Better security

Discussion in 'ASP .Net Security' started by David Thielen, Jan 16, 2007.

  1. Hi;

    First off, if you have not read Dominick Baier's book yet - GO READ IT
    NOW. That is the book I wish I had read first - would have saved me
    boatloads of time.

    Ok, on to the question. It seems to me the best way to store secrets
    that we need the plaintext of (i.e. can't just hash and save the hash) is
    to:

    Have person A know the connection string to the database.

    Have person B know the symmetric key used to encrypt the secrets.

    Have person C be the only one with access to the server and to the
    web.config file.

    The question is, how do we get the info from persons A & B into the
    Web.Config file and encrypted in the Web.Config file? If person C does
    that they've seen them unencrypted. If persons A & B do it, they are
    then on the server for a short period of time.

    ??? - thanks - dave

    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
    David Thielen, Jan 16, 2007
    #1

  2. Asking again via the MS Web page so it's marked as a MSDN question.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




    David Thielen, Jan 17, 2007
    #2

  3. Hello Dave,

    Based on the nature of the question you mentioned, it is somewhat a pure
    security & cryptography question.

    I'm not sure of the exact application code logic in your scenario (such as
    the front end, back end and intermediate processing of data and the
    user/role-based security strategy); would you explain it further? For
    example, how will the three users (A, B, C) work in your application (or in
    different application tiers)?

    Generally, for symmetric cryptography, a key problem is key
    distribution and key management. Only the sender and receiver should own
    the key. For example, if A and B want to exchange data through symmetric
    data encryption, only A and B will share a key. And if they want to let a
    3rd party (such as user C) maintain the data, then they should offer C the
    encrypted data (rather than plain text).

    Please feel free to let me know your actual requirement and concerns.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Jan 17, 2007
    #3
  4. Because of the username and password in it to connect to the database. Am I
    missing something here?

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




    "Dominick Baier" wrote:

    > why is the connection string a secret??? This shouldn't be the case...it
    > is very easy to find SQL Servers on my network - in the simplest case scan
    > every IP address for an open TCP/1433...
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > > Yes - sort-of. I'm still learning this too.
    > >
    > > My question here is person A and B need to put their information in
    > > Web.Config. And they should be encrypted in Web.Config (aspnet_regiis
    > > -pef ...).
    > >
    > > The problem is how does person A get their connection string into
    > > Web.Config and aspnet_regiis run on it? Only person C is allowed
    > > access to the server and to Web.Config. But they are not allowed to
    > > see the unencrypted connection string.
    > >
    > > Cubicle Wars - http://www.windwardreports.com/film.htm
    David Thielen, Jan 18, 2007
    #4
  5. Hi Dave,

    I'm afraid this is a bit hard. One question: why can't users A and B give
    the encrypted connection string to C and have it stored in the web.config
    file? And can't they retrieve the encrypted one later and decrypt it in
    their own context?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Jan 18, 2007
    #5
  6. get rid of passwords in connection strings.....


    -----
    Dominick Baier (http://www.leastprivilege.com)

    > Because of the username and password in it to connect to the database.
    > Am I missing something here?
    Dominick Baier, Jan 18, 2007
    #6
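
One way to read the advice in post #6, shown as an added example that is not part of the original thread: switch the connection string from a SQL login to Windows authentication, so that it no longer contains a secret to distribute. The server name, database name and connection name are constructed placeholders, and the use of `Integrated Security` is an assumption about what the poster meant.

```xml
<!-- Constructed web.config fragment; server and database names are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Before: SQL login. The password makes the whole string a secret
         that someone has to type, hand over and encrypt.
    <add name="AppDb"
         connectionString="Data Source=SQLHOST01;Initial Catalog=AppData;User ID=app_user;Password=PLACEHOLDER"
         providerName="System.Data.SqlClient" />
    -->

    <!-- After: Windows authentication. SQL Server authenticates the Windows
         account the worker process runs as, so the string holds no credential. -->
    <add name="AppDb"
         connectionString="Data Source=SQLHOST01;Initial Catalog=AppData;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
```

With this form, the account the application runs as needs its own SQL Server login, granted only the rights the application requires.
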
  7. Hi Dave,

    Yes, using aspnet_regiis is one way to encrypt the content so that only
    the ASP.NET runtime can decrypt it. However, in your scenario you want only
    A and B to know the key and be able to encrypt and decrypt the
    connection string; this violates the usage of ASP.NET/.NET 2.0's
    configuration protection/encryption. So I think you can review your current
    security design here to see whether another approach would be better.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Jan 19, 2007
    #7
