Re: Web.config or App.config Security
From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 02/05/04
- Next message: Shawn Farkas: "Re: Cryptographic exception when using TripleDES class"
- Previous message: Damian: "Re: Web.config or App.config Security"
- In reply to: Damian: "Re: Web.config or App.config Security"
- Next in thread: Damian: ".config Security"
- Reply: Damian: ".config Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 5 Feb 2004 13:37:49 -0800
No problem. If you are new to this, I would recommend this MSDN Magazine
article (for general information relevant to the topic): "Safeguard Database
Connection Strings and Other Sensitive Settings in Your Code" at
http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/default.aspx.
"Damian" <t-damianl@infocorp.com.uy> wrote in message
news:ewQCp5C7DHA.2720@TK2MSFTNGP09.phx.gbl...
> Ok Alek, I will choose the registry option. Well, thanks for all your help
> and sorry if I bother you. This is an interesting topic and I think that
> there are a lot of things to do relate to this. I will be continuing
> investigating about all this. Don't worry; I will be bothering you
soon!!!!
> ;-)
>
>
>
> Thanks, Damian
>
>
> "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> news:%23evNeuC7DHA.2404@TK2MSFTNGP11.phx.gbl...
> > No, not at all (sorry if I made this impression). But this - storing
> > encryption key in Web.config - is definitely not a good idea. In fact,
> this
> > is probably the worst possible option (maybe after not using
encryption).
> > You would be better off storing the key in the registry (using
> Configuration
> > Management Block approach), using DPAPI with machine key, or hard coding
> it
> > in the application source code, event though these are bad choices as
> well.
> >
> > "Damian" <t-damianl@infocorp.com.uy> wrote in message
> > news:eCdYKhC7DHA.1040@TK2MSFTNGP10.phx.gbl...
> > > I understand your point of view and it's right. The problem is that
the
> > > encrypting key is in my web.config so if someone gets hold
> > > of my Web.config, he has my encriptation key. If it is so, I'm in
> > trouble.
> > > When you say "so the goal should be to protect the encryption
> > > key, not the Web.config " in my case the encriptation key is in the
> > > web.config. I hope you don't get angry, do you? I`m new in this things
> > :-)
> > >
> > >
> > >
> > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> > > news:eO213WC7DHA.2576@TK2MSFTNGP11.phx.gbl...
> > > > There is not much you can do about Web.config. You cannot
overrestrict
> > > > access to it because - as I said - it must be accessed by an ASP
> worker
> > > > process, which may not have enough permissions. Again, I am not sure
> why
> > > you
> > > > are focusing on the Web.config. If I understand it correctly, your
> data
> > > are
> > > > protected by encryption, so the goal should be to protect the
> encryption
> > > > key, not the Web.config (although, setting the right ACLs in a file
> > > wouldn't
> > > > hurt, if this is what you mean, but this may take some trial and
error
> > > > approach, and I do not think you will accomplish much by this
> > > > security-wise). If you think about it, let's say a hacker somehow
gets
> > > hold
> > > > of you Web.config, but since all sensitive data are protected, what
> > would
> > > be
> > > > the risk? The weakest link here is the encryption key, and if the
> hacker
> > > > gets it, then you will be in trouble, but this is another story.
> > > >
> > > > "Damian" <t-damianl@infocorp.com.uy> wrote in message
> > > > news:uXoOO%23B7DHA.2568@TK2MSFTNGP10.phx.gbl...
> > > > > Well, I don`t have any choise. So, the best thing for a web
> aplication
> > > is
> > > > to
> > > > > use the BCL DPP and store the key, hash key and IV in the
registry.
> > > > > Concerning the web.config, what is the best thing I could do to
> ensure
> > > the
> > > > > best security ???? Could I assign permisions to the web.config in
> > order
> > > > to
> > > > > protect the data.??? Sorry my incistence and thanks for all your
> help.
> > > > >
> > > > >
> > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in
> message
> > > > > news:uxGVNdB7DHA.2676@TK2MSFTNGP10.phx.gbl...
> > > > > > Hm, not quite sure I understand what you do (or want to do).
There
> > is
> > > no
> > > > > > built-in features (as far as I know) to encrypt/decrypt data in
> > config
> > > > > > files. All best know methods rely on encryption (in addition to
> > > > firewalls,
> > > > > > ACLs, DMZs, etc). If you can save encrypted data in .config
file,
> it
> > > > will
> > > > > > stay encrypted there (I am a bit confused by your "it has to be
> > > > decrypted
> > > > > > and then encrypt it again" statement). Your application will
have
> to
> > > > make
> > > > > a
> > > > > > call (explicit or implicit, e.g. via a configuration handler
> class),
> > > > which
> > > > > > will handle the decryption, so decrypted data will go in your
> > > > application
> > > > > > memory (not in the .config file). Now, the problem with this
> > approach
> > > is
> > > > > not
> > > > > > encryption per se (which is trivial). Actually, there are two
> > > problems.
> > > > > > First, how do you protect the encryption key? Second, how do you
> > make
> > > > sure
> > > > > > that only specific users/applications are able to
encrypt/decrypt
> > > data?
> > > > > > These have no easy solutions. This is why the standard
approaches
> > > > (saving
> > > > > > the key in plain text or using DPAPI) are either not secure or
do
> > not
> > > > work
> > > > > > with Web applications. But as I said, bad security is better
than
> no
> > > > > > security.
> > > > > >
> > > > > > Alek
> > > > > >
> > > > > > "Damian" <t-damianl@infocorp.com.uy> wrote in message
> > > > > > news:OLg3VKB7DHA.2568@TK2MSFTNGP10.phx.gbl...
