Re: Help Encrypting Connection String



hi,

you mean classic ASP??

sure - you can call DPAPI via COM Interop.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

My main concern is the decryption side of the equation. I'm using ASP
membership and profiling, but I have to do it on SQL Server instead of
SQL Express because my Web Host does not support Express. Currently, I
have simply 'overridden' the LocalSqlServer connection string to point
to my SQL Server DB.

Will either of the suggested encryption models support me being able
to proceed this way? If I'm retrieving the connection string in my own
code, I don't see any issues, but since ASP is utilizing the same
connection string under the hood for membership etc, will I be able to
get ASP to decrypt the connection string for its own use?

Thanks

"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4580be6318baa18c7e1cc57458320@xxxxxxxxxxxxxxxxxxxxx

hi,
the "best" way is to use DPAPI - because you don't have to do your
own key management. There are a lot of wrappers out there, e.g.
http://www.leastprivilege.com/DPAPITools.aspx

the tool you are referring to is called aspnet_setreg - it uses DPAPI
to encrypt the section and places it into web.config - the config
file then refers to the reg key.

in 2.0 you can encrypt nearly all config sections out of the box using
the ProtectedConfiguration provider - there you have the choice of
using DPAPI or RSA keys.
There are some sections that you can't encrypt (basically a chicken/egg
problem or sections that have to be read before managed code is run) -
there again you have to use aspnet_setreg.
My recommendation: use DPAPI (either the wrapped API in 1.1 or
protectedconfig in 2.0).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Enterprise Library (either the June 2005 release for .NET 1.1 or the
upcoming 2.0 release for .NET 2.0) can "magically" encrypt parts of
your configuration file.  You can also use the Ent Lib cryptography
block to encrypt and decrypt arbitrary strings, so that will
certainly work for what you want to do.

Ent Lib also has a notion of a data access block that allows you to
configure connection strings with a graphical tool and encrypt the
whole section on the fly if you want.  You can programmatically
retrieve connection strings defined in the configuration if you
want. Essentially, it offers a variety of ways to solve your
problem easily.

With .NET 1.1, you need the aspnet_regiis thing to encrypt parts of
the config file, but .NET 2.0 has more options.  I'm not really up
on them yet though so I can't comment on how all of that new stuff
works yet.

Joe K.

"FlyFishGuy" <FlyFishGuy@xxxxxxxxxxxxx> wrote in message
news:OnpiE8wEGHA.4036@xxxxxxxxxxxxxxxxxxxxxxx

I'm certainly OK with starting basic and becoming more aggressive
as my level of understanding increases. I think I like hardcoding
the key as opposed to putting it directly in web.config. I don't
like to hardcode anything, in general, but I'd rather do that with
an encryption key than the underlying data itself.

Ivan's code is pretty straightforward, but I've had this vision
(based on some of the articles I've seen) that I could simply
encrypt the section in web.config and the framework would decrypt
on-the-fly. Perhaps this is only when using the aspnet_regiis
method or perhaps I'm just confused.

Regarding the Enterprise Library, I've not heard of it before and
I'm all about high level classes and nice GUIs. I keep discovering
neat tools scattered about the place. It looks like 2.0 is not out
yet, but v1.1 is supposed to be compatible. I don't have much of a
code investment in 1.1 but I understand that many best practices
have changed. Should I just wait for 2.0 before diving in?

Thanks Joe

"Joe Kaplan (MVP - ADSI)"
<joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23WsXSlvEGHA.1028@xxxxxxxxxxxxxxxxxxxxxxx

The biggest decision for you here is how you want to store the
encryption key.  If you are ok with keeping the key in plain text
in your web.config file or just hard-coding it in your code, then
this is pretty easy.  That won't ward off determined hackers, but
it should prevent casual snooping.

For samples of simple symmetric encryption going back and forth
between strings (which is probably what you want), I like Ivan's
sample on www.dotnetthis.com.  It is C#, but easy to
adapt/convert.

I also like the crypto capabilities in Enterprise Library for
doing this stuff as it makes it very simple to use and has nice
config support for storing the key and a nice GUI for configuring
all of it.

Joe K.

"FlyFishGuy" <FlyFishGuy@xxxxxxxxxxxxx> wrote in message
news:uouuXHvEGHA.2320@xxxxxxxxxxxxxxxxxxxxxxx

I am trying to perform the most basic encryption of my connection
string in web.config and I am totally lost. Before someone flames
me for not researching before posting, let me tell you that I
have read literally dozens of explanations and blogs on this and
I am more confused than ever.

Every article I have read starts out with stating what a breeze
this is to do, but by the time I get to the 3rd paragraph, either
my head is spinning with encryption technicalities or they assume
that I can run aspnet_regiis on the server. I don't host my web
server, like many people, and I find this assumption obnoxious.
To make matters worse, virtually every article I've read has a
different methodology to perform the encryption. I understand
that there are many ways to skin the same cat in .NET, but I'm
looking for simple, if it exists. I never used the 2005 beta, and
I'm guessing that many of these articles are referring to
functionality that has subsequently changed.

I'm not trying to hide anything from the NSA. I simply wish to
prevent some scumbag from trashing my site.
If I have to spend 40 hours becoming an encryption guru before I
can do this, then that's fine. I just wish that someone would be up
front about this and stop stating what a snap it is. If it really is
a snap could someone please provide me a link to some code that is
current, accurate, and unassuming. VB is my language, but I'll
certainly settle for some C# code.
Thanks
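
Added example (not code from any poster in this thread): the .NET 2.0 protected configuration route mentioned above, driven from inside the application for hosts where aspnet_regiis cannot be run. The class and method names are hypothetical, and it assumes the application identity can write to web.config; once the section is protected, ASP.NET decrypts it transparently for every reader, including the membership provider's LocalSqlServer lookup.

```csharp
// Added example. Needs references to System.Configuration and System.Web.
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector   // hypothetical helper name
{
    // Built-in provider names registered in machine.config for .NET 2.0.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in the web.config at virtualPath
    // (for example "~" or Request.ApplicationPath).
    // Returns true if the file was rewritten, false if already protected.
    public static bool Protect(string virtualPath, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No connectionStrings section found.");

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;                       // idempotent: nothing to do
        if (info.IsLocked)
            throw new ConfigurationErrorsException("Section is locked by a parent config.");

        info.ProtectSection(providerName);      // replaces plaintext with EncryptedData
        info.ForceSave = true;                  // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses Protect, e.g. before moving the site to another server.
    public static bool Unprotect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

Run `Protect` once on the hosting server itself, from a page only an administrator can reach: the DPAPI provider uses a machine-level key by default, so a web.config encrypted on a development machine will not decrypt on the host.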