Re: Web.config or App.config Security

From: Damian (t-damianl_at_infocorp.com.uy)
Date: 02/05/04


Date: Thu, 5 Feb 2004 15:08:04 -0300

Thanks Alek for your response. I think I did not express myself in the best
way. I have implemented a class that implements the interface
IDataProtection. I have used the code of the CMAB "as-is" and I changed the
algorithm that BCL uses (3DESC). As the CMAB says, the key and the
IV (base64) or the registry root of these keys must be set in the
<protectionProvider> tag in the .config file.

I know that this is like ' Who was first, the egg or the chicken ??'. I
thought that VS has some options or settings to ensure the security of the
web.config (or app.config).

i.e.: Encrypt the web.config and when someone or the application calls it,
it has to be decrypted and then encrypted again. All this happens while the
web application is running. This is all transparent for the developer (this
is just an idea, I know that sucks :) )

I've read an article that said the following : I could add this

Administrators: Full control
System: Full control
ASP.NET process identity: Read
UNC Identity: Read
Impersonated Identity (Fixed Identity): Read

But I don't know where ???? In the web.config or in the Machine.config

In conclusion, I want to ensure the security of the web.config as much as
possible

Thanks for all your help !!! I will read the article you have sent me.

Damian

"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:uygw1fA7DHA.2044@TK2MSFTNGP10.phx.gbl...
> Damian,
>
> I would be surprised if you could use Data Protection Provider from a Web
> application. If I understand it correctly, it uses DPAPI, but DPAPI (with
> user store) cannot be called from Web applications (unless you add more
> complexity). If you use DPAPI with machine store, any application running on
> the system will be able to decrypt your data, so this is - arguably - not
> more secure than hiding key (and other secrets) in the source code (and
> obfuscating assembly), although it is still better than leaving data in
> plain text.
>
> Not sure why you are concerned about someone opening or modifying the
> .config file (assuming that sensitive data in the file are encrypted).
> .config files are wide open for the read access (after all ASP.NET
> applications must be able to read config settings). You can tighten the
> write access, but this has little to do with privacy and if I understand you
> correctly, privacy is your main concern; your primary goal is preventing
> unauthorized users from being able to decrypt data. Unfortunately, there are
> not many options out there. It is just the fundamental difficulty of the
> problems: how do you allow me to encrypt data, my application to decrypt
> data and prevent everybody else (humans and applications) from either? If
> you are interested in this area, check out info at http://www.obviex.com/;
> you can find relevant references and utilities, you may be able to use.
>
> Alek
>
> "Damian" <t-damianl@infocorp.com.uy> wrote in message
> news:%23eJ8xM$6DHA.2404@TK2MSFTNGP12.phx.gbl...
> > Hi All ,
> >
> > I have this problem. I know how to encrypt connection strings or XML files
> > using Application Block. I have implemented a Data Protection Provider to
> > encrypt all my configuration files. My problem is that my encryption key
> > and other personal information is set in my web.config or app.config. I
> > wonder if Visual Studio has any tool or service to encrypt or secure the
> > web.config or there is another way to do this in order to make sure that
> > anyone is going to open or modify this file. Any advice?
> >
> > Thanks for your help.
> >
> >
>
>
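
The permission list quoted in the message above (Administrators: Full control, System: Full control, process identities: Read) describes NTFS access-control entries on the config file itself, not settings written inside web.config or Machine.config. The following PowerShell sketch is an added example, not part of the original thread; the file path and the `NETWORK SERVICE` process identity are assumptions to replace with your own values, and it must be run from an elevated prompt.

```powershell
# Added example: apply the listed ACL to a config file as NTFS permissions.
# $ConfigPath and $ReadIdentities are assumptions; substitute your own values.
param(
    [string]   $ConfigPath     = 'C:\inetpub\wwwroot\MyApp\web.config',  # hypothetical path
    # Assumed ASP.NET process identity; append UNC / fixed impersonation
    # identities here if the application uses them.
    [string[]] $ReadIdentities = @('NT AUTHORITY\NETWORK SERVICE')
)

$allow = [System.Security.AccessControl.AccessControlType]::Allow

function New-FileRule([string]$Identity,
                      [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $allow)
}

$acl = Get-Acl -LiteralPath $ConfigPath

# Stop inheriting from the parent folder; $false discards the inherited
# entries when the ACL is written back. Then drop any explicit entries too,
# so only the rules added below remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$acl.AddAccessRule((New-FileRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FileRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
foreach ($id in $ReadIdentities) {
    $acl.AddAccessRule((New-FileRule $id 'Read'))
}

Set-Acl -LiteralPath $ConfigPath -AclObject $acl

# Re-read the ACL from disk and flag any identity that is not on the list.
$expected   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') + $ReadIdentities
$unexpected = (Get-Acl -LiteralPath $ConfigPath).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    Write-Warning "Unexpected entries remain on ${ConfigPath}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
} else {
    Write-Output "ACL on $ConfigPath contains only the expected identities."
}
```

As the quoted reply points out, the process identity still needs Read, so this ACL limits who else can read or modify the file but does not hide its contents from code running as that identity.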


