Re: encrypting app.config with RSA



Hi,

no there is no such way - and don't try something hacky like embedding a hardcoded key in source code (which isn't secure at all either)

If the application (running in the security context of the user) is able to read that secret - the user is too.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Is there a secure way to encrypt sensible information in a .net
application so that nobody but the application (and the developer of
course) can reveal that sensitive information (a password for
instance as part of a connectionstring connecting to a sql server 2000
database). The context I have in mind is a windows application
installed on user's machines.

I understand that the "protectsection" approach actually is not secure
at all, is it?

Thanks

Leo Leys

"Dominick Baier [DevelopMentor]" wrote:

Hi,

OK - but the app is running in the security context of the user - so
everything the app can do - can be also done by the user.

A user could write a C# app to decrypt the section. would be no
problem.

But still this is better than having clear text configs.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I don't want the users to be able to read it, I want my app to be
able to read it without the user being able to read it.

"Dominick Baier [DevelopMentor]" wrote:

Hi,

user/machine only specifies which store to use - you further can
specify the key container name.

You have to create a rsa key and import it on every single machine.
You also have to set ACLs on the key container.

To avoid having to change machine.config on every machine you could
overwrite the default key container called
"NetFrameworkConfigurationKey"

the security you gain from this is questionable - if every user on
every machine has access to the private key - this is not much
better than clear text :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I'd like my application to encrypt certain sections of the config
file. I'd like to use the
System.Configuration.SectionInformation.ProtectSection API.
However, I'd like the application to be able to decrypt the file
no matter what user is using it or what machine they are running
on. So I can't use the DPAPI provider.

That means I have to use the RSA provider, but by default, it
still uses the user keys or the machine keys. Is there a way to
get the provider to only use keys that my app specifies? I know
that the RSA class has an AddKey method, but I can't find a way to
get that to work with the ProtectSection method.
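
Added example, not part of the original thread: a C# sketch for .NET Framework 2.0+ that protects `connectionStrings` with an RSA provider bound to a named key container, then lists who holds rights on that container, which is the ACL point raised in the replies. The provider name `AppRsaProvider` and container name `AppKeys` are hypothetical, and the provider entry shown in the leading comment is assumed to be present in app.config.

```csharp
// Added example; names "AppRsaProvider" and "AppKeys" are hypothetical.
// Assumed app.config entry that binds the provider to a named machine-level container:
//   <configProtectedData><providers>
//     <add name="AppRsaProvider"
//          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//          keyContainerName="AppKeys" useMachineContainer="true" />
//   </providers></configProtectedData>
using System;
using System.Configuration;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;

static class ProtectConfig
{
    const string ProviderName = "AppRsaProvider"; // hypothetical provider name
    const string ContainerName = "AppKeys";       // hypothetical key container name

    static void Main()
    {
        // Encrypt the section in place with the named provider (no-op if already protected).
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(ProviderName);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }

        // Open the existing machine-level container; UseExistingKey prevents
        // silently creating a new key if the container is missing.
        CspParameters csp = new CspParameters();
        csp.KeyContainerName = ContainerName;
        csp.Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey;

        using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp))
        {
            // Every identity listed with read rights can decrypt the section,
            // regardless of what the application itself does.
            CryptoKeySecurity acl = rsa.CspKeyContainerInfo.CryptoKeySecurity;
            foreach (CryptoKeyAccessRule rule in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                // SIDs are printed untranslated so unmapped accounts do not throw.
                Console.WriteLine("{0}: {1} {2}",
                    rule.IdentityReference, rule.AccessControlType, rule.CryptoKeyRights);
            }
        }
    }
}
```

If the output includes a broad group such as S-1-1-0 (Everyone) or S-1-5-32-545 (Users) with read rights, the encrypted section is readable by any local user, as the replies describe.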


