, but easy to adapt/convert.
>>>>
>>>> I also like the crypto capabilities in Enterprise Library for doing
>>>> this stuff as it makes it very simple to use and has nice config
>>>> support for storing the key and a nice GUI for configuring all of
>>>> it.
>>>>
>>>> Joe K.
>>>>
>>>> "FlyFishGuy" <FlyFishGuy@xxxxxxxxxxxxx> wrote in message
>>>> news:uouuXHvEGHA.2320@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>>> I am trying to perform the most basic encryption of my connection
>>>>> string in web.config and I am totally lost. Before someone flames
>>>>> me for not researching before posting, let me tell you that I have
>>>>> read literally dozens of explanations and blogs on this and I am
>>>>> more confused than ever.
>>>>>
>>>>> Every article I have read starts out with stating what a breeze
>>>>> this is to do, but by the time I get to the 3rd paragraph, either
>>>>> my head is spinning with encryption technicalities or they assume
>>>>> that I can run aspnet_regiis on the server. I don't host my web
>>>>> server, like many people, and I find this assumption obnoxious. To
>>>>> make matters worse, virtually every article I've read has a
>>>>> different methodology to perform the encryption. I understand that
>>>>> there are many ways to skin the same cat in .NET, but I'm looking
>>>>> for simple, if it exists. I never used the 2005 beta, and I'm
>>>>> guessing that many of these articles are referring to functionality
>>>>> that has subsequently changed.
>>>>>
>>>>> I'm not trying to hide anything from the NSA. I simply wish to
>>>>> prevent some scumbag from trashing my site.
>>>>> If I have to spend 40 hours becoming an encryption guru before I
>>>>> can do this, then that's fine. I just wish that someone would be up
>>>>> front about this and stop stating what a snap it is. If it really is
>>>>> a snap could someone please provide me a link to some code that is
>>>>> current, accurate, and unassuming. VB is my language, but I'll
>>>>> certainly settle for some C# code.
>>>>> Thanks
>>>>>
>
>
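
On the question at the top of this message (whether ASP.NET itself can read an encrypted LocalSqlServer connection string for membership and profile), the following is an added example and is not code from any poster in this thread. It assumes the .NET 2.0 protected configuration feature mentioned in the quoted reply, an application that has write access to its own web.config and enough trust to call the configuration API; the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not from the thread. Intended to be called once on the
// hosting server (for instance from a one-off admin page), which avoids
// needing command-line access to run aspnet_regiis.
public static class ConnectionStringProtector
{
    // Name of the built-in DPAPI provider registered in machine.config (.NET 2.0).
    private const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the application's web.config in place.
    // appVirtualPath: e.g. HttpRuntime.AppDomainAppVirtualPath.
    // Returns true if this call encrypted the section, false if it already was.
    public static bool Protect(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("connectionStrings is locked by a parent config file.");
        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // The configuration system decrypts a protected section when it is loaded,
    // so this read is identical before and after Protect(). The membership and
    // profile providers resolve "LocalSqlServer" through the same configuration
    // system, so an overriding entry (<remove name="LocalSqlServer"/> followed by
    // <add name="LocalSqlServer" .../>) keeps working once the section is encrypted.
    public static string ReadLocalSqlServer()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings["LocalSqlServer"];
        return s == null ? null : s.ConnectionString;
    }
}
```

The DPAPI provider uses the machine key store by default, so the section has to be encrypted on the hosting server itself and will not decrypt if the file is copied to another machine.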