Re: encrypting app.config with RSA



Hi,

OK - but the app is running in the security context of the user - so everything the app can do can also be done by the user.

A user could write a C# app to decrypt the section. Would be no problem.

But still this is better than having clear text configs.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I don't want the users to be able to read it, I want my app to be able
to read it without the user being able to read it.

"Dominick Baier [DevelopMentor]" wrote:

Hi,

User/machine only specifies which store to use - you can further
specify the key container name.

You have to create an RSA key and import it on every single machine.
You also have to set ACLs on the key container.

To avoid having to change machine.config on every machine you could
overwrite the default key container called
"NetFrameworkConfigurationKey"

The security you gain from this is questionable - if every user on
every machine has access to the private key - this is not much better
than clear text :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'd like my application to encrypt certain sections of the config
file. I'd like to use the
System.Configuration.SectionInformation.ProtectSection API. However,
I'd like the application to be able to decrypt the file no matter
what user is using it or what machine they are running on. So I
can't use the DPAPI provider.

That means I have to use the RSA provider, but by default, it still
uses the user keys or the machine keys. Is there a way to get the
provider to only use keys that my app specifies? I know that the RSA
class has an AddKey method, but I can't find a way to get that to
work with the ProtectSection method.
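
The approach described in the replies above (a named RSA key container imported on each machine, then ProtectSection with a provider bound to it), as an added example that is not code from any poster in this thread. The provider name "AppRsaProvider", the container name "MyAppKeys" and the choice of the connectionStrings section are assumptions; the program targets the .NET Framework and needs a reference to System.Configuration.dll.

```csharp
// Added example; not code from the thread. Assumed names: provider "AppRsaProvider",
// key container "MyAppKeys", protected section "connectionStrings".
// 1. Key setup per machine (aspnet_regiis ships with the .NET Framework):
//      aspnet_regiis -pc "MyAppKeys" -exp             create an exportable container
//      aspnet_regiis -px "MyAppKeys" keys.xml -pri    export it, private key included
//      aspnet_regiis -pi "MyAppKeys" keys.xml         import on each target machine
//      aspnet_regiis -pa "MyAppKeys" "DOMAIN\account" grant an account read access
//
// 2. Provider registration in app.config (Version shown is for the 2.0 framework):
//      <configProtectedData>
//        <providers>
//          <add name="AppRsaProvider"
//               type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//               keyContainerName="MyAppKeys"
//               useMachineContainer="true" />
//        </providers>
//      </configProtectedData>
using System;
using System.Configuration;

static class ConfigProtector
{
    const string ProviderName = "AppRsaProvider";    // assumed provider name
    const string SectionName = "connectionStrings";  // assumed section to protect

    static int Main()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
        {
            Console.Error.WriteLine("Section not found: " + SectionName);
            return 1;
        }

        SectionInformation info = section.SectionInformation;
        if (!info.IsProtected && !info.IsLocked)
        {
            info.ProtectSection(ProviderName);   // encrypts with the named container's key
            info.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
        // Reads are decrypted transparently for any code running under an account
        // with access to the container, which is the limitation raised in the replies.
        Console.WriteLine("Protected: " + info.IsProtected);
        return 0;
    }
}
```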


