Re: Web.config or App.config Security
From: Damian (t-damianl_at_infocorp.com.uy)
Date: Thu, 5 Feb 2004 15:08:04 -0300
Thanks Alek for your response. I think I did not express myself in the best
way. I have implemented a class that implements the interface
IDataProtection. I have used the code of the CMAB "as-is" and I change the
algorithm that BCL uses (3DESC). As the CMAB says, the key and the
IV(base64) or the registry root of this keys must be seted in the
<protectionProvider> tag in the .config file.
I know that this is like ' Who was first, the egg or the chicken ??'. I
thought that VS has some options or settings to ensure the security of the
web.config (or app.config).
i.e.: Encrypt the web.config and when someone or the application calls it,
it has to be decrypted and then encrypt it again. All this happened when the
web application is running. This is al transparent for the developer( This
is just an idea, I know that socks J )
I've read an article that said the following : I could add this
Administrators: Full controlSystem: Full controlASP.NET process identity:
ReadUNC Identity: ReadImpersonated Identity (Fixed Identity): Read But I don
't know where ???? In the web.config or in the Machine.config
In conclusion, I want to ensure the security of the web.config as much as
Thanks for all your help !!! . I will read the article you have send me.
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> I would be surprised if you could use Data Protection Provider from a Web
> application. If I understand it correctly, it uses DPAPI, but DPAPI (with
> user store) cannot be called from Web applications (unless you add more
> complexity). If you use DPAPI with machine store, any application running
> the system will be able to decrypt your data, so this is - arguably - not
> more secure than hiding key (and other secrets) in the source code (and
> obfuscating assembly), although it is still better than leaving data in
> plain text.
> Not sure why you are concerned about someone opening or modifying the
> .config file (assuming that sensitive data in the file are encrypted).
> .config files are wide open for the read access (after all ASP.NET
> applications must be able to read config settings). You can tighten the
> write access, but this has little to do with privacy and if I understand
> correctly, privacy is your main concern; your primary goal is preventing
> unauthorized users from being able to decrypt data. Unfortunately, there
> not many options out there. It is just the fundamental difficulty of the
> problems: how do you allow me to encrypt data, my application to decrypt
> data and prevent everybody else (humans and applications) from either? If
> you are interested in this area, check out info at http://www.obviex.com/;
> you can find relevant references and utilities, you may be able to use.
> "Damian" <email@example.com> wrote in message
> > Hi All ,
> > I have this problem. I know how to encrypr connections strings or XML
> > using Aplication Block. I have implemented a Data Protection Provider to
> > encrypt all my configurations files. My problem is that my encryptation
> > and other personal information is set in my web.config or app.config . I
> > wonder if Visual Studio has any tool or service to encrypt or secure the
> > web.config or there is another way to do this in order to make sure than
> > anyone is going to open or modify this file. Any advice?
> > Thanks for your help.