ASP.NET 2.0 Encrypted Connection String

Discussion in 'ASP .Net Security' started by JohnMSyrasoft, Apr 12, 2005.

  1. I have a question regarding the storage and encryption of connection string
    data within an ASP .Net application that I am writing. I am using ASP .NET
    2.0 and have just recently downloaded the latest CTP Beta 2 version of
    Whidbey. After some trial and error, I am faced with three options and would
    like to know what would be the best way to proceed.

    Option 1:

    My original idea was to do things a little differently by storing my
    appSettings in a different file using the convenient external linking
    capability in the web.config file:

    <appSettings file="filename.config">

    My connection string information is stored under the appSettings section. I
    purposely wanted to leave out appSettings from the web.config file.

    So my filename.config looks something like this:

    <appSettings>
      <add key="ConnectString" value="connectstringvalue…"></add>
      <add key="secondkey" value="secondvalue"></add>
      <add key="thirdkey" value="thirdvalue"></add>
    </appSettings>

    My question is, can I have the best of both worlds by using this external
    linkage capability as well as using the ConfigurationManager in this code to
    encrypt my appSettings:

    Public Sub EncryptAppSettings(ByVal protectionProvider As String)
        '---open the web.config file (OpenWebConfiguration is exposed by
        '   System.Web.Configuration.WebConfigurationManager, not ConfigurationManager)
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(_virtualAppPath)
        '---indicate the section to protect
        Dim section As ConfigurationSection = _
            config.Sections("appSettings")
        '---specify the protection provider
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection(protectionProvider)
            '---apply the protection and update
            config.Save()
        End If
    End Sub

    The problem is that "config.Save()" dumps all my appSettings directly into
    web.config.
    So first of all, is this option even possible? If so, then what am I doing
    wrong or not doing at all? If this is not feasible, then I think it leaves me
    to choose between Option 2 & Option 3.

    Option 2:

    Instead of using the ConfigurationManager for encryption/decryption, I would
    write my own encryption/decryption methods that use the classes in the
    System.Xml and System.Security.Cryptography namespaces to access my
    connection string key in my appSettings file, and then encrypt or decrypt it.
    I would call these methods any place within my application where the data
    needs to be accessed via the connection string.

    Option 3:

    Instead of storing my connection string information under appSettings, I
    would revert back to storing it in my web.config file under the
    <connectionStrings> tag and use the following code whenever it needs to be
    replaced with a new encrypted connection string:

    '---(the Sub header was missing from the post; the name below is a placeholder)
    Public Sub ReplaceConnectionString(ByVal smsPath As String)
        '---open the web.config file; the collection returned by
        '   ConfigurationManager.ConnectionStrings at runtime is read-only and
        '   throws on RemoveAt/Add, so the edit has to go through the
        '   Configuration object that is later saved
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(_virtualAppPath)
        Dim connectStrings As ConnectionStringSettingsCollection = _
            config.ConnectionStrings.ConnectionStrings

        Dim connectString As New ConnectionStringSettings
        connectStrings.RemoveAt(0)
        connectString.Name = "EarltonConnection"
        connectString.ConnectionString = _
            "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & smsPath & _
            ";Persist Security Info=True;Jet OLEDB:Database Password=holly"
        connectStrings.Add(connectString)
        '---write the new plaintext entry before protecting the section
        config.Save()

        Me.EncryptConString("RSAProtectedConfigurationProvider")
    End Sub
    -------------------------------------------------------------------
    Public Sub EncryptConString(ByVal protectionProvider As String)
        '---open the web.config file
        Dim config As System.Configuration.Configuration = _
            WebConfigurationManager.OpenWebConfiguration(_virtualAppPath)
        '---indicate the section to protect
        Dim section As ConfigurationSection = _
            config.Sections("connectionStrings")
        '---specify the protection provider
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection(protectionProvider)
            '---apply the protection and update
            config.Save()
        End If
    End Sub

    Correct me if I am wrong, but option 3 would remove the need to have to
    write my own decryption function since automatic decryption occurs for
    controls that need to connect to the database, and also due to the fact that
    I am not technically changing the connection string (I would not be allowed
    to anyway since it is a ReadOnly property) but replacing it with a new one.

    Please advise which of the three options would be the best in terms of
    security and feasibility. (Ideally I would like to use Option 1, leaving out
    the connection string from my web.config file, but from my own experience, it
    will not seem to work.) Thank you,

    Sabeeh
    JohnMSyrasoft, Apr 12, 2005
    #1

  2. Brock Allen

    Guest

    I'd suggest against #2, as writing your own security code tends to make your
    app less secure. Also, you'll have a key management issue if you do your
    own encryption and then you're back to the original problem.

    As for Option #1, you might be able to manually copy all that goo out and
    put it into the external file, but then that's all manual, so you might be
    out of luck. Though, the AppSettingsSection class has a File property. I've
    not tried it myself, but perhaps you could specify the filename prior to
    saving.

    I'd go with Option #3. You are correct in saying that once the <connectionStrings>
    is encrypted, you don't have to do anything special to read them -- they're
    decrypted prior to you calling the APIs (though that's true with any section
    encrypted with Protect()). Also, the benefit to this approach is that other
    controls use the <connectionStrings> so you simply configure them with your
    connection string name. If you stored that info elsewhere, then they'd not
    know where to look for the DB information.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen

    Brock Allen, Apr 12, 2005
    #2
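The approach Brock recommends (Option 3), as an added VB.NET example that is not code from either post: the connection string is written through the Configuration object rather than the runtime ConfigurationManager.ConnectionStrings collection (which is read-only), the whole connectionStrings section is protected with the RSA provider, and a reader shows that decryption is transparent to callers. The class name, the "/" virtual application path, the sample connection string and the placeholder password are assumptions; the provider name is the one registered in machine.config.

```vbnet
Imports System.Configuration
Imports System.Web.Configuration

' Added example: store, protect and read back a named connection string.
Public Class ConnectionStringProtector
    ' Virtual path of the application whose web.config is edited.
    ' Assumption: the code runs inside the site root.
    Private Const VirtualAppPath As String = "/"
    ' Provider name as registered in machine.config for .NET 2.0.
    Private Const ProtectionProvider As String = "RsaProtectedConfigurationProvider"

    ' Replaces (or adds) the named entry and protects the section.
    ' ConfigurationManager.ConnectionStrings is read-only at runtime and throws on
    ' Add/Remove, so the edit goes through the Configuration object and is saved.
    Public Shared Sub StoreAndProtect(ByVal name As String, _
                                      ByVal connectionString As String, _
                                      ByVal adoProviderName As String)
        Dim config As Configuration = _
            WebConfigurationManager.OpenWebConfiguration(VirtualAppPath)
        Dim section As ConnectionStringsSection = config.ConnectionStrings

        ' Remove is a no-op when the name is absent, so first use is safe.
        section.ConnectionStrings.Remove(name)
        section.ConnectionStrings.Add( _
            New ConnectionStringSettings(name, connectionString, adoProviderName))

        ' Protect once; ProtectSection on an already protected section is an error.
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection(ProtectionProvider)
        End If

        ' Writes the encrypted <connectionStrings> back to web.config.
        config.Save(ConfigurationSaveMode.Modified)
    End Sub

    ' Reads the entry back. The framework decrypts before returning it, so
    ' callers (and data source controls) never see the ciphertext.
    Public Shared Function ReadConnectionString(ByVal name As String) As String
        Dim settings As ConnectionStringSettings = _
            ConfigurationManager.ConnectionStrings(name)
        If settings Is Nothing Then
            Throw New ConfigurationErrorsException( _
                "No connection string named '" & name & "' in web.config.")
        End If
        Return settings.ConnectionString
    End Function

    ' Deployment check: confirm the on-disk section is actually protected.
    Public Shared Function SectionIsProtected() As Boolean
        Dim config As Configuration = _
            WebConfigurationManager.OpenWebConfiguration(VirtualAppPath)
        Return config.ConnectionStrings.SectionInformation.IsProtected
    End Function

    ' Usage (sample values are constructed, not real credentials).
    Public Shared Sub Demo(ByVal smsPath As String)
        StoreAndProtect("EarltonConnection", _
            "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & smsPath & _
            ";Persist Security Info=True;Jet OLEDB:Database Password=<placeholder>", _
            "System.Data.OleDb")
        Dim cs As String = ReadConnectionString("EarltonConnection")
        Dim ok As Boolean = SectionIsProtected()
    End Sub
End Class
```

Two operational points follow from this design. The RSA provider encrypts with a key in the machine-level container NetFrameworkConfigurationKey, so the worker process identity needs read access to that container (granted with aspnet_regiis -pa) or reads fail at runtime, and on a web farm the key must be exported and imported on every node (-px / -pi) so each server can decrypt the same web.config. Saving web.config also recycles the application, so protection belongs in a deployment step rather than in request-handling code; the same ProtectSection call works for a section that lives in an external file referenced through the configSource attribute, which is the attribute to use when the goal is to keep the plaintext out of web.config entirely.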