Re: Web.config or App.config Security

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 02/05/04


Date: Thu, 5 Feb 2004 08:48:59 -0800

Damian,

I would be surprised if you could use Data Protection Provider from a Web
application. If I understand it correctly, it uses DPAPI, but DPAPI (with
user store) cannot be called from Web applications (unless you add more
complexity). If you use DPAPI with machine store, any application running on
the system will be able to decrypt your data, so this is - arguably - not
more secure than hiding the key (and other secrets) in the source code (and
obfuscating the assembly), although it is still better than leaving data in
plain text.

Not sure why you are concerned about someone opening or modifying the
.config file (assuming that sensitive data in the file are encrypted).
.config files are wide open for read access (after all, ASP.NET
applications must be able to read config settings). You can tighten the
write access, but this has little to do with privacy, and if I understand you
correctly, privacy is your main concern; your primary goal is preventing
unauthorized users from being able to decrypt data. Unfortunately, there are
not many options out there. It is just the fundamental difficulty of the
problem: how do you allow me to encrypt data, my application to decrypt
data and prevent everybody else (humans and applications) from either? If
you are interested in this area, check out info at http://www.obviex.com/;
you can find relevant references and utilities you may be able to use.

Alek

"Damian" <t-damianl@infocorp.com.uy> wrote in message
news:%23eJ8xM$6DHA.2404@TK2MSFTNGP12.phx.gbl...
> Hi All,
>
> I have this problem. I know how to encrypt connection strings or XML files
> using Application Block. I have implemented a Data Protection Provider to
> encrypt all my configuration files. My problem is that my encryption key
> and other personal information is set in my web.config or app.config. I
> wonder if Visual Studio has any tool or service to encrypt or secure the
> web.config or there is another way to do this in order to make sure that
> anyone is going to open or modify this file. Any advice?
>
> Thanks for your help.
>
>
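
The machine-store versus user-store distinction drawn in the reply above, as an added example that is not part of the original thread: a C# program using the .NET ProtectedData class (Windows only). The sample secret, the entropy value and the class name are constructed for illustration.

```csharp
// Added example, not code from the thread. Windows only.
// ProtectedData lives in System.Security.dll on .NET Framework and in the
// System.Security.Cryptography.ProtectedData package on newer .NET.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiScopeDemo   // hypothetical name
{
    // Constructed sample secret, not a real connection string.
    const string SampleSecret =
        "Server=db.example.test;User Id=app;Password=constructed-sample";

    static byte[] Protect(string text, DataProtectionScope scope, byte[] entropy)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(text), entropy, scope);
    }

    static string Unprotect(byte[] blob, DataProtectionScope scope, byte[] entropy)
    {
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, entropy, scope));
    }

    static void Main()
    {
        // Machine store: any process on this computer, under any account,
        // can unprotect this blob. This is the weakness noted in the reply.
        byte[] machineBlob = Protect(SampleSecret, DataProtectionScope.LocalMachine, null);

        // User store: only code running as the same Windows account can
        // unprotect this blob.
        byte[] userBlob = Protect(SampleSecret, DataProtectionScope.CurrentUser, null);

        Console.WriteLine(Unprotect(machineBlob, DataProtectionScope.LocalMachine, null) == SampleSecret);
        Console.WriteLine(Unprotect(userBlob, DataProtectionScope.CurrentUser, null) == SampleSecret);

        // Optional entropy narrows the machine store: the blob now needs this
        // extra value to decrypt. The value still has to be kept somewhere the
        // application can read, so the storage problem moves rather than ends.
        byte[] entropy = Encoding.UTF8.GetBytes("constructed-entropy-value");
        byte[] boundBlob = Protect(SampleSecret, DataProtectionScope.LocalMachine, entropy);
        try
        {
            Unprotect(boundBlob, DataProtectionScope.LocalMachine, null);
            Console.WriteLine("unexpected: decrypted without entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("decrypt without the entropy value failed, as expected");
        }
    }
}
```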


