RE: rsa encrtyption



Thanks Steven,
That's exactly what we've been doing for the past year.
Why it didn't work on one developers work station I don't know.
It seems to work for her now and all we did was apply some Sql Server updates.

My only guess was that the MS dll she used to apply the RSA encryption was
somehow different from the one on the server.


"Steven Cheng [MSFT]" wrote:

Hi Chuck,

From your description, you're encountering some problems about encypting
web.config via exportable RSA provider, correct?

According to the RSA encryption reference, I've performed some local tests,
the normal process of encrypting web.config section via RSA provider and
move to other machine is as below:

======================
Step 1

Create a machine-level RSA key container:
aspnet_regiis -pc "MyTestKeys" -exp

Step 2

Grant Read Access to the RSA Encryption Key:

aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 3

Encrypt the config file:
aspnet_regiis -pef "connectionStrings" "physical path of the web site
folder" -prov MyRSAProvider


export the container and import it back to other machine using the
following steps

Step 4

Export the machine-level RSA key container:
aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri

Step 5

Copy Config-Key.xml to c:\ on 2nd server

Step 6

Import the the machine-level RSA key container on the 2nd server:
aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"

Step 7

Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 8

Copy encrypted web.config to 2nd server

========================

Based on the steps you mentioned, I think most of the process you've
followed should be correct. So far I'd like to suggest you check the
following things:

1. Check your custom RSA provider setting to see whether it is correctly
copied to target machine also and set to use Machine container

========encrypt config section=======
<configProtectedData>
<providers>
<add keyContainerName="MyTestKeys"
useMachineContainer="true"
description="Uses RsaCryptoServiceProvider to encrypt and
decrypt"
name="MyRSAProvider"

type="System.Configuration.RsaProtectedConfigurationProvider,System.Configur
ation, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</configProtectedData>
=======================


2. AS in the above steps, after you create RSA key container, you need to
use "aspnet_regiis -pa" to make sure that the certain account(which will
run your ASP.NET application) has the sufficient access permission to the
key container. Generally, when you use VS 2008/VS 2005 test server to run
ASP.NET application, you're using the logon user(which is probably the
admin), however, if you run the ASP.NET in IIS (or after move to other
server which is using another different process account), you need to make
sure the certain process account have been granted the permission.

You can check them to see whether the problem is due to some of them.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
Thread-Topic: rsa encrtyption
thread-index: Aciu+8jtjzMaoNRFQOC625A+xhVV9A==
X-WBNR-Posting-Host: 207.46.19.197
From: =?Utf-8?B?Q2h1Y2sgUA==?= <Chuck@xxxxxxxxxxxxxxxx>
Subject: rsa encrtyption
Date: Mon, 5 May 2008 15:03:01 -0700


I created a key for encrypting my web.config

aspnet_regiis -pz WebEncryptionKeys
aspnet_regiis -pc WebEncryptionKeys -exp

exported them
aspnet_regiis -px WebEncryptionKeys c:\WebEncryptionKeys_Public.xml -pri

imported them to developers and server machines
aspnet_regiis -pi "WebEncryptionKeys" "c:\WebEncryptionKeys_Public.xml "


Then in MsBuild I run
<Target Name="AfterBuild">
<Exec WorkingDirectory="$(OutputPath)"
Command="$(Registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVers
ions\2.0@MSBuildToolsPath)aspnet_regiis.exe
-pef connectionStrings $(OutputPath) -prov HrCustomProvider" />

This works fine from my machine, the web.config gets encrypted and moved
to
the server.
However, if a co-worker runs the same msBuild on her machine, we get a bad
data error when the website is hit on the server. If I deploy to the
server,
she can logon to the server and encrypt and decrpyt the web.config.

I re-imported the encryption keys to her machine with the same results.

The only thing I can think of is that her machine is using a different
version of the encrtyption algorithims?

So I had her run windows update on her machine, couple things got updated
sql server mostly.

I logged on to her machine, deployment worked.
She logged on to her machine, deployment worked.

The keys were created months ago. Any idea what happened?




.



Relevant Pages

  • RE: rsa encrtyption
    ... According to the RSA encryption reference, I've performed some local tests, ... Grant Read Access to the RSA Encryption Key: ... Export the machine-level RSA key container: ... Import the the machine-level RSA key container on the 2nd server: ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: OWA Publishing problem for ISA 2006- using SecurID
    ... nodesecret in the registry and then cleared it on the RSA Admin server I ... The reason, from what I can gather, is that SDTEST write the securid file to ... a different location and the nodesecet is just set between the ACE and ISA ... ACE server doesn't think it's supposed to. ...
    (microsoft.public.isa.publishing)
  • Re: Symmetric encryption algorithm with group like properties
    ... >> Solutions that exist today are not as secure as they can be. ... I wouldn't expect more than PGP / GPG type encryption, ... > versions - with the key, protected by RSA encryption under a RSA public key ... > Alice needs a secure decryption mechanism to read her emails, ...
    (sci.crypt)
  • RE: OWA Publishing problem for ISA 2006- using SecurID
    ... source other than the ISA Server? ... nodesecret in the registry and then cleared it on the RSA Admin server I ... The publishing rule is set for Basic Authentication on the Auth Delegation ... They are getting this when connecting from an ISA Server labeled page: ...
    (microsoft.public.isa.publishing)
  • RE: OWA Publishing problem for ISA 2006- using SecurID
    ... on the phone with RSA doing that repeatedly. ... The reason, from what I can gather, is that SDTEST write the securid file to ... a different location and the nodesecet is just set between the ACE and ISA ... ACE server doesn't think it's supposed to. ...
    (microsoft.public.isa.publishing)