> > > > > > > Thanks Alek for your response. I think I did not express
myself
> > in
> > > > the
> > > > > > best
> > > > > > > way. I have implemented a class that implements the interface
> > > > > > > IDataProtection. I have used the code of the CMAB "as-is" and
I
> > > change
> > > > > the
> > > > > > > algorithm that BCL uses (3DESC). As the CMAB says, the key and
> the
> > > > > > > IV(base64) or the registry root of this keys must be seted in
> the
> > > > > > > <protectionProvider> tag in the .config file.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > I know that this is like ' Who was first, the egg or the
chicken
> > > ??'.
> > > > I
> > > > > > > thought that VS has some options or settings to ensure the
> > security
> > > of
> > > > > the
> > > > > > > web.config (or app.config).
> > > > > > >
> > > > > > > i.e.: Encrypt the web.config and when someone or the
application
> > > calls
> > > > > it,
> > > > > > > it has to be decrypted and then encrypt it again. All this
> > happened
> > > > when
> > > > > > the
> > > > > > > web application is running. This is al transparent for the
> > > developer(
> > > > > This
> > > > > > > is just an idea, I know that socks J )
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > I've read an article that said the following : I could add
this
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Administrators: Full controlSystem: Full controlASP.NET
process
> > > > > identity:
> > > > > > > ReadUNC Identity: ReadImpersonated Identity (Fixed Identity):
> Read
> > > But
> > > > I
> > > > > > don
> > > > > > > 't know where ???? In the web.config or in the Machine.config
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > In conclusion, I want to ensure the security of the web.config
> as
> > > > much
> > > > > as
> > > > > > > possible
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Thanks for all your help !!! . I will read the article you
have
> > send
> > > > me.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Damian
> > > > > > >
> > > > > > >
> > > > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in
> > > message
> > > > > > > news:uygw1fA7DHA.2044@TK2MSFTNGP10.phx.gbl...
> > > > > > > > Damian,
> > > > > > > >
> > > > > > > > I would be surprised if you could use Data Protection
Provider
> > > from
> > > > a
> > > > > > Web
> > > > > > > > application. If I understand it correctly, it uses DPAPI,
but
> > > DPAPI
> > > > > > (with
> > > > > > > > user store) cannot be called from Web applications (unless
you
> > add
> > > > > more
> > > > > > > > complexity). If you use DPAPI with machine store, any
> > application
> > > > > > running
> > > > > > > on
> > > > > > > > the system will be able to decrypt your data, so this is -
> > > > arguably -
> > > > > > not
> > > > > > > > more secure than hiding key (and other secrets) in the
source
> > code
> > > > > (and
> > > > > > > > obfuscating assembly), although it is still better than
> leaving
> > > data
> > > > > in
> > > > > > > > plain text.
> > > > > > > >
> > > > > > > > Not sure why you are concerned about someone opening or
> > modifying
> > > > the
> > > > > > > > .config file (assuming that sensitive data in the file are
> > > > encrypted).
> > > > > > > > .config files are wide open for the read access (after all
> > ASP.NET
> > > > > > > > applications must be able to read config settings). You can
> > > tighten
> > > > > the
> > > > > > > > write access, but this has little to do with privacy and if
I
> > > > > understand
> > > > > > > you
> > > > > > > > correctly, privacy is your main concern; your primary goal
is
> > > > > preventing
> > > > > > > > unauthorized users from being able to decrypt data.
> > Unfortunately,
> > > > > there
> > > > > > > are
> > > > > > > > not many options out there. It is just the fundamental
> > difficulty
> > > of
> > > > > the
> > > > > > > > problems: how do you allow me to encrypt data, my
application
> to
> > > > > decrypt
> > > > > > > > data and prevent everybody else (humans and applications)
from
> > > > either?
> > > > > > If
> > > > > > > > you are interested in this area, check out info at
> > > > > > http://www.obviex.com/;
> > > > > > > > you can find relevant references and utilities, you may be
> able
> > to
> > > > > use.
> > > > > > > >
> > > > > > > > Alek
> > > > > > > >
> > > > > > > > "Damian" <t-damianl@infocorp.com.uy> wrote in message
> > > > > > > > news:%23eJ8xM$6DHA.2404@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > Hi All ,
> > > > > > > > >
> > > > > > > > > I have this problem. I know how to encrypr connections
> strings
> > > or
> > > > > XML
> > > > > > > > files
> > > > > > > > > using Aplication Block. I have implemented a Data
Protection
> > > > > Provider
> > > > > > to
> > > > > > > > > encrypt all my configurations files. My problem is that my
> > > > > > encryptation
> > > > > > > > key
> > > > > > > > > and other personal information is set in my web.config or
> > > > app.config
> > > > > .
> > > > > > I
> > > > > > > > > wonder if Visual Studio has any tool or service to encrypt
> or
> > > > secure
> > > > > > the
> > > > > > > > > web.config or there is another way to do this in order to
> make
> > > > sure
> > > > > > than
> > > > > > > > > anyone is going to open or modify this file. Any advice?
> > > > > > > > >
> > > > > > > > > Thanks for your help.
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
- Next message: Shawn Farkas: "Re: Cryptographic exception when using TripleDES class"
- Previous message: Damian: "Re: Web.config or App.config Security"
- In reply to: Damian: "Re: Web.config or App.config Security"
- Next in thread: Damian: ".config Security"
- Reply: Damian: ".config Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
